Scheer
Participant

Concurrent Connections

Hi,

I need to know how to find the concurrent session count per single IP address. As an example, how many https sessions there are for a single web server concurrently.

I also need to know the meaning of the highlighted count below (attached snapshot).

Thanks

1 Solution

Accepted Solutions
Lloyd_Braun
Collaborator

fw ctl conntab | grep ip.add.ress | wc -l     from the gateway should do it


18 Replies

the_rock
Legend

That's a good command, never seen it before.

Scheer
Participant

Thanks for your reply. How can I identify exactly that this session is relevant to a service like http or https?

Scheer
Participant

@Lloyd_Braun Is this result for session count or request count?

PhoneBoy
Admin

It's active sessions (i.e. TCP connection is still open).

PhoneBoy
Admin

Number of records refers to the number of log entries in that file.

Of course, the fact you're showing a screenshot from SmartView Tracker tells me you're probably on a pre-R80 release, which is no longer supported.
SmartView Tracker on R8x isn't supported either (though the binaries are still there).

Scheer
Participant

Our Management Server is R81.10 and Security Gateway is R80.30. I am using C:\Program Files (x86)\CheckPoint\SmartConsole\R81.10\PROGRAM\CPlgv.exe to track the concurrent sessions.

Is there other method to fulfill my requirement?

PhoneBoy
Admin

Even though we include the SmartView Tracker binaries as part of the SmartConsole installation still, it's no longer supported as of R80.
Which means you should find a different way to achieve the same result.

The method @Lloyd_Braun specified is the best way to do it.

Scheer
Participant

@PhoneBoy How can I identify exactly that this session is relevant to a service like http or https?

PhoneBoy
Admin

If you look at the output of fw ctl conntab, you have your answer:

<(outbound, src=[10.6.5.251,44738], dest=[3.234.44.184,443], TCP); 2503/3600, rule=0, tcp state=DST_FIN, service=nfsd(393), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1, ISP-Redundancy, SynDoSDefender>

This connection is related to https (TCP 443, as bolded in the above output).
If you just want to see the number of https connections from a specific IP, from expert mode:

fw ctl conntab | grep x.y.z.w | grep ",443], TCP" | wc -l
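
An added example (not posted by anyone in this thread, and not Check Point code): shell functions that parse `fw ctl conntab` lines in the layout pasted above, match the IP and destination port as exact fields instead of substrings (with grep, 198.51.100.7 also matches 198.51.100.70), and go one step further by ranking source IPs by open connections. The function names, the sample lines and the IPv4-only layout are assumptions.

```shell
#!/bin/sh
# Added example. On a gateway (expert mode) the input would come from:
#   fw ctl conntab | top_sources <server-ip> 443

# conntab_fields: reduce each connection line to "src dst dport proto".
# Lines that do not fit the layout are dropped (IPv4 only: an assumption).
conntab_fields() {
    sed -n 's/.*src=\[\([0-9.]*\),[0-9]*], dest=\[\([0-9.]*\),\([0-9]*\)], \([A-Z]*\));.*/\1 \2 \3 \4/p'
}

# count_conns IP DPORT: TCP connections where IP is exactly the source or
# the destination and the destination port is exactly DPORT.
count_conns() {
    conntab_fields |
    awk -v ip="$1" -v port="$2" '
        ($1 == ip || $2 == ip) && $3 == port && $4 == "TCP" { c++ }
        END { print c + 0 }'
}

# top_sources DST_IP DPORT [N]: rank source IPs by open TCP connections to
# DST_IP:DPORT; prints "count src" lines, highest first (default N=10).
top_sources() {
    conntab_fields |
    awk -v dst="$1" -v port="$2" '
        $2 == dst && $3 == port && $4 == "TCP" { n[$1]++ }
        END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2 | head -n "${3:-10}"
}

# Constructed sample lines (documentation addresses, tail fields shortened).
sample_conntab() {
cat <<'EOF'
<(inbound, src=[198.51.100.7,40001], dest=[203.0.113.10,443], TCP); 3590/3600, rule=0>
<(inbound, src=[198.51.100.7,40002], dest=[203.0.113.10,443], TCP); 3580/3600, rule=0>
<(inbound, src=[198.51.100.7,40003], dest=[203.0.113.10,443], TCP); 3570/3600, rule=0>
<(inbound, src=[198.51.100.70,51000], dest=[203.0.113.10,443], TCP); 3500/3600, rule=0>
<(inbound, src=[198.51.100.9,51001], dest=[203.0.113.10,443], TCP); 3400/3600, rule=0>
<(inbound, src=[198.51.100.9,51002], dest=[203.0.113.10,443], TCP); 3300/3600, rule=0>
<(inbound, src=[198.51.100.7,40004], dest=[203.0.113.10,80], TCP); 3200/3600, rule=0>
EOF
}

# Demo on the constructed sample: top talkers to the web server on 443.
sample_conntab | top_sources 203.0.113.10 443 5
```

The counts are a snapshot of the connections table at the moment the command runs, so entries that are idle but not yet timed out are included.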

 

genisis__
Leader

Is there a way to determine the top ten highest concurrent connections? I have high spikes of connections on a regular basis and want to determine the IPs involved during this spike event.

_Val_
Admin

Look into sk172229. Also, there are tools like connstat.exe from sk85780, and at least a couple of third-party tools in the ToolBox, by Heiko.

genisis__
Leader

Will take a look, thanks.

Blason_R
Leader

I still feel that this could be the wrong use case from a CP perspective, and the correct one is that you will always get it, or should get it, from your web server directly. I mean, anyone could just telnet to the server on port 443 and kill the session; the firewall will keep this entry idle for 3600 seconds as per the default timer, and he might not be browsing the pages, yet the firewall could still consider this a session even though it is not valid.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Scheer
Participant

@Blason_R Currently we are using a cloud WAF and only permitted public IP addresses can access the web server. We need to figure out an LB issue. Therefore, we need to check the concurrent session count at the firewall level (sessions or request count).

Blason_R
Leader

Correct!! In this case you can easily get the actual hits from your WAF rather than your firewall, because the firewall is only going to see traffic from a single source or a pool of IP addresses belonging to your WAF cloud provider.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Scheer
Participant

@Blason_R Yes, we can get that information on the WAF. Unfortunately, the app support team informs us that https web traffic is not balancing among the servers (04 web servers). They use Zabbix to monitor their utilization. The WAF provides details per TCP connection and Zabbix provides details per request. That is why we need to figure out the concurrent session count.

Also, is there any way to get details from old logs (currently we have one month of logs in our MGMT), like traffic distribution per IP at the TCP level?

PhoneBoy
Admin

You’d have to create a custom report in SmartEvent.
That assumes you’ve logged all the relevant traffic, of course.

cpview might be another option.

Why are you not checking this on the web servers directly, though?
