Concurrent Connections
Hi,
I need to know how to find out the concurrent session count per single IP address. As an example, how many https sessions there are for a single web server concurrently.
I also need to know the meaning of the highlighted count below (attached snapshot).
Thanks
Accepted Solutions
fw ctl conntab | grep ip.add.ress | wc -l from the gateway should do it
That's a good command, never seen it before.
Thanks for your reply. How can I identify that this session is relevant to a service like http or https exactly?
@Lloyd_Braun Is this result for session count or request count?
It's active sessions (i.e. TCP connection is still open).
Number of records refers to the number of log entries in that file.
Of course, the fact you're showing a screenshot from SmartView Tracker tells me you're probably on a pre-R80 release, which is no longer supported.
SmartView Tracker on R8x isn't supported either (though the binaries are still there).
Our Management Server is R81.10 and Security Gateway is R80.30. I am using C:\Program Files (x86)\CheckPoint\SmartConsole\R81.10\PROGRAM\CPlgv.exe to track the concurrent sessions.
Is there another method to fulfill my requirement?
Even though we include the SmartView Tracker binaries as part of the SmartConsole installation still, it's no longer supported as of R80.
Which means you should find a different way to achieve the same result.
The method @Lloyd_Braun specified is the best way to do it.
@PhoneBoy How can I identify that this session is relevant to a service like http or https exactly?
If you look at the output of fw ctl conntab, you have your answer:
<(outbound, src=[10.6.5.251,44738], dest=[3.234.44.184,443], TCP); 2503/3600, rule=0, tcp state=DST_FIN, service=nfsd(393), Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1, ISP-Redundancy, SynDoSDefender>
This connection is related to https (TCP 443, as bolded in the above output).
If you just want to see the number of https connections from a specific IP, from expert mode:
fw ctl conntab | grep x.y.z.w | grep ",443], TCP" | wc -l
Is there a way to determine the top ten high concurrent connections? I have high spikes of connections on a regular basis and want to determine the IPs involved during this spike event.
Look into sk172229. Also, there are tools like connstat.exe from sk85780, and at least a couple of third-party tools in the ToolBox, by Heiko
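Added example (not part of the thread and not Check Point's own tooling): the per-IP https count and the top-talker question above, answered by parsing each record into fields instead of chaining grep, so that 203.0.113.20 does not also match 203.0.113.200, with a per-state breakdown of the matching entries. The sample records, the addresses and the ESTABLISHED state name are constructed assumptions; only the record layout and DST_FIN come from the output quoted in the thread.

```shell
#!/bin/bash
# Added example: per-field counting over conntab-style records.

# Constructed sample records in the layout quoted in the thread (not gateway output).
# DST_FIN appears in the thread; ESTABLISHED is an assumed state name.
rec() {
  printf '<(outbound, src=[%s,%s], dest=[%s,%s], TCP); 120/3600, rule=0, tcp state=%s, Ifnsin=1, Ifnsout=1>\n' "$@"
}
sample_conntab() {
  rec 192.0.2.10  40001 203.0.113.20  443 ESTABLISHED
  rec 192.0.2.10  40002 203.0.113.20  443 ESTABLISHED
  rec 192.0.2.10  40003 203.0.113.20  443 DST_FIN
  rec 192.0.2.11  51000 203.0.113.20  443 ESTABLISHED
  rec 192.0.2.100 52000 203.0.113.20  80  ESTABLISHED
  rec 192.0.2.11  51001 203.0.113.200 443 ESTABLISHED
}

# Normalise stdin to: src_ip src_port dst_ip dst_port proto tcp_state
# Lines that do not match the layout are skipped.
conn_fields() {
  sed -n 's/^<([a-z]*, src=\[\([^,]*\),\([0-9]*\)], dest=\[\([^,]*\),\([0-9]*\)], \([A-Z]*\)).*tcp state=\([A-Z_]*\).*/\1 \2 \3 \4 \5 \6/p'
}

# Entries whose destination is exactly IP:PORT (whole-field match, not substring).
count_to() {
  conn_fields | awk -v ip="$1" -v port="$2" '$3 == ip && $4 == port { n++ } END { print n + 0 }'
}

# The same entries broken down by TCP state, so half-closed ones stand out.
states_to() {
  conn_fields | awk -v ip="$1" -v port="$2" \
    '$3 == ip && $4 == port { c[$6]++ } END { for (s in c) print c[s], s }' | sort -k1,1nr -k2
}

# Top N source IPs by number of table entries (default 10).
top_sources() {
  conn_fields | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' |
    sort -k1,1nr -k2 | head -n "${1:-10}"
}

# Demo on the sample; on a gateway, pipe `fw ctl conntab` into the same functions.
sample_conntab | count_to 203.0.113.20 443
sample_conntab | states_to 203.0.113.20 443
sample_conntab | top_sources 2
```

On the sample, the grep chain from the thread run against 203.0.113.20 reports 5 entries because the pattern also matches 203.0.113.200, while the field comparison reports 4.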
Will take a look, thanks.
I still feel that could be the wrong use case from a CP perspective; the correct one is that you will always get it, or should get it, from your web server directly. I mean, anyone could even just telnet to the server on port 443 and kill the session; the firewall will keep this entry idle for 3600 seconds as per the default timer, and he might not be browsing the pages, however the firewall could still consider this a session even though it is not valid.
Blason R
CCSA,CCSE,CCCS
@Blason_R Currently we are using a cloud WAF, and only permitted public IP addresses can access the web server. We need to figure out an LB issue. Therefore, we need to check the concurrent session count at the firewall level (sessions or request count).
Correct!! In this case you can easily get the actual hits on your WAF rather than your firewall, because the firewall is only going to see the traffic from a single source or pool of IP addresses belonging to your WAF cloud provider.
Blason R
CCSA,CCSE,CCCS
@Blason_R Yes, we can get that information on the WAF. Unfortunately, the app support team informs us that https web traffic is not balancing among the servers (04 web servers). They use Zabbix to monitor their utilization. The WAF provides details per TCP connection and Zabbix provides details per request. That is why we need to figure out the concurrent session count.
Also, is there any way to get details from old logs (currently we have one month of logs in our MGMT), like traffic distribution per IP at the TCP level?
You’d have to create a custom report in SmartEvent.
That assumes you’ve logged all the relevant traffic, of course.
cpview might be another option.
Why are you not checking this on the web servers directly, though?