Kaspars_Zibarts
Authority

How to manually delete an entry from the Connections Table

Not that you really need to use this often, but it has saved my day once or twice a year. Great SK103876 is available, but in a stressful situation calculating HEX numbers is the last thing you want to do, and then compiling a complex command out of it is even more challenging.

This one-liner actually gives you an opportunity to generate all fw tab kill commands in one file for a pair of given IP addresses. Tested on R80.10 GW but I'm fairly confident it would work in R77. 


IPA="x.x.x.x"; IPB="y.y.y.y"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk  '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall


You will need to dump all your current connections into a file called table first, of course. You may add this to the front of the above to make it a true one-liner, but I found it easier to do this in two steps as you have more control.


fw tab -t connections -u > table


And the result is in a file called listofall. Then you just execute those commands, by copy-paste for example, or chmod the file itself and run it.

Here's an example:

[screenshot: manually clear connections]

And of course, you can add port numbers if needed.

15 Replies
PhoneBoy
Admin

Bravo!

EdesLC
Collaborator

Nice.

Simon_Garay
Contributor

Thank you very much for sharing this information. 

MKIT_NMG
Participant

Modified it a bit; it's still ugly, but we don't have to do anything now apart from providing the values for IPA & IPB.

#!/bin/bash

#Dump latest copy of connection table
fw tab -t connections -u > table

#Read input for IPA & IPB values
read -p "IPA: " IPAI
read -p "IPB: " IPBI

#The Decimal to Hex conversion takes place and generates the command file
IPA=${IPAI}; IPB=${IPBI}; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk  '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall

#Execute commands generated in the file
/bin/bash listofall

taladrovs
Explorer

Hi,

Great post!

I tried to use this on R80.20 version but it didn't work. Does anyone know if I have to change something in the script?

[screenshot: Captura.PNG]

Thanks a lot.

0 Kudos
Duc_Nguyen_Anh
Explorer

Great!!

Many thanks,

0 Kudos
Brandon_Cotter
Contributor

This really really saved the day for me today after SIP issues following a policy install (sk140112 "Traffic is dropped with error: "fw_handle_old_conn_recovery Reason: old packet rulebase drop"" for the Googlers). Thank you so much!
0 Kudos
Lukas_Sosnovec
Contributor

Hi Brandon,

I am facing the same problem: after policy install, SIP VoIP streams are dropped with "old packet rulebase drop", although the newly installed policy allows it. Deleting the connections from the fw table resolves the issue, and so does rebooting the VoIP gateways. It seems that the old SIP sessions, which can be active for a long time, are somehow disrupted after policy install, so the firewall 'forgets' the corresponding UDP ports for the VoIP data stream and I have to force the SIP session to be initiated again.

This happens only sometimes; I haven't figured out the conditions yet.

Did you make any progress with this issue?

0 Kudos
Kaspars_Zibarts
Authority

Hi Lukas - it's not really relevant to the topic here 🙂 Best would be to start a new thread.

But my two cents: check the settings on connectivity persistence.

[screenshot: image.png]

0 Kudos
Lukas_Sosnovec
Contributor

Hi Kaspar, I tried it already and it seems to help. But from the security point of view this can be considered just a w/a...

Thanks for your point, I will no longer spam here and will create a new thread.

0 Kudos
_Daniel_
Contributor

A wonderful post which saved us after changing a NAT rule to no NAT, but it kept NATing based on existing connections.

It was perfectly tested on R80.30

THANK you

Andrew_Rawlinso
Explorer

Hi @Kaspars_Zibarts how would you go about using this including port numbers? We have a need to reset some connections coming in from particular source ports but leaving the other connections in place.

0 Kudos
Kaspars_Zibarts
Authority

You can try this; it seems to do the trick. I have highlighted the changed sections.

IPA="x.x.x.x"; IPB="y.y.y.y"; SPORT="zzz"; DPORT="zzz"; SPORTHEX=`printf '%08x' ${SPORT}`; DPORTHEX=`printf '%08x' ${DPORT}`; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "$SPORTHEX" | grep "$DPORTHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}' |sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall
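As an added example (not part of the original post, the reply above, or any Check Point tooling), here is the same generation step from both the IP-only one-liner in the original post and the port-aware variant just above, written as a shell function that compares the source/destination (and optional port) fields exactly instead of grepping for the hex string anywhere on the line. The table dump is constructed and assumes the `<direction, src, sport, dst, dport, proto; ...>` layout that both one-liners rely on.

```shell
#!/bin/bash
# Added example, not from the thread: same generation step as the one-liners,
# but the src/dst (and optional sport/dport) fields are compared exactly instead
# of grepping for the hex string anywhere on the line.

# Constructed sample of 'fw tab -t connections -u' output in the layout the
# one-liners assume: <direction, src, sport, dst, dport, proto; rest of entry>.
# The last entry is 10.1.1.2 -> 10.2.2.2, but its tail happens to contain
# 0a010101 (the hex of 10.1.1.1), so a whole-line grep would wrongly select it.
SAMPLE_TABLE='<00000000, 0a010101, 0000c3fc, 0a020202, 00000050, 00000006; 0001, 00000000, 00000000>
<00000001, 0a020202, 00000050, 0a010101, 0000c3fc, 00000006; 0001, 00000000, 00000000>
<00000000, 0a010103, 0000c3fd, 0a020202, 00000050, 00000006; 0001, 00000000, 00000000>
<00000000, 0a010102, 0000c3fe, 0a020202, 00000050, 00000006; 0001, 0a010101, 00000000>'

# Dotted-quad IPv4 -> 8 hex digits as used in the table (10.1.1.1 -> 0a010101).
ip2hex() {
  local IFS=.
  printf '%02x' $1
}

# gen_kill_cmds IPA IPB [SPORT DPORT]: reads the table dump on stdin and prints
# one "fw tab -t connections -x -e <entry>" command per matching entry, in
# either direction (the reverse entry has src/dst and sport/dport swapped).
gen_kill_cmds() {
  local a b sp dp
  a=$(ip2hex "$1"); b=$(ip2hex "$2")
  sp=$(printf '%08x' "${3:-0}"); dp=$(printf '%08x' "${4:-0}")
  awk -v a="$a" -v b="$b" -v sp="$sp" -v dp="$dp" -v nargs="$#" '
    /^<0000000/ {
      line = substr($0, 2)          # drop the leading "<"
      sub(/;.*/, "", line)          # keep only the six key fields
      gsub(/ /, "", line)
      if (split(line, f, ",") < 6) next
      fwd = (f[2] == a && f[4] == b)
      rev = (f[2] == b && f[4] == a)
      if (nargs >= 4) {             # ports given: require an exact match too
        fwd = fwd && f[3] == sp && f[5] == dp
        rev = rev && f[3] == dp && f[5] == sp
      }
      if (fwd || rev) print "fw tab -t connections -x -e " line
    }'
}

# Usage (review the generated list before running it):
#   printf '%s\n' "$SAMPLE_TABLE" | gen_kill_cmds 10.1.1.1 10.2.2.2 > listofall
#   printf '%s\n' "$SAMPLE_TABLE" | gen_kill_cmds 10.1.1.1 10.2.2.2 50172 80
```

On a real gateway, replace the constructed sample with `fw tab -t connections -u` on stdin; the output lines are the same `fw tab -t connections -x -e` commands the thread's listofall file contains.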

Andrew_Rawlinso
Explorer

Thank you for your quick response - we will give this a try. Really appreciate the help.

0 Kudos
akhhc
Explorer

Here's how to clear sessions on Check Point Maestro. I was only concerned with traffic between IPA and IPB, no matter what port it was on, so I removed that part of your script.

# let's work in the temp directory
cd /var/log/tmp
# collect the tables from all SGMs in Maestro cluster, save to a file called 'table'
g_fw tab -t connections -u > table
# filter for IP addresses we wish to clear, format the command, save to a file called 'listofall'
IPA="10.1.1.1"; IPB="10.2.2.2"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}' |sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall
# copy command file to all SGMs
asg_cp2blades /var/log/tmp/listofall
# run script on all SGMs
g_all bash /var/log/tmp/listofall
# you will get errors for 'not found in table connections' these can be ignored.


0 Kudos