This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
waschminator
Explorer
‎2024-09-19 04:01 AM
Jump to solution

Interpreting fwaccel conns

hi,

if i check out fwaccel conns i get 2 entries per session. fine so far. the weird thing: it is hwoing the same througput in both directions ...this is incorrect in theory. 

we are talking of a filetransfer here and i would have expected maybe 494 GB in one directon and in the other direction maybe 100Mbyte becuase this are just ACKs. can anybody explain this?

 

10.101.68.43 2049 10.222.242.148 34889 6 .........T.L.........  494.05GB 0s 11h28m51s 86400/86400
10.222.242.148 34889 10.101.68.43 2049 6 .........T...........   494.05GB 0s 11h28m51s 86400/86400

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2024-09-20 06:13 AM
In response to waschminator
Jump to solution

The key is the "L" (link) flag on one of those entries in your screenshot.  SecureXL and Check Point in general track what we would consider a "connection" as separate flows of packets.  For a connection not subject to NAT there are just two flows (c2s and s2c).  The second line in your output is the original initiating c2s flow (looks like the 10.222 host initiated a NFS connection to 10.101), and the first line is the corresponding linked s2c response flow for that single NFS connection.  Because the two flows are linked together as being associated with the same connection, many of their elements such as consumed bandwidth, idle timeout, and duration are synchronized which is why they are the same value.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2024-09-19 08:22 AM
Jump to solution

Not sure it's actually supposed to show the directional volume or not.
This probably needs a TAC case to confirm the correct/expected behavior.

0 Kudos
waschminator
Explorer
‎2024-09-19 11:50 PM
In response to PhoneBoy
Jump to solution

thx for reply. it seems that the amount of transported traffic is correct. only the bidirectional stuff seems to be incorrect. but i guess it has something todo with the way this connection is handled within this table.

let´s see if somebody else has experience. worst case i ask our support partner or vendor. 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-09-20 06:13 AM
In response to waschminator
Jump to solution

The key is the "L" (link) flag on one of those entries in your screenshot.  SecureXL and Check Point in general track what we would consider a "connection" as separate flows of packets.  For a connection not subject to NAT there are just two flows (c2s and s2c).  The second line in your output is the original initiating c2s flow (looks like the 10.222 host initiated a NFS connection to 10.101), and the first line is the corresponding linked s2c response flow for that single NFS connection.  Because the two flows are linked together as being associated with the same connection, many of their elements such as consumed bandwidth, idle timeout, and duration are synchronized which is why they are the same value.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
waschminator
Explorer
‎2024-09-23 02:52 AM
In response to Timothy_Hall
Jump to solution

thanks for this explanation and confirmation

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events