I'm struggling to find documentation on interpreting the output of the fwaccel conns table. Src and dst IP addresses and ports are obviously self-explanatory but the rest are not as clear.
Is there any documentation I could be directed to?
Thanks in advance.
That depends:
>=R80.20 sk153832: ATRG: SecureXL for R80.20 and above
< R80.20 sk98722: ATRG: SecureXL
Hello CheckMates
I am also curious about these values and codes ... furthermore, to bring all my traffic to Accelerated Path, not just PXL.
I have seen this:
10.1.14.39 50038 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.22.20 50076 6 ...AC..S...... 1/8 8/1 0 0
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.100.100 55559 10.1.24.1 62061 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.3.65 49161 6 ...AC..S...... 1/8 8/1 1 0
10.1.14.63 50266 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 2 0
10.1.100.100 55559 10.1.22.23 50067 6 ...AC..S...... 1/8 8/1 1 0
What does ......P....... stand for?
What are the numbers at the end?
I have excluded the TCP port 55559 from any IPS inspection in the hope of having it on the Accelerated Path ... but it is still all at PXL ...
Honestly, I don't know what kind of traffic is inside TCP/55559; it must be some kind of database traffic.
Any idea what P is ... and what would Accelerated Path look like?
Best regards
Thomas.
Hello,
update to my question:
......P....... will most likely stand for a dropped/failed connection
[Expert@SDAZFW01(active)]# fwaccel conns | grep 10.1.20.103
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.20.103 50082 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.20.103 50082 6 ...AC..S...... 1/8 8/1 0 0
10.1.100.100 55559 10.1.20.103 50077 6 ......P....... -/- -/- 2 0
Just saw it in the logs.
So my question is: is ...AC..S...... just PXL or Accelerated Path?
P indicates the connection is "partial", which means it exists in the Firewall Worker connections state table but not in the SecureXL connections table. This can happen if a connection already existed when a state change occurred in SecureXL (disabled then enabled, or if other SecureXL features like NAT Templates or Drop Templates had their configuration changed). This is normal and just keeps SecureXL from accidentally dropping those packets, to ensure they reach a Firewall Worker for correct handling; obviously that traffic will not be fully accelerated by SecureXL.
Fully accelerated traffic will normally have no flags set, but A (Accounting), N (NAT), and C (encrypted) may appear depending on the connection attributes and it will still be fully accelerated. Generally speaking the presence of any flags other than these three indicates the connection is not fully accelerated and being handled on a Firewall Worker in the PXL/F2F/QXL paths. So your "...AC..S......" connections are Medium Path (PXL). I don't know what the numbers mean at the end of the line.
You said "I have excluded the TCP Port 55559 from any IPS inspection". If you used an IPS/TP exception to do this it will have no effect on acceleration status; an exception simply changes the decision rendered after inspection. You need to use what I call a "null profile" to make that traffic eligible to be fully accelerated: in your TP policy, create a rule matching the 55559 traffic and match it to a TP profile action that has IPS completely unchecked. Even if you do so, there may still be some other blade keeping the traffic from being fully accelerated depending on your configuration.
Dependent on the minor version of your gateway and Jumbo HFA level you may also be able to force the 55559 traffic to be fully accelerated with the "fast_accel" directive, but this option should be exercised with caution.
Yes, the "F" flag means Firewall/F2F path. You can run fwaccel conns -h to see all the possible flags, or see here: sk31404: How to Debug SecureXL.
I ran fwaccel conns -h but I didn't see the flags before I posted my question.
Despite this, thank you.
CUT>>>
...AC..S...... 1/8 8/1 0 0
<<<CUT
A = Shows accounted connections (for which SecureXL counted the number of packets and bytes).
C = Shows encrypted (VPN) connections.
S = Shows connections that undergo PXL.
1/8 = Client to Server interface index 1 in and 8 out
8/1 = Server to Client interface index 8 in and 1 out
0 = Instance
0 = Identity
Available filter flags are:
A - Shows accounted connections (for which SecureXL counted the number of packets and bytes).
a - Shows not accounted connections.
C - Shows encrypted (VPN) connections.
c - Shows clear-text (not encrypted) connections.
F - Shows connections that SecureXL forwarded to Firewall.
Note - In R80.30/R80.40, SecureXL does not support this parameter.
f - Shows cut-through connections (which SecureXL accelerated).
Note - In R80.30/R80.40, SecureXL does not support this parameter.
H - Shows connections offloaded to the SAM card.
Note - R80.30/R80.40, does not support the SAM card (Known Limitation PMTR-18774).
h - Shows connections created in the SAM card.
Note - R80.30/R80.40, does not support the SAM card (Known Limitation PMTR-18774).
L - Shows connections, for which SecureXL created internal links.
l - Shows connections, for which SecureXL did not create internal links.
N - Shows connections that undergo NAT.
Note - In R80.30/R80.40, SecureXL does not support this parameter.
n - Shows connections that do not undergo NAT.
Note - In R80.30/R80.40, SecureXL does not support this parameter.
Q - Shows connections that undergo QoS.
q - Shows connections that do not undergo QoS.
S - Shows connections that undergo PXL.
s - Shows connections that do not undergo PXL.
U - Shows unidirectional connections.
u - Shows bidirectional connections.
P - Shows partial
p - Shows not partial
Hi @Thomas_Eichelbu,
to your question:
P - Shows partial
p - Shows not partial
One thing that is not explained in the documentation is that the C2S i/f and S2C i/f are the interfaces where the packet is received and then transmitted by the firewall, in the Client to Server and Server to Client directions. At the end of the list of connections another table appears, mapping the interfaces to the IDs associated with each one. For example:
Idx Interface
0 lo
1 eth0
2 eth1
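
An added example, not part of any post in this thread and not Check Point code: a small Python parser for fwaccel conns lines that applies the reading given in the replies above (A/N/C alone still count as fully accelerated, S = PXL, F = F2F, P = partial) and resolves the C2S/S2C interface indexes through the trailing Idx/Interface table. The third connection line, its pairing with this interface table, and the function names are constructed for illustration.

```python
# Added example. SAMPLE is constructed: lines 1-2 are quoted in the thread,
# line 3 and the pairing with this interface table are made up for the demo.
SAMPLE = """\
10.1.14.39 50038 10.1.100.100 55559 6 ...AC..S...... 1/8 8/1 0 0
10.1.20.103 50077 10.1.100.100 55559 6 ......P....... -/- -/- 2 0
10.1.5.5 40000 10.1.100.100 443 6 ...A.......... 1/2 2/1 1 0
Idx Interface
0 lo
1 eth0
2 eth1
"""

ACCEL_OK = set("ANC")  # per the thread: these flags alone do not prevent full acceleration


def classify(flags):
    """Map a flags column to the path named in the thread's replies."""
    letters = set(flags.replace(".", ""))
    if "P" in letters:
        return "partial"
    if "F" in letters:
        return "F2F"
    if "S" in letters:
        return "PXL"
    return "accelerated" if letters <= ACCEL_OK else "not fully accelerated"


def parse(text):
    """Return one dict per connection line, with interface indexes resolved."""
    ifaces, rows = {}, []
    lines = [l.split() for l in text.splitlines()]
    for f in lines:  # first pass: the trailing Idx/Interface table
        if len(f) == 2 and f[0].isdigit():
            ifaces[f[0]] = f[1]
    def names(pair):  # "1/8" -> "eth0/8" (unknown indexes and "-" stay as-is)
        return "/".join(ifaces.get(i, i) for i in pair.split("/"))
    for f in lines:  # second pass: 10-column connection lines
        if len(f) == 10 and "/" in f[6] and "/" in f[7]:
            rows.append({"src": f"{f[0]}:{f[1]}", "dst": f"{f[2]}:{f[3]}",
                         "proto": int(f[4]), "flags": f[5].replace(".", ""),
                         "path": classify(f[5]), "c2s": names(f[6]),
                         "s2c": names(f[7]), "instance": int(f[8])})
    return rows


if __name__ == "__main__":
    for row in parse(SAMPLE):
        print(row)
```

Counting the "path" values over a saved capture of the command output shows at a glance how much traffic is staying in PXL or partial state.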