This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Djelo_Arnautali
Participant
‎2021-10-26 02:30 AM

No entry in connection or secureXL table!

Hello,

i have a strange issue on Gaia R80.40_T125. I can't find an entry for a specific connection in the connection table nor in the secureXL table. The traffic is passing the firewall and there is a log for that connection on the SMS. Also i cant find the entry in the NAT table for that connection. In the attachement you can see the cppcap output for that flow,the log in the SMS and the outputs from searching the connection and the secureXL table. I searched the connection and secureXL tables after a minute from searching the SMS and finding the log and because it's a TCP connection the timeout should be 3600 seconds so the connection is not timed out and should be in the table.

Where are the information for the connections stored? 🙄

Preview file
55 KB
Preview file
174 KB
Preview file
153 KB
0 Kudos
6 Replies
_Val_
Admin
Admin
‎2021-10-26 03:13 AM

Can you please post "fw tab -t connections | grep..." output? It may not be accelerated at all

 

0 Kudos
Djelo_Arnautali
Participant
‎2021-10-26 03:35 AM
In response to _Val_

 

Hello Val,

in the attached photo 2.jpg there is the output of that command and it's empty.

 

0 Kudos
_Val_
Admin
Admin
‎2021-10-26 03:58 AM
In response to Djelo_Arnautali

You are right, missed that one. Can you try grepping just on the first octet? Also, fw monitor, does it show anything for this host?

0 Kudos
Djelo_Arnautali
Participant
‎2021-10-26 04:35 AM
In response to _Val_

In the attachement 4.png i greped for only the first octet but with no result.This error:failed to read field product started to apper after i installed JHF 125 yesterday. The fw monitor does see the connections and based on the output it is handled by the fw worker 4 (5.png) so it should be in the connection table and not in the secureXL but as you can see i cant find it.

Preview file
33 KB
Preview file
74 KB
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-10-26 07:05 AM
In response to Djelo_Arnautali

First off, you need to pass the -u option to your fw tab -t connections -f command or it will only display the first 50 entries or so.

Also the correct command to view the SecureXL connections table is fwaccel conns, not fwaccel conn.  Note that if a connection is not partially or fully accelerated (i.e. in the F2F path) it will not appear in the output of fwaccel conns at all with a f/F flag marking, this behavior changed in R80.30.

As far as not seeing the connection with fw ctl conntab, you may be running afoul of this: sk126573: Incorrect output of "fw ctl conntab" when CoreXL is enabled

If even with these corrections you still can't find the connection, try looking at the global dispatcher connection table with fw ctl multik gconn.  If you can't find it there something is seriously wrong.  You can also try the undocumented command fw_mux all to look at the connections table from the perspective of the multiplexer/pipeline-based paths.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Djelo_Arnautali
Participant
‎2021-10-29 03:10 AM
In response to Timothy_Hall

I checked the connection table with the parametar -u and also the global dispatcher connection table and the fw_mux all but i cant find my connection. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events