I have question about number of concurrent connections shown in CPView Utility.
CPView utility is nice and for most of my colleagues very easy understable utility for quick performance check. Usually we are running cluster solution and I must admit that it is quite confusing what we can see on Active and Standby nodes about connections. When SecureXL is active it shows only active connections on STANDBY node but not all synchronized connection summary from connection table.
Active node:
Standby node:
This situation is correct according to sk103496:
Symptoms
The number of concurrent connections shown in CPView Utility is less than shown in the output of '
fw ctl pstat' or in the output of 'fw tab -t connections -s' command.The number of concurrent connections shown in CPView Utility differs depending on whether SecureXL is enabled or disabled.
CauseThe command '
fwaccel stats' (counter "C total conns") shows the connections in SecureXL FWAccel module.
The command 'fw ctl pstat' (counter "Concurrent Connections") shows the connections in FW module.CPView Utility is designed to show the actual amount of connections that currently pass through the Security Gateway. This counter is adjusted according to which Check Point kernel module is handling the traffic:
- When SecureXL is enabled, CPView Utility shows the connections from the SecureXL FWAccel module (run the command fwaccel stats | grep "C total conns")
- When SecureXL is disabled, CPView Utility shows the connections from the FW module (run the command fw tab -t connections -s and refer to #VALS column)
The difference in the number of connections when SecureXL is enabled or disabled is due to the fact that:
- SecureXL SIM module does not show certain connections - e.g., ClusterXL synchronization connections.
- FW module does not show certain connections - e.g., Delayed connections.
In addition, the big difference between the output of '
fwaccel conns -s' command and output of 'fwaccel stats | grep "C total conns"' is due to the fact that the command 'fwaccel conns -s' shows both Client-to-Server and Server-to-Client connections, while the command 'fwaccel stats grep "C total conns"'| compresses these connections into one connection.SolutionNo fix is required; the system is functioning as designed.
At least for me it makes sense to see concurent connections equal in CPView for both cluster members. In that case we can see easily that it is synchronized.
Do you know anyone what is behind current design?
Do you prefer to keep it as is or change it to equal view?
Actually that SK does not apply to your question. Cpview is just showing ACTIVE concurrent connections running through your firewall. And since standby firewall will only have a handful of active connections (to/from itself) then output is correct. If you want to see that connections table is more or less the same in the cluster just use
fw tab -t connections -s
that will be fairly close on both.
Cpview will show combined values from fwaccel stat
Actually that SK does not apply to your question. Cpview is just showing ACTIVE concurrent connections running through your firewall. And since standby firewall will only have a handful of active connections (to/from itself) then output is correct. If you want to see that connections table is more or less the same in the cluster just use
fw tab -t connections -s
that will be fairly close on both.
Cpview will show combined values from fwaccel stat
| User | Count |
|---|---|
| 28 | |
| 22 | |
| 19 | |
| 13 | |
| 10 | |
| 9 | |
| 9 | |
| 8 | |
| 6 | |
| 6 |
Mon 25 Nov 2024 @ 02:00 PM (EST)
(Americas) AI Series Part 3: Maximizing AI to Drive Growth and EfficiencyTue 26 Nov 2024 @ 10:00 AM (CET)
EMEA Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 26 Nov 2024 @ 03:00 PM (CET)
Navigating NIS2: Practical Steps for Aligning Security and ComplianceTue 26 Nov 2024 @ 05:00 PM (CET)
Discover the Future of Cyber Security: What’s New in Check Point’s Quantum R82Tue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopTue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsMon 25 Nov 2024 @ 02:00 PM (EST)
(Americas) AI Series Part 3: Maximizing AI to Drive Growth and EfficiencyTue 26 Nov 2024 @ 10:00 AM (CET)
EMEA Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 26 Nov 2024 @ 03:00 PM (CET)
Navigating NIS2: Practical Steps for Aligning Security and ComplianceTue 26 Nov 2024 @ 05:00 PM (CET)
Discover the Future of Cyber Security: What’s New in Check Point’s Quantum R82Tue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopWed 04 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 2: Cloud Risk Management Workshop
