Hello @Teddy_Brewski ,
As we were facing some HIGH Connection Spikes in our environment, and we were blind - as in not be able to see the traffic at that particular moment it was happening - we've created a script that runs in the background and watches the current connections through time.
Collecting those current connections values, we calculate an average for the last hour, and in case the number of connections from this moment is bigger than the 1hour average plus 25% (or whatever value you can consider a valid increase) then we trigger the data gathering.
Data gathering, it means it's dumping all "$FW ctl conntab " into a file, then we parse that file and report on the top 5 IP's that are source and top 5 IPs that are destination and more than that, on each one from those 5 we report top 10 IP's that hare high connetions.
In other words, if you have a public DNS behind the CheckPoint, and that has high number of connections, then we will show top 10 source IP's towards that DNS server.
This script helped us see what were the spikes we encounter - like 1 - 1.5MIL connections that we got lowered to 200-300K connections now 😁.
All those things are done in the background, and the report get's emailed, plus you can email the FWL connection export (still it's an HUGE file - like 40 - 50Mb) .
So, if this it would help, then let me know and we can discuss this week, share the script here and walk over .
PS: we intend to share that script here on CheckMates, but there are still some parts in work ....