This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kamilazat
Advisor
‎2024-10-22 06:01 AM

Unrealistic number sent on SNMP

Hello everyone!

Could anyone illuminate me if the number I see in Skyline actually is realistic?

We see a "P" suffix in TCP Established column in cpview:

 

1.png

 

And in Skyline we see this number:

2.png

 

Now, I'm pretty sure that the "P" doesn't stand for Psycho. But the number we see there surely is!

asg_perf -v shows this:

Screenshot 2024-10-22 155846.png

To be honest, I want to say that there is no problem, given the numbers here. But without knowing what P means, I can't really be confident.

Any opinions would be much appreciated.

 

Cheers!

 

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee
‎2024-10-22 06:37 AM

Which SNMP (OID) number are you comparing, are you confusing Skyline vs SNMP?

CCSM R77/R80/ELITE
0 Kudos
kamilazat
Advisor
‎2024-10-24 12:08 AM
In response to Chris_Atkinson

Hi @Chris_Atkinson sorry for the late answer. 

We have monitoring configured via Skyline (metrics from cpview are sent from the SGM to the Prometheus DB, after which they are visualized in Grafana).

Do you happen to know what "P" stands for in cpview?

0 Kudos
the_rock
Legend
Legend
‎2024-10-22 06:48 AM

I know P is for push in tcpdump, but here, comparing screenshots you sent, from the 2nd one, number matches in billions, so logically, sounds like it would imply 15 billion packets? Just my ecucated guess...

Andy

0 Kudos
kamilazat
Advisor
‎2024-10-24 01:32 AM
In response to the_rock

Hi @the_rock I've tested the behavior of the "TCP Established" column in a lab, and the moment connections close, the number decreases. And it increases as new connections are made (I wrote a bash script to create concurrent connections).

Could it be that that Maestro is receiving an attack? 

0 Kudos
kamilazat
Advisor
‎2024-10-27 11:08 AM
In response to the_rock

I think that number means "Peta", considering the number in Grafana starts with the same 5 digits. At least math check out there. So this means SNMPD actually sends the correct number ("18446P") from CPView.

Then my question is, whether the value in TCP Establised column decreases as the connections close. In my lab, I tried establishing some 500 connections from a host and I see the increase in numbers, but when I close the connections it goes back down. 

So which one is the correct behavior, the total values of all times, or only the value of active TCP connections?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top