Friday, September 25, 2015

Checkpoint firewall - Connection table analysis

Here are a few commands that I usually use to verify the status of a Checkpoint gateway.

First of all, let's check the connections managed by the firewall.


fw tab -t connections -u > /var/log/$(hostname)_Connections_Table.txt 

Copy this file to a Windows machine with connstat.exe.

Download connstat from Checkpoint 

Run connstat.exe 

connStat.exe -f Name_of_Table_File.txt [-a|-c|-s|-r|-l|-p|-d|-n <number>] > Name_of_Output_File.txt

Usage: connStat -f <Table File> [-a|-c|-s|-r|-l|-p|-d|-n <num>]

-a Show all flags
-c Connection state info
-s Top X Services used
-r Top X Rule used
-l Top X Least Used Rules
-d Top Clients and Servers
-i Interfaces connection directions
-p Top Protocols
-n Specify X

                                                                  
Here is a sample output generated by connstat

Total Number of connections: 21958
============================
Started: 5809
Established: 11986
Closed: 3682
Half Closed: 481

Top 10 Services:
================
Service: 443 Hits: 5877 Rules: 29,400,72,104,100,377,189,330,16,119,198,159,224,332,269,201,105,277,60,241,234,209,352,326,101,199,382,278
Service: 53 Hits: 4544 Rules: 35,73,72,188,189,25,0,101
Service: 9081 Hits: 3021 Rules: 225,240
Service: 80 Hits: 1469 Rules: 331,326,119,72,73,16,101,235,222,60,283,112,278,327,352,330,118,382,386
Service: 8008 Hits: 1083 Rules: 72
Service: 8080 Hits: 891 Rules: 72,101,73,395,66,62,267
Service: 0 Hits: 562 Rules: 16,72,66,73,67,0,195,101
Service: 8010 Hits: 356 Rules: 72
Service: 161 Hits: 267 Rules: 72,73,16,101
Service: 18192 Hits: 249 Rules: 0

Top 10 Rules:
=============
Rule: 240 Hits: 3004       -- this rule should be moved higher
Rule: 72 Hits: 2946
Rule: 29 Hits: 2841
Rule: 105 Hits: 2658
Rule: 00 Hits: 1815
Rule: 73 Hits: 1093
Rule: 35 Hits: 1015
Rule: 188 Hits: 1005
Rule: 331 Hits: 823       -- this rule should be moved higher
Rule: 189 Hits: 624       -- this rule should be moved higher

Top 10 Least Used Rules:
========================
Rule: 234 Hits: 1
Rule: 258 Hits: 1
Rule: 229 Hits: 1
Rule: 127 Hits: 1
Rule: 26 Hits: 1
Rule: 292 Hits: 1
Rule: 348 Hits: 1
Rule: 06 Hits: 1
Rule: 251 Hits: 1
Rule: 187 Hits: 1


The file gives a lot of information that you can study to better optimize the firewall's performance.
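One way to turn the connstat report into a review shortlist, as an added example (not part of the original post and not a Check Point tool): the Python below parses the totals and the "Top 10 Rules" section of the sample output above and lists rules that carry a noticeable share of connections yet sit deep in the rule base. The function names and the thresholds (rule number 100 or higher, at least 2% of connections) are assumptions; before moving any rule up, check that no rule above its new position matches the same traffic with a different action.

```python
import re

# Abridged copy of the sample connstat output shown above.
SAMPLE = """\
Total Number of connections: 21958
Started: 5809
Established: 11986
Closed: 3682
Half Closed: 481

Top 10 Rules:
Rule: 240 Hits: 3004       -- this rule should be moved higher
Rule: 72 Hits: 2946
Rule: 29 Hits: 2841
Rule: 105 Hits: 2658
Rule: 00 Hits: 1815
Rule: 73 Hits: 1093
Rule: 35 Hits: 1015
Rule: 188 Hits: 1005
Rule: 331 Hits: 823       -- this rule should be moved higher
Rule: 189 Hits: 624       -- this rule should be moved higher

Top 10 Least Used Rules:
Rule: 234 Hits: 1
"""

def parse_connstat(text):
    """Return total connections, per-state counts and the 'Top N Rules' hits."""
    report = {"total": 0, "states": {}, "rules": {}}
    section = None
    for line in text.splitlines():
        line = line.split("--")[0].strip()  # drop trailing "-- note" annotations
        if m := re.match(r"Total Number of connections:\s*(\d+)", line):
            report["total"] = int(m.group(1))
        elif m := re.match(r"Top \d+ (.+):$", line):
            section = m.group(1)  # "Rules", "Least Used Rules", "Services", ...
        elif m := re.match(r"(Started|Established|Closed|Half Closed):\s*(\d+)", line):
            report["states"][m.group(1)] = int(m.group(2))
        elif section == "Rules" and (m := re.match(r"Rule:\s*(\d+)\s+Hits:\s*(\d+)", line)):
            report["rules"][int(m.group(1))] = int(m.group(2))
    return report

def reorder_candidates(report, min_position=100, min_share=0.02):
    """Busy rules deep in the rule base, busiest first (thresholds are assumptions)."""
    total = report["total"]
    if not total:
        return []
    hot = [(rule, hits, round(hits / total, 3)) for rule, hits in report["rules"].items()
           if rule >= min_position and hits / total >= min_share]
    return sorted(hot, key=lambda item: -item[1])
```

The result is a list of candidates to review, not a reordering plan: hit counts come from a single snapshot of the connections table, so compare several snapshots taken at different times before changing the policy.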


