fw tab

Description

Shows data from the specified Security Gateway kernel tables.

This command also lets you change the content of dynamic kernel tables. You cannot change the content of static kernel tables.

Kernel tables (also known as State tables) store data that the Firewall and other Software Blades use to inspect packets. These kernel tables are a critical component of Stateful Inspection.

Notes:

Use the fw tab -t connections -f command if you want to see the detailed (and more technical) information about the current connections in the Connections kernel table (ID 8158).
Use the fw ctl conntab command if you want to see the simplified information about the current connections in the Connections kernel table (ID 8158).

Syntax

fw [-d]

{-h | -help}

[-v] [-t <Table>] [-c | -s] [-f] [-o <Output File>] [-r] [-u | -m <Limit>] [-a -e <Entry>] [ -x [-e <Entry>]] [-y] [<Name of Object>]

Parameters

Parameter	Description
`-d`	Runs the command in debug mode. Use only if you troubleshoot the command itself.
`{-h \| -help}`	Shows the built-in usage.
`-t <`Table`>`	Specifies the kernel table by its name of unique ID. To see the names and IDs of the available kernel tables, run: `fw tab -s` Because the output of this command is very long, we recommend to redirect it to a file. For example: `fw tab -s > /tmp/output.txt`
`-a -e <`Entry`>`	Adds the specified entry to the specified kernel table. If a kernel table has the `expire` attribute, when you add an entry with the "`-a -e <`Entry`>`" parameter, the new entry gets the default table timeout. You can use this parameter only on the local Security Gateway. Caution - If you add a wrong entry, you can make your Security Gateway unresponsive.
`-c`	Shows formatted kernel table data in the common format. This is the default.
`-e <`Entry`>`	Specifies the entry in the kernel table. Important - Each kernel table has its own internal format.
`-f`	Shows formatted kernel table data. For example, shows: All IP addresses and port numbers in the decimal format. All dates and times in human readable format. Note - Each table can use a different style. Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.
`-o <`Output File`>`	Saves the output in the specified file in the CL format as a Check Point Firewall log. You can later open this file with the `fw log` command. If you do not specify the full path explicitly, this command saves the output file in the current working directory.
`-m <`Limit`>`	Specifies the maximal number of kernel table entries to show. This command counts the entries from the beginning of the kernel table.
`-r`	Resolves IP addresses in the formatted output.
`-s`	Shows a short summary of the kernel table data.
`-u`	Specifies to show an unlimited number of kernel table entries. Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.
`-v`	Shows the CoreXL FW instance number as a prefix for each line.
`-x [-e <`Entry`>]`	Deletes all entries or the specified entry from the specified kernel table. You can use this parameter only on the local Security Gateway. Caution - If you delete a wrong entry, you can break the current connections through your Security Gateway. This includes the remote SSH connection.
`-y`	Specifies not to show a prompt before Security Gateway executes a command. For example, this applies to the parameters `-a` and `-x`.
`<`Name of Object`>`	Specifies the name of the Security Gateway or Cluster Member object (as defined in SmartConsole), from which to show the information. Use this parameter only on the Management Server. This requires the established SIC with that Check Point computer. If you do not use this parameter, the default is `localhost`.

Example 1 - Show the summary of all kernel tables

[Expert@MyGW:0]# fw tab -s

HOST NAME ID #VALS #PEAK #SLINKS

localhost vsx_firewalled 0 1 1 0

localhost firewalled_list 1 2 2 0

localhost external_firewalled_list 2 0 0 0

localhost management_list 3 2 2 0

localhost external_management_list 4 0 0 0

localhost log_server_list 5 0 0 0

localhost ips1_sensors_list 6 0 0 0

localhost all_tcp_services 7 141 141 0

localhost tcp_services 8 1 1 0

... ...

localhost connections 8158 2 56 2

... ...

localhost up_251_rule_to_clob_uuid 14083 0 0 0

... ...

localhost urlf_cache_tbl 29 0 0 0

localhost proxy_outbound_conn_tbl 30 0 0 0

localhost dns_cache_tbl 31 0 0 0

localhost appi_referrer_table 32 0 0 0

localhost uc_hits_htab 33 0 0 0

localhost uc_cache_htab 34 0 0 0

localhost uc_incident_to_instance_htab 35 0 0 0

localhost fwx_cntl_dyn_ghtab 36 0 0 0

localhost frag_table 37 0 0 0

localhost dos_blacklist_notifs 38 0 0 0

[Expert@MyGW:0]#

Example 2 - Show the raw data from the Connections table

[Expert@MyGW:0]# fw tab -t connections

localhost:

-------- connections --------

dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited

<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1, 00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800, 000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 1996/3600>

<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006> (00000805)

<00000000, c0a8cc01, 0000c9f6, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1, 00000000, 5b9679de, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800, 000f9000, 00000080, 00000000, 00000000, 38edaa98, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3597/3600>

<00000001, c0a8cc28, 00000016, c0a8cc01, 0000c9f6, 00000006> -> <00000000, c0a8cc01, 0000c9f6, c0a8cc28, 00000016, 00000006> (00000805)

[Expert@MyGW:0]#

Example 3 - Show the formatted data from the Connections table

[Expert@MyGW:0]# fw tab -t connections -f

Using cptfmt

Formatting table's data - this might take a while...

localhost:

Date: Sep 10, 2018

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 55411; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: 0000780000000000; Expires: 2/40; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53901; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires: 2002/3600; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 53901; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 192.168.204.1; SPort_1: 53901; Dest_1: 192.168.204.40; DPort_1: 22; Protocol_1: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 51702; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires: 3600/3600; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 51702; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 192.168.204.1; SPort_1: 51702; Dest_1: 192.168.204.40; DPort_1: 22; Protocol_1: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 55411; Protocol: udp; CPTFMT_sep_1: ->; Direction_2: 1; Source_2: 192.168.204.40; SPort_2: 55411; Dest_2: 192.168.204.1; DPort_2: 53; Protocol_2: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

[Expert@MyGW:0]#

Example 4 - Show only two entries from the Connections table

[Expert@MyGW:0]# fw tab -t connections -m 2

localhost:

-------- connections --------

dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited

<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006> (00000805)

...(4 More)

[Expert@MyGW:0]#

Example 5 - Show the raw data from the Connections table and show the IDs of CoreXL FW instances for each entry

[Expert@MyGW:0]# fw tab -t 8158 -v

localhost:

-------- connections --------

dynamic, id 8158, num ents 6, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited

[fw_0] <00000001, c0a80335, 00004710, c0a803f0, 00008652, 00000006> -> <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006> (00000805)

[fw_0] <00000001, c0a80335, 00008adf, c0a803f0, 0000470f, 00000006; 0002d001, 00046000, 10000000, 0000000e, 00000000, 5b9a4129, 00030000, 3503a8c0, c0000000, ffffffff, ffffffff, 00000001, 00000001, 00000800, 00000000, 80008080, 00000000, 00000000, 338ea330, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3162/3600>

[fw_0] <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000, 0000000f, 00000000, 5b8fed6a, 00030001, 3503a8c0, c0000000, 00000001, 00000001, ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 337b0978, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3599/3600>

[fw_0] <00000000, c0a803f0, 0000470f, c0a80335, 00008adf, 00000006> -> <00000001, c0a80335, 00008adf, c0a803f0, 0000470f, 00000006> (00000806)

[fw_0] <00000001, c0a80334, 00004710, c0a803f0, 0000a659, 00000006> -> <00000000, c0a803f0, 0000a659, c0a80334, 00004710, 00000006> (00000805)

[fw_0] <00000000, c0a803f0, 0000a659, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000, 0000000f, 00000000, 5b8feabb, 0000007a, 3403a8c0, c0000000, ffffffff, ffffffff, ffffffff, ffffffff, 00000000, 10000000, 04000080, 00000000, 00000000, 3364aed0, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3484/3600>

[fw_1] <00000001, c0a80334, 00004710, c0a803f0, 0000bc74, 00000006> -> <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006> (00000805)

[fw_1] <00000001, c0a80335, 00000016, ac14a810, 0000e056, 00000006> -> <00000000, ac14a810, 0000e056, c0a80335, 00000016, 00000006> (00000805)

[fw_1] <00000000, ac14a810, 0000e056, c0a80335, 00000016, 00000006; 0001c001, 00044000, 00000003, 000001df, 00000000, 5b9a3832, 00030000, 3503a8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 33410370, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3600/3600>

[fw_1] <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000, 0000000f, 00000000, 5b8fe89b, 00000001, 3403a8c0, c0000001, ffffffff, ffffffff, ffffffff, ffffffff, 00000000, 10000000, 04000080, 00000000, 00000000, 335841e0, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3600/3600>

[fw_2] <00000000, c0a803f0, 0000ab74, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000, 0000000f, 00000000, 5b8fed7e, 00030000, 3503a8c0, c0000002, 00000001, 00000001, ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 33337660, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3556/3600>

[fw_2] <00000001, c0a80335, 00004710, c0a803f0, 0000ab74, 00000006> -> <00000000, c0a803f0, 0000ab74, c0a80335, 00004710, 00000006> (00000805)

[fw_2] <00000001, c0a80335, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011> (00000805)

[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000, 00000003, 00000028, 00000000, 5b8fed76, 00030000, 3503a8c0, c0000002, 00000001, ffffffff, ffffffff, ffffffff, 00000800, 08000000, 00000084, 00000000, 00000000, 336d4e30, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 38/40>

[fw_2] <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011; 00010001, 00004100, 00000003, 00000028, 00000000, 5b8fed72, 0000025f, 3403a8c0, c0000002, ffffffff, ffffffff, ffffffff, ffffffff, 00000000, 10000000, 04000084, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 39/40>

[fw_2] <00000001, c0a80334, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011> (00000805)

Table fetched in 3 chunks

[Expert@MyGW:0]#