rtm monitor

Description

Starts the monitoring process for an interface or a Virtual Link on the Security Gateway / each Cluster Member.

If options and grouping are not used, this command monitors all traffic, on all interfaces, in both directions.

Syntax

rtm monitor vl <Virtual_Link_Name> [-t {wire | application}] [-h <Module>]

rtm monitor <Key_1> [<Key_2> [<Key_3>] [<Key_4>]] <Value_Column_1> [<Value_Column_2> [<Value_Column_3>] [<Value_Column_4>] [<Value_Column_5>] [<Value_Column_6>]] [<Filter>] [<Options>]

Parameters

Parameter

Description

No Parameters

Shows the built-in usage and examples.

<Virtual_Link_Name>

Specifies the name of the monitored Virtual Link.

-t {wire | application}

Specifies how to show the data:

  • wire - Shows the data on the wire after compression, or encryption.

  • application - Shows the data as the application sees it (not compressed and not encrypted).

-h <Module>

Specifies the Security Gateway by its IP address, or resolvable hostname.

<Key_1> [... [<Key_4>]]

Specifies up to four keys in this format:

-k <Key_Type> [<Key_Attr>] [<Entity_1> ... <Entity_N>]

 

The <Key_Type> can be one of these:

<Value_Column_1> [... [<Value_Column_6>]]

Specifies up to six column values in this format:

-v <Value Type> [<Accumulate Mode>] [<Sort Mode>] [<Direction Filter>] [<Encryption Filter>]

 

  • The <Value Type> can be one of these:

    • ab - Shows application bytes

    • conn - Shows connections

    • pkt - Shows packets

    • session - Shows sessions

    • wb - Shows wire-bytes

 

  • The <Accumulate Mode> can be one of these:

    • If <Value Type>=ab:

      • acc=lineUtil

      • acc=rate (default)

      • acc=sum

    • If <Value Type>=conn:

      • acc=concurrent (default)

      • acc=new

    • If <Value Type>=pkt:

      • acc=rate (default)

      • acc=sum

    • If <Value Type>=session:

      • acc=new

    • If <Value Type>=wb:

      • acc=lineUtil

      • acc=rate (default)

      • acc=sum

 

  • The <Sort Mode> can be one of these:

    • sort=top (default for all views)

    • sort=bottom

    • sort=none (default for specific views)

 

  • The <Direction Filter> can be one of these:

    • dir=in

    • dir=out

    • dir=both (default)

 

  • The <Encryption Filter> can be one of these:

    • enc=yes

    • enc=no

    • enc=both (default)

<Filter>

Specifies the filter that can be one of these:

  • For the atom filter:

    -f <Filter_Type> [not] [<Entity_1> ... <Entity_N>]

  • For the hierarchy filter:

    -f {and | or} [...]

 

The <Filter_Type> can be one of these:

  • connId - Monitors according to a connection ID.

  • dst - Monitors according to a network object (destination only).

  • fgrule - Monitors according to a QoS Policy rule.

  • fwrule - Monitors according to an Access Control Policy rule.

  • interface - Monitors according to an interface.

    Use a comma "," to specify the direction for the interface filter:

    ,{in|out|both}

    Default is both.

  • ip - Monitors according to a network object (source and destination).

  • orientation - Monitors according to connection's direction.

  • src - Monitors according to a network object (source only).

  • svc - Monitors according to a service (for example, http).

  • tunnel - Monitors according to a VPN tunnel.

  • tunnelType - Monitors according to a VPN tunnel type:

    • 0 - reserved

    • 1 - regular

    • 2 - permanent

  • url [<URL_Mode>] - Monitors according to a URL.

    The <URL_Mode> can be one of these:

    • url_mod=full (default)

    • url_mod=host

    • url_mod=host_path

    • url_mod=path

    • url_mod=scheme

    • url_mod=scheme_host

  • wdAttack - Monitors according to web defense attacks.

<Options>

Specifies these options:

  • -e <Export File Name>

    Specifies the path and the name of the file in which the command saves its output.

  • -h <Module>

    Specifies the Security Gateway by its IP address, or resolvable hostname.

    Default is localhost.

  • -i <Interval in Seconds>

    The command runs in a loop and shows the output every specified number of seconds.

    Default is 2 sec.

  • -m {raw | resolve | both}

    Specifies how to resolve the names.

    Default is both.

  • -s {top | bottom | none} [index=<1...6>] [updates=<1...200>]

    Specifies how to sort the output.

    If you specify none, the defaults are:

    index=1 and updates=50.

Notes

  • Use the tilde character "~~" to specify a subrule (rule~~subrule).

    To monitor for the QoS Policy, use: rule~~fgrule

  • The specified entities correspond to the specified grouping option.

    For example, if the monitoring process works according to a service (svc), add all the monitored services, separated by a space.

Examples
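The `-v` value-column syntax above has per-type rules (which accumulate modes each value type accepts, and the defaults for acc, sort, dir and enc). The following Python parser, added here as an illustration and not part of Check Point's tooling, checks an `rtm monitor` command line against those rules before it is run; the sample command line and its key/entity values are constructed for the example, and `session` is assumed to default to `acc=new` because it is the only mode listed.

```python
"""Validate the -v value columns of an 'rtm monitor' command line (added example)."""
import shlex

# Allowed accumulate modes per value type and their defaults, as listed above.
ACC_MODES = {
    "ab": (["lineUtil", "rate", "sum"], "rate"),
    "conn": (["concurrent", "new"], "concurrent"),
    "pkt": (["rate", "sum"], "rate"),
    "session": (["new"], "new"),  # assumed default: only one mode is listed
    "wb": (["lineUtil", "rate", "sum"], "rate"),
}
# Remaining -v modifiers: allowed values and the documented default.
MODIFIERS = {
    "sort": (["top", "bottom", "none"], "top"),
    "dir": (["in", "out", "both"], "both"),
    "enc": (["yes", "no", "both"], "both"),
}

# Constructed sample command line (hypothetical key and services, not from the page).
EXAMPLE = "rtm monitor -k svc http https -v wb acc=sum dir=in -v conn -v pkt sort=bottom"


def parse_value_columns(cmdline):
    """Return one dict per -v column with defaults filled in; raise ValueError on misuse."""
    tokens = shlex.split(cmdline)
    columns, i = [], 0
    while i < len(tokens):
        if tokens[i] != "-v":
            i += 1  # keys (-k), filters (-f) and options are not checked here
            continue
        i += 1
        if i >= len(tokens) or tokens[i] not in ACC_MODES:
            raise ValueError(f"-v needs a value type, got {tokens[i:i + 1]}")
        vtype = tokens[i]
        allowed_acc, default_acc = ACC_MODES[vtype]
        col = {"type": vtype, "acc": default_acc}
        col.update({name: spec[1] for name, spec in MODIFIERS.items()})
        i += 1
        # Consume key=value modifiers until the next option or end of line.
        while i < len(tokens) and "=" in tokens[i] and not tokens[i].startswith("-"):
            key, _, val = tokens[i].partition("=")
            allowed = allowed_acc if key == "acc" else MODIFIERS.get(key, ([], None))[0]
            if val not in allowed:
                raise ValueError(f"{tokens[i]} is not valid for value type {vtype}")
            col[key] = val
            i += 1
        columns.append(col)
    if len(columns) > 6:
        raise ValueError("rtm monitor accepts at most six -v columns")
    return columns


def is_valid(cmdline):
    """True when every -v column on the command line follows the documented rules."""
    try:
        parse_value_columns(cmdline)
        return True
    except ValueError:
        return False
```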