fw tab

Description

Shows data from the specified Security Gateway kernel tables.

This command also changes the content of dynamic kernel tables. You cannot change the content of static kernel tables.

Kernel tables (also known as State tables) store data that the Firewall and other Software Blades use to inspect packets. These kernel tables are a critical component of Stateful Inspection.

Best Practices:

  • Use the "fw tab -t connections -f" command to see the detailed (and more technical) information about the current connections in the Connections kernel table (ID 8158).

  • Use the fw ctl conntab command to see the simplified information about the current connections in the Connections kernel table (ID 8158).

Syntax

fw [-d] tab

      {-h | -help}

      [-v] [-t <Table>] [-c | -s] [-f] [-z] [-o <Output File>] [-r] [-u | -m <Limit>] [-a -e "<Entry>"] [ -x [-e "<Entry>"]] [-y] [<Name of Object>]

Parameters

Parameter

Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

{-h | -help}

Shows the built-in usage.

-t <Table>

Specifies the kernel table by its name or unique ID.

To see the names and IDs of the available kernel tables, run:

fw tab -s

Because the output of this command is very long, we recommend redirecting it to a file. For example:

fw tab -s > /tmp/output.txt

-a -e "<Entry>"

Adds the specified entry to the specified kernel table.

If a kernel table has the expire attribute, when you add an entry with the "-a -e <Entry>" parameter, the new entry gets the default table timeout.

You can use this parameter only on the local Security Gateway.

Warning - If you add a wrong entry, you can make your Security Gateway unresponsive.

-c

Shows formatted kernel table data in the common format. This is the default.

-e "<Entry>"

Specifies the entry in the kernel table.

Important - Each kernel table has its own internal format.

-f

Shows formatted kernel table data. For example, shows:

  • All IP addresses and port numbers in the decimal format.

  • All dates and times in human readable format.

Note - Each table can use a different style.

Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.

-o <Output File>

Saves the output in the specified file in the CL format as a Check Point Firewall log.

You can later open this file with the fw log command.

If you do not specify the full path explicitly, this command saves the output file in the current working directory.

-m <Limit>

Specifies the maximal number of kernel table entries to show.

This command counts the entries from the beginning of the kernel table.

-r

Resolves IP addresses in the formatted output.

-s

Shows a short summary of the kernel table data.

-u

Specifies to show an unlimited number of kernel table entries.

Important - If the specified kernel table is large, this consumes a large amount of RAM. This can make your Security Gateway unresponsive.

-v

Shows the CoreXL Firewall instance number as a prefix for each line.

-x [-e <Entry>]

Deletes all entries or the specified entry from the specified kernel table.

You can use this parameter only on the local Security Gateway.

Warning - If you delete a wrong entry, you can break the current connections through your Security Gateway. This includes the remote SSH connection.

-y

Specifies not to show a prompt before Security Gateway executes a command.

For example, this applies to the parameters "-a" and "-x".

-z

In the Connections table (ID 8158) shows only connections in Slow Path (F2F) and the reason why acceleration is not possible for each connection.

These are connections that SecureXL cannot accelerate and forwards to the Firewall.

See the corresponding example (with the legend) below.

<Name of Object>

Specifies the name of the Security Gateway or Cluster Member object (as defined in SmartConsole), from which to show the information. Use this parameter only on the Management Server.

This requires the established SIC (Secure Internal Communication) with that Check Point computer.

If you do not use this parameter, the default is localhost.

Example 1 - Show the summary of all kernel tables

[Expert@MyGW:0]# fw tab -s
HOST                  NAME                                ID #VALS #PEAK #SLINKS
localhost             vsx_firewalled                       0     1     1       0
localhost             firewalled_list                      1     2     2       0
localhost             external_firewalled_list             2     0     0       0
localhost             management_list                      3     2     2       0
localhost             external_management_list             4     0     0       0
localhost             log_server_list                      5     0     0       0
localhost             ips1_sensors_list                    6     0     0       0
localhost             all_tcp_services                     7   141   141       0
localhost             tcp_services                         8     1     1       0
... ...
localhost             connections                       8158     2    56       2
... ...
localhost             up_251_rule_to_clob_uuid         14083     0     0       0
... ...
localhost             urlf_cache_tbl                      29     0     0       0
localhost             proxy_outbound_conn_tbl             30     0     0       0
localhost             dns_cache_tbl                       31     0     0       0
localhost             appi_referrer_table                 32     0     0       0
localhost             uc_hits_htab                        33     0     0       0
localhost             uc_cache_htab                       34     0     0       0
localhost             uc_incident_to_instance_htab        35     0     0       0
localhost             fwx_cntl_dyn_ghtab                  36     0     0       0
localhost             frag_table                          37     0     0       0
localhost             dos_blacklist_notifs                38     0     0       0
[Expert@MyGW:0]#

Example 2 - Show the raw data from the Connections table

[Expert@MyGW:0]# fw tab -t connections
localhost:
-------- connections --------
dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1, 00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800, 000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 1996/3600> 
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006> (00000805)
<00000000, c0a8cc01, 0000c9f6, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1, 00000000, 5b9679de, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800, 000f9000, 00000080, 00000000, 00000000, 38edaa98, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3597/3600> 
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000c9f6, 00000006> -> <00000000, c0a8cc01, 0000c9f6, c0a8cc28, 00000016, 00000006> (00000805)
[Expert@MyGW:0]#

Example 3 - Show the formatted data from the Connections table

[Expert@MyGW:0]# fw tab -t connections -f
 Using cptfmt
Formatting table's data - this might take a while...
 
localhost:
 Date: Sep 10, 2018
 20:30:48 5 N/A  N/A    192.168.204.40 > N/A  LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv;  : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
 
 20:30:48 5 N/A  N/A    192.168.204.40 > N/A  LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 55411; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: 0000780000000000; Expires: 2/40; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
 
 20:30:48 5 N/A  N/A    192.168.204.40 > N/A  LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53901; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires: 2002/3600; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
 
 20:30:48 5 N/A  N/A    192.168.204.40 > N/A  LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 53901; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 192.168.204.1; SPort_1: 53901; Dest_1: 192.168.204.40; DPort_1: 22; Protocol_1: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
 
 20:30:48 5 N/A  N/A    192.168.204.40 > N/A  LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 51702; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires: 3600/3600; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
 
 20:30:48 5 N/A  N/A    192.168.204.40 > N/A  LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 51702; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 192.168.204.1; SPort_1: 51702; Dest_1: 192.168.204.40; DPort_1: 22; Protocol_1: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
 
 20:30:48 5 N/A  N/A    192.168.204.40 > N/A  LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 55411; Protocol: udp; CPTFMT_sep_1: ->; Direction_2: 1; Source_2: 192.168.204.40; SPort_2: 55411; Dest_2: 192.168.204.1; DPort_2: 53; Protocol_2: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
[Expert@MyGW:0]#

Example 4 - Show only two entries from the Connections table

[Expert@MyGW:0]# fw tab -t connections -m 2
localhost:
-------- connections --------
dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1, 00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800, 000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 1961/3600> 
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006> (00000805)
...(4 More)
[Expert@MyGW:0]#

Example 5 - Show the raw data from the Connections table and show the IDs of CoreXL Firewall instances for each entry

[Expert@MyGW:0]# fw tab -t 8158 -v
localhost:
-------- connections --------
dynamic, id 8158, num ents 6, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
[fw_0] <00000001, c0a80335, 00004710, c0a803f0, 00008652, 00000006> -> <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006> (00000805)
[fw_0] <00000001, c0a80335, 00008adf, c0a803f0, 0000470f, 00000006; 0002d001, 00046000, 10000000, 0000000e, 00000000, 5b9a4129, 00030000, 3503a8c0, c0000000, ffffffff, ffffffff, 00000001, 00000001, 00000800, 00000000, 80008080, 00000000, 00000000, 338ea330, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3162/3600> 
[fw_0] <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000, 0000000f, 00000000, 5b8fed6a, 00030001, 3503a8c0, c0000000, 00000001, 00000001, ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 337b0978, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3599/3600> 
[fw_0] <00000000, c0a803f0, 0000470f, c0a80335, 00008adf, 00000006> -> <00000001, c0a80335, 00008adf, c0a803f0, 0000470f, 00000006> (00000806)
[fw_0] <00000001, c0a80334, 00004710, c0a803f0, 0000a659, 00000006> -> <00000000, c0a803f0, 0000a659, c0a80334, 00004710, 00000006> (00000805)
[fw_0] <00000000, c0a803f0, 0000a659, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000, 0000000f, 00000000, 5b8feabb, 0000007a, 3403a8c0, c0000000, ffffffff, ffffffff, ffffffff, ffffffff, 00000000, 10000000, 04000080, 00000000, 00000000, 3364aed0, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3484/3600> 
[fw_1] <00000001, c0a80334, 00004710, c0a803f0, 0000bc74, 00000006> -> <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006> (00000805)
[fw_1] <00000001, c0a80335, 00000016, ac14a810, 0000e056, 00000006> -> <00000000, ac14a810, 0000e056, c0a80335, 00000016, 00000006> (00000805)
[fw_1] <00000000, ac14a810, 0000e056, c0a80335, 00000016, 00000006; 0001c001, 00044000, 00000003, 000001df, 00000000, 5b9a3832, 00030000, 3503a8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 33410370, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3600/3600> 
[fw_1] <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000, 0000000f, 00000000, 5b8fe89b, 00000001, 3403a8c0, c0000001, ffffffff, ffffffff, ffffffff, ffffffff, 00000000, 10000000, 04000080, 00000000, 00000000, 335841e0, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3600/3600> 
[fw_2] <00000000, c0a803f0, 0000ab74, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000, 0000000f, 00000000, 5b8fed7e, 00030000, 3503a8c0, c0000002, 00000001, 00000001, ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 33337660, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3556/3600> 
[fw_2] <00000001, c0a80335, 00004710, c0a803f0, 0000ab74, 00000006> -> <00000000, c0a803f0, 0000ab74, c0a80335, 00004710, 00000006> (00000805)
[fw_2] <00000001, c0a80335, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011> (00000805)
[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000, 00000003, 00000028, 00000000, 5b8fed76, 00030000, 3503a8c0, c0000002, 00000001, ffffffff, ffffffff, ffffffff, 00000800, 08000000, 00000084, 00000000, 00000000, 336d4e30, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 38/40> 
[fw_2] <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011; 00010001, 00004100, 00000003, 00000028, 00000000, 5b8fed72, 0000025f, 3403a8c0, c0000002, ffffffff, ffffffff, ffffffff, ffffffff, 00000000, 10000000, 04000084, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 39/40> 
[fw_2] <00000001, c0a80334, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011> (00000805)
Table fetched in 3 chunks
[Expert@MyGW:0]#
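
The raw entries in Examples 2, 4 and 5 can be decoded offline instead of running "-f" on a large table on the gateway. The following Python parser is an added example, not Check Point code: the function names are hypothetical, and the meaning of the six key fields (direction, source IP, source port, destination IP, destination port, IP protocol) is an assumption inferred by comparing the raw output of Example 2 with the formatted output of Example 3. It handles IPv4 entries of the Connections table only and leaves the value fields after the first semicolon undecoded.

```python
import ipaddress
import re

# Constructed sample: lines taken from Examples 2 and 5 above, with the
# undecoded value fields shortened to three words each.
SAMPLE = """\
-------- connections --------
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002; 1996/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006> (00000805)
[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000, 00000003; 38/40>
"""

PROTOCOLS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}  # IP protocol numbers
INSTANCE = re.compile(r"^\[(fw_\d+)\]\s*")               # prefix added by -v
TUPLE = re.compile(r"<([^<>]*)>")
SYMVAL = re.compile(r"\(([0-9a-fA-F]+)\)\s*$")


def decode_key(field):
    """Decode the six hex key words (assumed layout, see lead-in)."""
    words = [w.strip() for w in field.split(",")]
    if len(words) != 6:
        raise ValueError("expected 6 key fields, got %d" % len(words))
    direction, src, sport, dst, dport, proto = (int(w, 16) for w in words)
    return {
        "direction": direction,
        "src": str(ipaddress.IPv4Address(src)),
        "sport": sport,
        "dst": str(ipaddress.IPv4Address(dst)),
        "dport": dport,
        "proto": PROTOCOLS.get(proto, str(proto)),
    }


def parse_line(line):
    """Return a dict for one raw entry, or None for header and prompt lines."""
    line = line.strip()
    inst = INSTANCE.match(line)
    if inst:
        line = line[inst.end():]
    tuples = TUPLE.findall(line)
    if not tuples:
        return None
    sections = [s.strip() for s in tuples[0].split(";")]
    try:
        entry = decode_key(sections[0])
        entry["instance"] = inst.group(1) if inst else None
        if len(tuples) == 2 and "->" in line:
            # Link entry: the second tuple is the key of the real entry.
            entry["kind"] = "link"
            entry["target"] = decode_key(tuples[1])
            sym = SYMVAL.search(line)
            entry["symval"] = int(sym.group(1), 16) if sym else None
        else:
            entry["kind"] = "connection"
            # Trailing decimal "N/M" pair, shown by -f as "Expires".
            left, _, total = sections[-1].partition("/")
            entry["expires"] = (int(left), int(total)) if total else None
    except ValueError:
        return None  # not a raw Connections entry (for example -f output)
    return entry


def parse_table(text):
    """Parse saved 'fw tab -t connections' output, skipping non-entry lines."""
    return [e for e in map(parse_line, text.splitlines()) if e]
```

The decoded first entry matches the formatted record in Example 3 (Source 192.168.204.1, SPort 53901, DPort 22, tcp), and the link entry's value 0x805 matches the "FW_symval: 2053" shown there.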

Example 6 - Show only Slow Path (F2F) entries from the Connections table

[Expert@MyGW:0]# fw tab -t connections -z
Dir  Source IP        SPort  Destination IP   DPort  PR  FW State         Expires        SXL ID  Reason                            Total Pkts  Total Bytes  Duration    Last Seen
---  ---------------  -----  ---------------  -----  --  ---------------  -------------  ------  --------------------------------  ----------  -----------  ----------  -----------
1    172.23.7.34      60660  172.23.39.5      53     17  UDP              3/40           N/A     Local connection                  2           601B         37s         37s
1    172.23.7.34      22     172.20.38.105    65509  6   Link
0    172.20.38.105    64285  172.23.7.34      22     6   TCP Estab.       3600/3600      N/A     Local incoming connection         192         20.16KB      38s         0s
0    172.23.7.86      67     255.255.255.255  68     17  UDP              30/40          N/A     Local incoming connection         556         178.09KB     107h58m33s  9s
0    172.20.38.105    65509  172.23.7.34      22     6   TCP Estab.       1990/3600      N/A     Local incoming connection         122         27.15KB      107h58m27s  107h53m54s
0    0.0.0.0          0      224.0.0.1        0      2   IGMP             21/60          N/A     Local incoming connection         1           36B          107h27m43s  107h27m43s
1    172.23.7.34      22     172.20.38.105    64285  6   Link
0    172.23.39.5      53     172.23.7.34      60660  17  Link
0    172.23.39.5      53     172.23.7.34      60048  17  Link
1    172.23.7.34      18192  172.23.7.32      47062  6   Link
0    172.20.38.105    64286  172.23.7.34      22     6   TCP Estab.       3567/3600      N/A     Local incoming connection         44          10.58KB      33s         33s
0    172.23.7.32      47062  172.23.7.34      18192  6   TCP Estab.       3591/3600      N/A     Local incoming connection         40          12.57KB      9s          9s
1    172.23.7.34      60048  172.23.39.5      53     17  UDP              2/40           N/A     Local connection                  2           602B         38s         38s
1    172.23.7.34      22     172.20.38.105    64286  6   Link
1    172.23.7.34      52786  172.23.39.5      53     17  UDP              2/40           N/A     Local connection                  2           553B         38s         38s
[Expert@MyGW:0]#