fw ctl conntab

Description

Shows formatted list of current connections from the Connections kernel table (ID 8158).

Use this command if you want to see the simplified information about the current connections.

Best Practices:

Use the "fw ctl conntab" command to see the simplified information about the current connections.
Use the "fw tab -t connections -f" command (fw tab) to see the detailed (and more technical) information about the current connections.

Important:

You can run this command in the Expert mode or in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). (Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish on Scalable Platforms).
On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

Syntax

Important - You can specify many parameters at the same time.

fw ctl conntab {-h | -help}

fw [-d] ctl conntab [-x]

-sip=<Source IP Address in Decimal Format>

-sport=<Port Number in Decimal Format>

-dip=<Destination IP Address>

-dport=<Port Number in Decimal Format>

-proto=<Protocol Number in Decimal Format>

-service=<Name of Service>

-rule=<Rule Number in Decimal Format>

-state=<State>

-type=<Type>

-flags=<Flags>

Parameters

Parameter

Description

-h

-help}

Shows the built-in usage.

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-x

Deletes entries that match the specified filters.

Without this parameter, the command only shows entries that match the specified filters.

-sip=<Source IP Address in Decimal Format>

Filters the output by the specified Source IP address.

Note - The value can be a range of IP addresses:

<IP_address_1>-<IP_address_2>

Examples:

-sip=192.168.3.57

-sip=192.168.3.55-192.168.3.66

-sport=<Port Number in Decimal Format>

Filters the output by the specified Source Port number.

See IANA Service Name and Port Number Registry.

Note - The value can be a range of port numbers:

<port_1>-<port_2>

Examples:

-sport=35598
-sport=33000-33320

-dip=<Destination IP Address in Decimal Format>

Filters the output by the specified Destination IP address.

Note - The value can be a range of IP addresses:

<IP_address_1>-<IP_address_2>

Examples:

-dip=192.168.3.57
-dip=192.168.3.55-192.168.3.66

-dport=<Port Number in Decimal Format>

Filters the output by the specified Destination Port number.

See IANA Service Name and Port Number Registry.

Note - The value can be a range of port numbers:

<port_1>-<port_2>

Examples:

-dport=80
-dport=80-88

-proto=<Protocol Number in Decimal Format>

Filters the output by the specified Protocol number.

See IANA Protocol Numbers.

Notes:

For the protocols TCP, UDP, and ICMP, you can also specify the protocol name in all lowercase letters (tcp, udp, icmp) or all uppercase letters (TCP, UDP, ICMP).
For protocols other than TCP, UDP, and ICMP, you must specify the protocol number.

Examples:

-proto=6

-proto=TCP

Filters the output for TCP.
-proto=11

-proto=UDP

Filters the output for UDP.
-proto=1

-proto=ICMP

Filters the output for ICMP.

-service=<Name of Service>

Filters the output by the specified Service name.

Notes:

You must use the string that appears in the output of this command "fw ctl conntab" or the service name that appears in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..
You can also use the service number that appears in the output of this command "fw ctl conntab".

Examples:

-service=http
-service=https
-service=391

-rule=<Rule Number in Decimal Format>

See your Access Control Policy in SmartConsole, or in the output of the command.

Note - The value can be a range of rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. numbers:

<rule_1>-<rule_2>

Examples:

-rule=1
-rule=5-8

-state=<State>

Filters the output by the specified TCP State:

-state=SYN_SENT

Filters the output for TCP connections with SYN.
-state=SYN_ACK

Filters the output for TCP connections with SYN-ACK.
-state=ESTABLISHED

Filters the output for established TCP connections.
-state=SRC_FIN

Filters the output for TCP connections with SYN-FIN from a source.
-state=DST_FIN

Filters the output for TCP connections with SYN-FIN from a destination.
-state=BOTH_FIN

Filters the output for TCP connections with SYN-FIN from both a source and a destination.

Notes:

You can specify the value in all lowercase letters or all uppercase letters.
The parameter "-state" is not supported together with the parameters "-type" or "-flags".

-type=<Type>

Filters the output by the specified Connection Type bitmask.

Note - The parameter "-type" is not supported together with the parameter "-state".

To see the Connection Type bitmask value of a connection entry:

Run:

fw tab -u -t connections

Immediately after the tuple, after the semi-colon, refer to the first value.

In sk65133, this value is denoted as "R_CTYPE".

You must specify Type bitmask in this format:

-type=0x<Bits to Select>/0x<Value of 'R_CTYPE'>

Where:

0x<Value of 'R_CTYPE'>

Specifies the "r_ctype" value of a connection entry.
0x<Bits to Select>

Specifies the bits that should be selected out of the "R_CTYPE" value.

-type=<Flags>

Filters the output by the specified Connection Flag bitmask.

Note - The parameter "-flags" is not supported together with the parameter "-state".

To see the Connection Flag bitmask value of a connection entry:

Run:

fw tab -u -t connections

Immediately after the tuple, after the semi-colon, refer to the second value.

In sk65133, this value is denoted as "R_CFLAGS".

You must specify Type bitmask in this format:

-type=0x<Bits to Select>/0x<Value of 'R_CFLAGS'>

Where:

0x<Value of 'R_CFLAGS'>

Specifies the "R_CFLAGS" value of a connection entry.
0x<Bits to Select>

Specifies the bits that should be selected out of the "r_ctype" value

Examples

Example 10 - Formatted detailed output from the Connections table (for comparison)

[Expert@MyGW:0]# fw tab -t connections -f

Formatting table's data - this might take a while...

localhost:

Date: Sep 10, 2018

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 54201; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: -1; Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 54201; Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 54201; Dest_1: 192.168.204.1; DPort_1: 53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 54201; Protocol: tcp; CPTFMT_sep_1: ->; Direction_2: 0; Source_2: 192.168.204.1; SPort_2: 54201; Dest_2: 192.168.204.40; DPort_2: 22; Protocol_2: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 54201; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires: 3596/3600; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 44966; Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 44966; Dest_1: 192.168.204.1; DPort_1: 53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 44966; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

[Expert@MyGW:0]#