connview

Description

A tool for advanced troubleshooting that shows information about the current connections through the Security Gateway that works in the User Space Firewall (USFW, see sk167052).

This tool shows the consolidated information about connections from various Check Point modules that processed these connections (Firewall, Streaming, Parsers, Connection Tracker, and so on).

This tool gets the data about connections from all CoreXL Firewall instances in parallel, and in small quick chunks, so the packet flow is not blocked.

Notes:

  • You can run this command in Gaia Clish or in the Expert mode.

  • On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

  • On a VSNext Gateway / Legacy VSX Gateway, you must run this command in the context of the applicable Virtual Gateway / Virtual System:

    vsenv <ID>

  • You can also run the corresponding Gaia API command.

    See one of these Gaia API References:

    • Online Check Point Gaia API Reference v1.8 and higher - section "Diagnostics" > section "Connections" > command "show-connections".

    • Local Gaia API Reference (v1.8 and higher) on your Gaia server:

      https://<IP Address of Gaia Server>/gaia_docs/#web/show-connections

  • This tool saves its logs in the $FWDIR/log/connview.elg file.

    In addition, refer to log entries "connview" in the $FWDIR/log/fwk.elg file.

Syntax for Gaia Clish

show connview [{summary | history | verbose}]

Syntax for the Expert mode

[Expert@GW:0]# connview {-h | -? | --help}

[Expert@GW:0]# connview --usage

[Expert@GW:0]# connview <Parameter> [{summary | verbose | history}]

Parameters

Parameter

Description

-h

-?

--help

Shows the complete built-in help.

--usage

Shows the shortened built-in help.

--adv-filter=<Component>:<Field>=<Value>

Filters the connections by the value of a specific field in a reporting component (Conn Stats, PSL, MUX, WS, and so on).

For the full list, run:

connview --adv-filter -h

Example for querying the component "Conn Stats", whose field "Is Heavy Conn" contains the value "Yes":

connview --adv-filter=conn_stats:is_heavy_conn=yes

-c <Component1>,<Component2>,...,<ComponentN>

--component=<Component1>,<Component2>,...,<ComponentN>

Filters the connections by the specified components (Conn Stats, PSL, MUX, WS, and so on).

For the full list, run:

connview -c -h

Example for querying the components "Application Control" and "HTTPS Inspection":

connview -c application_control,httpsi

--src=<IP Address>

Filters the connections by the specified source IP address.

--src-port=<Port Number>

Filters the connections by the specified source port number.

See IANA Service Name and Port Number Registry.

--dst=<IP Address>

Filters the connections by the specified destination IP address.

--dst-port=<Port Number>

Filters the connections by the specified destination port number.

See IANA Service Name and Port Number Registry.

--format={text | json}

Specifies the output format - text (default) or JSON.

--ip-prot=<Protocol Number>

Filters the connections by the specified protocol number.

See IANA Protocol Numbers.

--ip-ver={v4 | v6}

Filters the connections by the specified IP version - IPv4 or IPv6.

By default, this tool shows IPv4 and IPv6 connections.

-i <ID1>,<ID2>,...<IDn>

--instance-id=<ID1>,<ID2>,...<IDn>

Filters the connections by the specified CoreXL Firewall instances.

To see the IDs of CoreXL Firewall instances, run:

fw ctl multik stat

fw6 ctl multik stat

-m {all | <Number>}

--max-results={all | <Number>}

Specifies how many connections to show for each CoreXL Firewall instance, counting from the first connection.

  • The value "all" shows all connections.

    May increase memory and CPU load.

  • Default: 5 connections for each CoreXL Firewall instance.

-p <Preset1>,<Preset2>,...,<PresetN>

--preset=<Preset1>,<Preset2>,...,<PresetN>

Applies a predefined configuration to this command to run a predefined syntax for various query scenarios.

For the full list, run:

connview -p -h

Example for querying the presets for "conn_keys" and "heavy":

connview -p conn_keys,heavy

--vs={all | <ID>}

Filters the connections by the specified virtual context ID.

If you do not specify this parameter, this tool shows the data only for the current virtual context.

  • In the VSNext mode:

    Filters the connections by the specified Virtual Gateway ID.

    To see the IDs of Virtual Gateways, run one of these:

    • In Gaia Clish:

      show vsnext overview virtual-systems

    • Gaia API:

      show-virtual-gateways

  • In the Traditional VSX mode:

    Filters the connections by the specified Virtual System ID.

    To see the IDs of Virtual Systems, run one of these:

    • In the Expert mode:

      vsx stat -v

      vsx stat -l

    • In Gaia Clish:

      show virtual-system all

{summary | verbose | history}

Optional. Specifies the output verbosity:

  • summary

    Shows only a short summary.

  • verbose

    Shows all information.

  • history

    Shows the history information (collected by the tp_collector_cli tool).

    The "Event Report Time" is the time when the record was last updated.

    Usually, a record is updated at the end (or close to the end) of the connection.

    The history information is limited by the data files $FWDIR/log/tp_collector.dat (by default, a maximum of 10 files, 20 MB each file, updated cyclically).

Example 1 - Verbose output (this is the default level)

[Expert@GW:0]# connview

... ... ...

Connection Key: 192.168.22.33:42516 -> 172.16.44.55:80 IPP 6
Instance: 12
Conn Stats
        Create Time: 2024-09-13 12:12:09        Last Packet Time: 2024-09-13 12:12:09
        Is Accelerated: Yes                     Reason: Failed to get native SXL device
        Is Fast Accel: No                       Is Heavy Conn: No
        Total Packets: 3                        Total Bytes: 132
        CPU Util.
                FW Instance Load: 0%    PPE WT Load: 0%
PSL
        Path: Pipeline processing       Flags: 0x4005301
        InZone: INTERNAL_ZONE           OutZone: INTERNAL_ZONE
        C2S Side
                TCP State
                        State: PSL_TCP_ESTABLISHED      Number of segments: 0
                        Hold: 0                         Side flags: 0x124
        S2C Side
                TCP State
                        State: PSL_TCP_ESTABLISHED      Number of segments: 0
                        Hold: 0                         Side flags: 0x20
        Application info
                MUX_PASSIVE Flags: 0x13
MUX
        Mux opaque: 0x7fb0066a2c08
        Info
                Streaming Mode: PSL     Num of registered apps: 3
                Ref count: 2            Mux state flags: VM_CONN_WAS_SET, INSPECT_C2S, INSPECT_S2C
                PPE
                        Inflight messages: 0    PSL jobs: 0
                        PM jobs: 0              MD5 jobs: 0
                        CIFS jobs: 0
                Bytes Stats
                        S2C Pending data: No    C2S Pending data: No
                        Read bytes: 0           Write bytes: 0
                        Skip bytes: 0           Pending bytes: 0
                Apps
                        PARSERS_IS
                                C2S byte skip: 0        S2C byte skip: 0
                                Read bytes: 0           Write bytes: 0
                                App flags: INSPECT_BOTH
                        WS
                                C2S byte skip: 0        S2C byte skip: 0
                                Read bytes: 0           Write bytes: 0
                                App flags: INSPECT_BOTH
                        ADVP
                                C2S byte skip: 0        S2C byte skip: 0
                                Read bytes: 0           Write bytes: 0
                                App flags: INSPECT_BOTH
WS
        Packets counter: 0                      Connection type: 0
        Apps in exception: 35184372086772
ADVP
        Opaque: 0x7fb006b0e988  Flags: 0x84
        Contexts Status
                Is C2S HS Context Active: Yes   Is S2C HS Context Active: Yes
                Is C2S RAW Context Active: No   Is S2C RAW Context Active: No
                Is C2S DATA Context Active: Yes Is S2C DATA Context Active: No
        Client Stream
                Packet Index: 0 Stream Length: 0
        Server Stream
                Packet Index: 0 Stream Length: 0
Policy Info
        Access rulebase
                Matched Access Rule number: 1
Connection Tracker
        Flags: 0        Resource: N/A
        | TS                  | Point ID                              | Severity | Opaque |
        ------------------------------------------------------------------------------------
        | 2024-09-13 12:12:09 | Connection created from template      | INFO     | 0      |
        | 2024-09-13 12:12:09 | cpxl_chain_handler                    | INFO     | 0      |
        | 2024-09-13 12:12:09 | PSL in Pipeline Processing path       | INFO     | 0      |
        | 2024-09-13 12:12:09 | OSP: Will calculate backup member now | INFO     | 0      |
        | 2024-09-13 12:12:09 | cpxl_chain_handler                    | INFO     | 0      |
        | 2024-09-13 12:12:09 | PSL in Pipeline Processing path       | INFO     | 0      |
        | 2024-09-13 12:12:12 | OSP: Will calculate backup member now | INFO     | 0      |
        | 2024-09-13 12:12:12 | OSP: Will calculate backup member now | INFO     | 0      |

... ... ...
[Expert@GW:0]#

Example 2 - Summary output

[Expert@GW:0]# connview summary
Conn Stats
        Total Connections: 5031 Total Heavy Connections: 0
MUX
        Total connections: 2074         Accelerated pipeline path connections: 1710
        Medium path connections: 0      Slow path connections: 364
[Expert@GW:0]#

Example 3 - History output (limited to 2 connections)

[Expert@GW:0]# connview -m 2 history

Connection Key: 192.168.22.33:27363 -> 172.16.44.55:53 IPP 17
Instance: 0
Event Report Time: 09/12 10:15:44
Session: 0
MALWARE_RES_REP
        Context: 202                    RAD Cache Miss: Yes
        RAD Timeout: 10:15:44           Rad Query Failure: Yes
        Session ended with error: Yes   url: www.somedomainname.com

Connection Key: 192.168.22.34:27351 -> 172.16.44.55:53 IPP 17
Instance: 9
Event Report Time: 09/12 10:15:44
Session: 0
MALWARE_RES_REP
        Context: 202                    RAD Cache Miss: Yes
        RAD Timeout: 10:15:44           Rad Query Failure: Yes
        Session ended with error: Yes   url: www.somedomainname.com

[Expert@GW:0]#
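
Added example (not part of the Check Point documentation): a Python parser for the text layout shown in "Example 3 - History output", used to count RAD query failures per source IP address. The function names are illustrative. It assumes the IPv4 key layout shown above and that fields on one line are separated by tabs or by two or more spaces. It does not model the nested subsections of the verbose output, and it does not use --format=json because this page does not show the JSON schema.

```python
import re
from collections import Counter

# Constructed sample: record layout copied from "Example 3 - History output".
RECORD = """\
Connection Key: {src} -> 172.16.44.55:53 IPP 17
Instance: {inst}
Event Report Time: 09/12 10:15:44
Session: 0
MALWARE_RES_REP
        Context: 202                    RAD Cache Miss: Yes
        RAD Timeout: 10:15:44           Rad Query Failure: Yes
        Session ended with error: Yes   url: www.somedomainname.com

"""
SAMPLE = (RECORD.format(src="192.168.22.33:27363", inst=0)
          + RECORD.format(src="192.168.22.34:27351", inst=9) + "[Expert@GW:0]#\n")

KEY_RE = re.compile(r"^Connection Key: (\S+):(\d+) -> (\S+):(\d+) IPP (\d+)$")

def parse_connview(text):
    """Return one dict per connection; fields are keyed by (component, name)."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            rec = {"src": m[1], "src_port": int(m[2]), "dst": m[3],
                   "dst_port": int(m[4]), "ip_prot": int(m[5]), "fields": {}}
            records.append(rec)
            section = None
        elif rec is not None and line.strip():
            indented = line[0] in " \t"
            if not indented and ":" not in line:
                section = line.strip()  # component header, e.g. MALWARE_RES_REP
                continue
            # Assumption: cells on one line are separated by tabs or 2+ spaces.
            for cell in re.split(r"\t+| {2,}", line.strip()):
                # Split on the first ": " only, so "10:15:44" stays one value.
                name, sep, value = cell.partition(": ")
                if sep:
                    rec["fields"][(section if indented else None, name)] = value
    return records

def rad_failures_by_source(records):
    """Count history records per source IP whose RAD query failed."""
    return Counter(r["src"] for r in records
                   if r["fields"].get(("MALWARE_RES_REP", "Rad Query Failure")) == "Yes")
```

To use it on a gateway, save the output of connview -m all history to a file and pass the file contents to parse_connview().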