fw ctl conntab

Description

Shows formatted list of current connections from the Connections kernel table (ID 8158).

Use this command if you want to see the simplified information about the current connections.

Best Practices:

Use the "fw ctl conntab" command to see the simplified information about the current connections.
Use the "fw tab -t connections -f" command (fw tab) to see the detailed (and more technical) information about the current connections.

Important:

You can run this command in the Expert mode or in Gaia Clish (Gaia gClish on Scalable Platforms).
On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must connect to the Gaia Portal of the applicable Security Group.

Syntax

Important - You can specify many parameters at the same time.

fw ctl conntab {-h | -help}

fw [-d] ctl conntab [-x]

-sip=<Source IP Address in Decimal Format>

-sport=<Port Number in Decimal Format>

-dip=<Destination IP Address>

-dport=<Port Number in Decimal Format>

-proto=<Protocol Number in Decimal Format>

-service=<Name of Service>

-rule=<Rule Number in Decimal Format>

-state=<State>

-type=<Bitmask for 'R_CTYPE'>

-flags=<Bitmask for 'R_CFLAGS'>

Parameters

Parameter

Description

-h

-help

Shows the built-in usage.

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

-x

Deletes entries that match the specified filters.

Without this parameter, the command only shows entries that match the specified filters.

-sip=<Source IP Address in Decimal Format>

Filters the output by the specified Source IP address.

Note - The value can be a range of IP addresses:

<IP_address_1>-<IP_address_2>

Examples:

-sip=192.168.3.57

-sip=192.168.3.55-192.168.3.66

-sport=<Port Number in Decimal Format>

Filters the output by the specified Source Port number.

See IANA Service Name and Port Number Registry.

Note - The value can be a range of port numbers:

<port_1>-<port_2>

Examples:

-sport=35598
-sport=33000-33320

-dip=<Destination IP Address in Decimal Format>

Filters the output by the specified Destination IP address.

Note - The value can be a range of IP addresses:

<IP_address_1>-<IP_address_2>

Examples:

-dip=192.168.3.57
-dip=192.168.3.55-192.168.3.66

-dport=<Port Number in Decimal Format>

Filters the output by the specified Destination Port number.

See IANA Service Name and Port Number Registry.

Note - The value can be a range of port numbers:

<port_1>-<port_2>

Examples:

-dport=80
-dport=80-88

-proto=<Protocol Number in Decimal Format>

Filters the output by the specified Protocol number.

See IANA Protocol Numbers.

Notes:

For the protocols TCP, UDP, and ICMP, you can also specify the protocol name in all lowercase letters (tcp, udp, icmp) or all uppercase letters (TCP, UDP, ICMP).
For protocols other than TCP, UDP, and ICMP, you must specify the protocol number.

Examples:

-proto=6

-proto=TCP

Filters the output for TCP.
-proto=11

-proto=UDP

Filters the output for UDP.
-proto=1

-proto=ICMP

Filters the output for ICMP.

-service=<Name of Service>

Filters the output by the specified Service name.

Notes:

You must use the string that appears in the output of this command "fw ctl conntab" or the service name that appears in SmartConsole.
You can also use the service number that appears in the output of this command "fw ctl conntab".

Examples:

-service=http
-service=https
-service=391

-rule=<Rule Number in Decimal Format>

See your Access Control Policy in SmartConsole, or in the output of the command.

Note - The value can be a range of rule numbers:

<rule_1>-<rule_2>

Examples:

-rule=1
-rule=5-8

-state=<State>

Filters the output by the specified TCP State:

-state=SYN_SENT

Filters the output for TCP connections with SYN.
-state=SYN_ACK

Filters the output for TCP connections with SYN-ACK.
-state=ESTABLISHED

Filters the output for established TCP connections.
-state=SRC_FIN

Filters the output for TCP connections with SYN-FIN from a source.
-state=DST_FIN

Filters the output for TCP connections with SYN-FIN from a destination.
-state=BOTH_FIN

Filters the output for TCP connections with SYN-FIN from both a source and a destination.

Notes:

You can specify the value in all lowercase letters or all uppercase letters.
The parameter "-state" is not supported together with the parameter "-type" or "-flags".

-type=0x<Value>/0x<Bitmask>

Filters the output by the specified Connection "Type" bitmask for the "R_CTYPE" number that is described in sk65133:

"R_CTYPE" is a set of independent 8 hexadecimal digits that represent IP compression, TCP state, VPN information, and VPN mode.
In "R_CTYPE", each hexadecimal digit is between 0 and F and is represented by 4 binary digits between 0000 and 1111.

In the syntax "-type=0x<Value>/0x<Bitmask>":

0x<Value>

Specifies the binary digits that must be set ("1") or that must not be set ("0") in the binary digits that you examine in the "R_CTYPE" number.

You must convert the required set of binary digits to the hexadecimal format.
0x<Bitmask>

Specifies the binary digits to examine in the "R_CTYPE" number.

You must convert the required set of binary digits to the hexadecimal format.

Procedure:

Get all current connections:

fw tab -u -t connections > /var/log/fw_tab_connections.txt

In the applicable connections, immediately after the tuple, after the semi-colon, refer to the first number.

In sk65133, this number is denoted as "R_CTYPE".

Select the relevant connections:

fw ctl conntab -type=0x<Value>/0x<Bitmask>

Notes:

You can specify the hexadecimal digits in all lowercase letters or all uppercase letters.
The parameter "-type" is not supported together with the parameter "-state".

Example 1 for "-type":

The "R_CTYPE" number "XX0XXXX(0001)_bin" = "XX0XXXX(1)_hex" means:

The connection is not inside a VPN community.
The connection is not encrypted.

Algorithm:

In a given "R_CTYPE" number "XXXXXXXX", it is necessary to examine the 8th hexadecimal digit from the left (to examine its 4 binary bits):

"XXXXXXX(X)_hex" = "XXXXXXX(XXXX)_bin"
Therefore, in "0x<Bitmask>" we must use "1111"_bin = "F"_hex.
To take into account only the first binary digit (from the right) in these four binary digits, in "0x<Value>" we must use "0001"_bin = "1"_hex.

Therefore, this is the final syntax that selects all connections that are not encrypted:

fw ctl conntab -type=0x00000001/0x0000000F

Example 2 for "-type":

The "R_CTYPE" number "XX0(1)_hexXXXX" = "XX0(0001)_binXXXX" means the direction of this connection is Client-to-Server.

This syntax selects all connections that are Client-to-Server:

fw ctl conntab -type=0x00010000/0x00010000

This syntax selects all connections that are not Client-to-Server:

fw ctl conntab -type=0x00000000/0x00010000

Example 3 for "-type":

This syntax selects all connections that:

are Client-to-Server ("XX0(1)_hexXXXX" = "XX0(0001)_binXXXX")
are not encrypted ("XX0XXXX(1)_hex" = "XX0XXXX(0001)_bin")

fw ctl conntab -type=0x00010001/0x0001000F

This syntax selects all connections that:

are not Client-to-Server ("XX0(0)_hexXXXX" = "XX0(0000)_binXXXX")
are not encrypted ("XX0XXXX(1)_hex" = "XX0XXXX(0001)_bin")

fw ctl conntab -type=0x00000001/0x0001000F

Example 4 for "-type":

The "R_CTYPE" number "XX0X(C)_hexXXX" = "XX0X(1100)_binXXX" means this TCP connection is established.
The "R_CTYPE" number "XX0X(D)_hexXXX" = "XX0X(1101)_binXXX" means this TCP connection is half-closed.
The "R_CTYPE" number "XX0X(F)_hexXXX" = "XX0X(1111)_binXXX" means this TCP connection is fully closed.

Algorithm:

In a given "R_CTYPE" number "XXXXXXXX", it is necessary to examine the 5th hexadecimal digit from the left (to examine its 4 binary bits):

"XXXX(X)_hexXXX" = "XXXX(XXXX)_binXXX"
Therefore, in 0x<Bitmask> we must use "1111"_bin = "F"_hex.
We need to take into account only the 3rd and the 4th (from the right) binary digit in these four binary digits.

Therefore, in 0x<Value> we must use "1100"_bin = "C"_hex.

Therefore, this is the final syntax that selects all connections that:

are established TCP connections
are not half-closed TCP connections
are not closed TCP connections

fw ctl conntab -type=0x0000C000/0x0x0000F000

-flags=0x<Value>/0x<Bitmask>

Filters the output by the specified Connection "Flags" bitmask for the "R_CFLAGS" number that is described in sk65133:

"R_CFLAGS" is a set of independent 8 hexadecimal digits that represent connection flags.
In "R_CFLAGS", each hexadecimal digit is between 0 and F and is represented by 4 binary digits between 0000 and 1111.
The final connection flag value is accumulative(sum of all enabled hexadecimal digits).

In the syntax "-falsg=0x<Value>/0x<Bitmask>":

0x<Value>

Specifies the binary digits that must be set ("1") or that must not be set ("0") in the binary digits that you examine in the "R_CFLAGS" number.

You must convert the required set of binary digits to the hexadecimal format.
0x<Bitmask>

Specifies the binary digits to examine in the "R_CFLAGS" number.

You must convert the required set of binary digits to the hexadecimal format.

Procedure:

Get all current connections:

fw tab -u -t connections > /var/log/fw_tab_connections.txt

In the applicable connections, immediately after the tuple, after the semi-colon, refer to the second number.

In sk65133, this number is denoted as "R_CFLAGS".

Select the relevant connections:

fw ctl conntab -flags=0x<Value>/0x<Bitmask>

Notes:

You can specify the hexadecimal digits in all lowercase letters or all uppercase letters.
The parameter "-flags" is not supported together with the parameter "-state".

Example 1 for "-flags":

The "R_CFLAGS" number "000000(2)_hex0" = "000000(0010)_bin0" means this a Data connection.

This syntax selects all Data connections:

fw ctl conntab -type=0x00000020/0x00000020

This syntax selects all connections that are not Data:

fw ctl conntab -type=0x00000000/0x00000020

Example 2 for "-flags":

The "R_CFLAGS" number "000(4)_hex0000" = "000(0100)_bin0000" means this connection started with TCP [SYN] (SYN_SENT).

This syntax selects all connections that started with TCP [SYN]:

fw ctl conntab -type=0x00040000/0x00040000

Example 3 for "-flags":

The "R_CFLAGS" number "0000(2)_hex000" = "0000(0010)_bin000" means the Security Gateway already "saw" this connection on the "Server" side.
The "R_CFLAGS" number "000000(8)_hex0" = "000000(1000)_bin0" means the Security Gateway logged this connection.

This syntax selects all connections that:

are seen on the "Server" side
are logged connections

fw ctl conntab -type=0x00002080/0x00002080

Examples

Example 10 - Formatted detailed output from the Connections table (for comparison)

[Expert@MyGW:0]# fw tab -t connections -f

Formatting table's data - this might take a while...

localhost:

Date: Sep 10, 2018

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 54201; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: -1; Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 54201; Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 54201; Dest_1: 192.168.204.1; DPort_1: 53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 54201; Protocol: tcp; CPTFMT_sep_1: ->; Direction_2: 0; Source_2: 192.168.204.1; SPort_2: 54201; Dest_2: 192.168.204.40; DPort_2: 22; Protocol_2: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 54201; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 02007800000f9000; Expires: 3596/3600; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0; Source: 192.168.204.1; SPort: 53; Dest: 192.168.204.40; DPort: 44966; Protocol: udp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 44966; Dest_1: 192.168.204.1; DPort_1: 53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1; Source: 192.168.204.40; SPort: 44966; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

[Expert@MyGW:0]#