
I have a firewall, where I have to lower the TCP session timeout from 24h to 1h.
Before I do that, I'm trying to determine if this will break any applications, i.e. applications that have sessions that can be idle for a long time but are not able to re-establish the connection if the firewall drops it.
So I want to filter out connections from my connection table, that have been idle for more than 60 minutes.

Firewall is CheckPoint R75.40, and I'm looking at the connection table with the "fw tab -t connections -u" command. I suppose the information I want is in the output, but what am I looking for?

sk0yern

2 Answers


The command for doing this would be:

fw tab -t connections -u -f | grep 86400 \
  | awk '{ split($41,a,"/"); if( a[1] < 82800) print $2,$9,$13,$15,$41; }'

86400 is the current TCP session timeout in seconds.
Thanks to toottoot for the -f flag.

Mike Pennington
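The same filter in a parameterised form, as an added example that is not from the answers above nor from Check Point's tooling: like the awk, it assumes that `fw tab -t connections -u -f` prints one whitespace-separated record per connection with field 41 holding `remaining/total` timeout seconds (that column layout is an assumption), and it reports idle time directly instead of a fixed threshold; the sample records are constructed.

```python
from typing import NamedTuple

# Assumed field layout (1-based), matching the awk in the answer:
# $2 src, $9 dst, $13 sport, $15 dport, $41 "remaining/total" timeout.
# The real `fw tab -f` column order is an assumption here, not documented on the page.
FIELDS = {"src": 2, "dst": 9, "sport": 13, "dport": 15, "timeout": 41}

class IdleConn(NamedTuple):
    src: str
    dst: str
    sport: str
    dport: str
    idle_seconds: int

def parse_record(line, session_timeout=86400):
    """One table record -> IdleConn, or None if malformed or not a
    session_timeout-class entry (the exact-match equivalent of `grep 86400`)."""
    f = line.split()
    if len(f) < FIELDS["timeout"]:
        return None
    remaining, sep, total = f[FIELDS["timeout"] - 1].partition("/")
    if sep != "/" or not remaining.isdigit() or not total.isdigit():
        return None
    if int(total) != session_timeout:
        return None
    return IdleConn(f[1], f[8], f[12], f[14], session_timeout - int(remaining))

def idle_connections(lines, session_timeout=86400, idle_threshold=3600):
    """Connections idle longer than idle_threshold seconds, i.e. those a shorter
    firewall timeout would drop. Longest idle first."""
    found = [r for r in (parse_record(l, session_timeout) for l in lines)
             if r is not None and r.idle_seconds > idle_threshold]
    return sorted(found, key=lambda r: r.idle_seconds, reverse=True)

def _record(src, dst, sport, dport, remaining, total=86400):
    """Build a constructed 41-field record for the sample data below."""
    f = ["-"] * 41
    f[1], f[8], f[12], f[14], f[40] = src, dst, sport, dport, f"{remaining}/{total}"
    return " ".join(f)

# Constructed sample table: only the second and third entries exceed 60 minutes idle.
SAMPLE = [
    _record("10.0.0.5", "10.0.1.20", "51234", "1433", 86300),  # idle 100 s
    _record("10.0.0.7", "10.0.1.30", "49152", "22", 82000),    # idle 4400 s
    _record("10.0.0.9", "10.0.1.40", "40000", "5432", 3600),   # idle 82800 s
    _record("10.0.0.11", "10.0.1.50", "40001", "443", 3000, total=3600),  # 1 h entry, ignored
    "garbage line with no fields",
]
```

Feed it the saved table with `idle_connections(open("conns.txt"))`, and pass `session_timeout=` whatever total the entries you are inspecting actually show.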

If you want to use the command line, you can just add the -f flag to the command; it will format the output as readable text: "fw tab -t connections -u -f"

Another option is to use Smartview Tracker and check the active connections from the Active tab. Be careful though if you have performance issues, viewing active connections will raise CPU load significantly on the gateway.

Yet another way is to enable accounting (Track column -> Other -> Account) on rules that could be matching long idle connections, in this case the connection duration will be visible in log file after the connection has been closed. Using the logs you can run a custom report with Check Point tools or just manually filter and view through them. This is maybe the best option, if you have time and want the most accurate results.

toottoot