I've finished writing a script that should be very useful to most of you. It allows you to determine the top 50 chattiest hosts on your network based on certain criteria.
This is what it looks like when you run it:
Hello, Welcome to the Checkpoint Top Talkers display utility by Craig Dods
-----------------------------------------------
M A I N - M E N U
-----------------------------------------------
Please note that this is for use on devices with SecureXL enabled ONLY
1. Display the top 50 Source/Destination combos
2. Display the top 50 Source/Destination combos with identical Destination Ports
3. Display the top 50 Source/Destination combos with identical Source Ports
4. Display the top 50 Sources
5. Display the top 50 Destinations
6. Display the top 50 Source/Destination combos on a Custom Destination Port
7. Display the top 50 Source/Destination combos on a Custom Source Port
8. Display the top 50 Sources on a Custom Destination Port
9. Display the top 50 Destinations on a Custom Destination Port
10. Display the top 50 Sources on a Custom Source Port
11. Display the top 50 Destinations on a Custom Source Port
12. Display the top 20 Destination Ports
13. Display the top 20 Source Ports
14. Display Connections From A Specific Host (large list)
15. Display Connections To A Specific Host (large list)
16. Exit
As you can see, there are quite a few options to choose from.
As an example, let's say you're simply trying to find out the busiest host-to-host connections and which ports they're using. Choose option 2 to see the results (the formatting looks better in bash, I swear; IPs are also obfuscated):
Please Make A Selection: 2
# SRC IP DST IP DPort
9801 192.168.222.222 192.168.111.181 514
532 192.168.222.222 192.168.111.181 443
464 192.168.222.222 192.168.111.181 443
455 192.168.222.222 192.168.111.181 443
435 192.168.222.222 192.168.111.181 53
431 192.168.222.222 192.168.111.181 443
388 192.168.222.222 192.168.111.181 443
374 192.168.222.222 192.168.111.181 443
369 192.168.222.222 192.168.111.181 443
342 192.168.222.222 192.168.111.181 3995
................................
Press [Enter] key to continue...
Another common use case is determining which host is flooding a certain type of traffic (DNS, Syslog, etc.). It's easy to find who's causing the problem by using one of the 'Custom Port' options.
Looking for hosts generating DNS requests using option 8:
Please Make A Selection: 8
Please enter the specific Destination Port you wish to filter for:
53
# SRC IP on DPORT 53
199 192.168.0.0
142 192.168.0.0
94 192.168.0.0
79 192.168.0.0
33 192.168.0.0
32 192.168.0.0
26 192.168.0.0
16 192.168.0.0
16 192.168.0.0
13 192.168.0.0
Some caveats to keep in mind:
1) This only works on devices with SecureXL enabled
2) This may not work on every device. If you find out something isn't working in your environment, let me know!
3) All of this is based on active connections. At no point are these scripts monitoring actual throughput for any host.
4) Since we're pulling the information from the SecureXL tables rather than the connection table, there will be some oddities, such as one entry for each direction of a connection when using option 1:
Please Make A Selection: 1
# SRC IP DST IP
9095 192.168.0.1 192.168.1.1
9095 192.168.1.1 192.168.0.1
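The counting that produces reports like option 2, option 8 and the per-direction rows in caveat 4 is plain sort/uniq work. The script below is an added example, not Craig's top_talkers.sh and not SecureXL output: it runs the same aggregation over a constructed flow list (one line per active connection, columns SRC DST SPORT DPORT) so the logic can be tried offline. The real fwaccel table format differs; only the ranking step is shown, and, as in the post, the numbers are connection counts, not throughput.

```shell
#!/bin/sh
# Added example, not the original script. Constructed sample of an
# active-connection dump: one flow per line, fields SRC DST SPORT DPORT.
# Real SecureXL output is formatted differently; only the counting is shown.
CONNS='192.168.222.222 192.168.111.181 40001 514
192.168.222.222 192.168.111.181 40002 514
192.168.222.222 192.168.111.181 40003 514
192.168.222.222 192.168.111.181 40004 443
192.168.10.5 192.168.111.181 50001 53
192.168.10.5 192.168.111.181 50002 53
192.168.10.7 192.168.111.181 50003 53
192.168.111.181 192.168.222.222 514 40001
192.168.111.181 192.168.222.222 514 40002'

# Shared tail of every report: count identical lines, order by count
# descending, keep the top N (default 50), squeeze uniq's padding.
rank() {
    sort | uniq -c | sort -k1,1nr | head -n "${1:-50}" | awk '{ $1 = $1; print }'
}

# Option 2 style: top N SRC/DST combos that share a destination port.
# Usage: printf '%s\n' "$CONNS" | top_pairs_with_dport 50
top_pairs_with_dport() {
    awk '{ print $1, $2, $4 }' | rank "$1"
}

# Option 8 style: top N sources talking to one destination port.
# Usage: printf '%s\n' "$CONNS" | top_sources_on_dport 53 50
top_sources_on_dport() {
    awk -v port="$1" '$4 == port { print $1 }' | rank "$2"
}

# Caveat 4: the tables hold one entry per direction, so A->B and B->A
# appear as two rows. Ordering each pair (lower address string first)
# folds both directions into a single row with the combined count.
top_pairs_bidirectional() {
    awk '{ if ($1 < $2) print $1, $2; else print $2, $1 }' | rank "$1"
}

echo "# SRC IP DST IP DPort"
printf '%s\n' "$CONNS" | top_pairs_with_dport 5
echo "# SRC IP on DPORT 53"
printf '%s\n' "$CONNS" | top_sources_on_dport 53 5
echo "# host pair (both directions folded)"
printf '%s\n' "$CONNS" | top_pairs_bidirectional 5
```

On a real box you would replace the constructed CONNS with the table dump the script already parses; the three filters then give the option 2, option 8 and direction-folded views of the same data.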
And finally, you can find the script right here. See my post about WGET if you're not sure how to pull it down.
WGET on Checkpoint
Man, you're a genius.... Curious to know (as I'm new in this business) how to run your script on a SPLAT R70.30 box.... You can mail this procedure to rohitandani@gmail.com or you can reply back here.....
Haha, no worries. Here's what you have to do to run this (or any) script.
1) Download it to the firewall itself (see wget -> paste the URL of the script)
2) Edit the permissions of the file to make it executable with:
chmod +x
3) Run the script:
./top_talkers.sh
Cheers!
Sorry, HTML cut out the chmod +x piece
You need to run:
chmod +x top_talkers.sh
Thanks Craig, waiting for your next post..... :) Hope we will see it soon...
Could you edit the script for non-fw-accel devices to use the connections table instead?
It's definitely possible, I suppose; however, it won't work on anything pre-R75 due to memory allocation issues when dumping via decimal format. If you're not running fwaccel on a CP, you've got larger problems than figuring out who the busiest hosts are :)
Also, there is a *severe* performance impact for doing it... It's not a good idea.
How about validating SecureXL status?
# capture SecureXL status (strip the whitespace after the colon so the comparison is exact)
accel_status=$(fwaccel stat | grep "Accelerator Status" | awk 'BEGIN { FS = ":" } ; { gsub(/[ \t]/, "", $2); print $2 }')
if [ "$accel_status" = "off" ]; then
    echo -e "\nWARNING - We have detected that SecureXL is currently disabled on the system."
    # ...and exit 1
    exit 1
fi
Hi Craig,
Have you seen any issues with running this script while a cluster is under very heavy load? I've run a couple of tests and it does not appear resource intensive, but wanted to verify.
Thanks
To answer the questions:
1) I could do validation, but everyone already knows that it's required so...
2) Running it under load - yes, I've used it in multiple DoS scenarios. These tables are held in RAM and are dumped with little to no impact.
Sort will technically use tmp files in $TMP, which can be overridden with the -T option. The reason I bring this up is that if /tmp can't hold all the temp files created, sort will barf. Chances are this won't happen, but just an FYI.