Friday 3 May 2013

Checkpoint Top Talkers Script - Display top 50 Source/Destinations

Hi Everyone,

I've finished writing a script that should be very useful to most of you. It lets you determine the 50 chattiest hosts on your network, ranked by the number of active connections in the gateway's SecureXL tables, filtered by a few different criteria.

This is what it looks like when you run it:

Hello, Welcome to the Checkpoint Top Talkers display utility by Craig Dods
-----------------------------------------------
    M A I N - M E N U
-----------------------------------------------
Please note that this is for use on devices with SecureXL enabled ONLY

1.  Display the top 50 Source/Destination combos
2.  Display the top 50 Source/Destination combos with identical Destination Ports
3.  Display the top 50 Source/Destination combos with identical Source Ports
4.  Display the top 50 Sources
5.  Display the top 50 Destinations
6.  Display the top 50 Source/Destination combos on a Custom Destination Port
7.  Display the top 50 Source/Destination combos on a Custom Source Port
8.  Display the top 50 Sources on a Custom Destination Port
9.  Display the top 50 Destinations on a Custom Destination Port
10. Display the top 50 Sources on a Custom Source Port
11. Display the top 50 Destinations on a Custom Source Port
12. Display the top 20 Destination Ports
13. Display the top 20 Source Ports
14. Display Connections From A Specific Host (large list)
15. Display Connections To A Specific Host (large list)
16. Exit

As you can see, there are quite a few options to choose from.

As an example, let's say you're simply trying to find out the busiest host-to-host connections and which destination ports they're using. Select option 2 to see the results (the formatting looks better in bash, I swear; IPs are also obfuscated):

Please Make A Selection:  2
     #      SRC IP          DST IP       DPort
   9801 192.168.222.222  192.168.111.181  514    
    532 192.168.222.222  192.168.111.181  443    
    464 192.168.222.222  192.168.111.181  443    
    455 192.168.222.222  192.168.111.181  443    
    435 192.168.222.222  192.168.111.181    53      
    431 192.168.222.222  192.168.111.181  443    
    388 192.168.222.222  192.168.111.181  443    
    374 192.168.222.222  192.168.111.181  443    
    369 192.168.222.222  192.168.111.181  443    
    342 192.168.222.222  192.168.111.181  3995
    ................................
    Press [Enter] key to continue...

Another common use case is when you're trying to determine which host is flooding a certain type of traffic (DNS, syslog, etc.). It's easy to find who's causing the problem by using one of the 'Custom Port' options:

Looking for hosts generating DNS requests by using option #8:

Please Make A Selection:  8
Please enter the specific Destination Port you wish to filter for:
53

     #  SRC IP on DPORT 53
    199 192.168.0.0
    142 192.168.0.0
     94 192.168.0.0
     79 192.168.0.0
     33 192.168.0.0
     32 192.168.0.0
     26 192.168.0.0
     16 192.168.0.0
     16 192.168.0.0
     13 192.168.0.0

There are obviously many more use cases than I've covered above, so please try it out and let me know how it works!

Some caveats to keep in mind:
1) This only works on devices with SecureXL enabled.
2) This may not work on every device. If you find that something isn't working in your environment, let me know!
3) All of this is based on active connections. The numbers are counts of connection entries, not bytes or packets; at no point are these scripts measuring actual throughput for any host.
4) Since we're pulling the information from the SecureXL tables rather than the firewall connection table, there will be some oddities, such as an entry for each direction of a connection when using option 1:

Please Make A Selection:  1
     #      SRC IP          DST IP
   9095 192.168.0.1  192.168.1.1
   9095 192.168.1.1  192.168.0.1
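To make the counting behind the menu options concrete, here is an added example (not the original top_talkers.sh, and not code from the post) that reproduces options 1, 2 and 8 as small shell functions and runs them over a constructed sample of SecureXL connection entries. On a real gateway you would feed the functions the output of `fwaccel conns`; the column layout assumed here (Source, SPort, Destination, DPort, PR) is an assumption about that output, not something the post states. The sample deliberately lists every connection once per direction to show the caveat-4 behaviour, and the last function goes beyond the original script by folding both directions into one pair:

```bash
#!/bin/bash
# Added example, not Craig Dods' top_talkers.sh: the counting pipeline behind
# "top N source/destination combos" and "top N sources on a destination port",
# run over constructed input. Column order (Source SPort Destination DPort PR)
# is an ASSUMPTION about `fwaccel conns` output, not taken from the post.

# Constructed sample of accelerated-connection entries. As in the SecureXL
# table (caveat 4 in the post), each connection appears once per direction:
# the reverse entry has source/destination swapped and the client's
# ephemeral port as its DPort.
SAMPLE_CONNS='Source          SPort Destination     DPort PR
---------------------------------------------------------
192.168.222.222 51000 192.168.111.181 514   17
192.168.111.181 514   192.168.222.222 51000 17
192.168.222.222 51001 192.168.111.181 514   17
192.168.111.181 514   192.168.222.222 51001 17
192.168.222.222 51002 192.168.111.181 514   17
192.168.111.181 514   192.168.222.222 51002 17
192.168.222.222 52000 192.168.111.181 443   6
192.168.111.181 443   192.168.222.222 52000 6
192.168.222.222 52001 192.168.111.181 443   6
192.168.111.181 443   192.168.222.222 52001 6
10.1.1.5        40000 10.2.2.53       53    17
10.2.2.53       53    10.1.1.5        40000 17
10.1.1.5        40001 10.2.2.53       53    17
10.2.2.53       53    10.1.1.5        40001 17
10.1.1.6        40002 10.2.2.53       53    17
10.2.2.53       53    10.1.1.6        40002 17'

# Keep only rows whose first column is a dotted quad; this drops the header
# and separator lines that precede the table.
conn_rows() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/'
}

# Count identical key lines on stdin and print the N most frequent as
# "count key...", ordered by count descending and then by key so ties come
# out in a stable order. The counting is done in awk memory; only the final
# ranking goes through sort(1), whose temp files land in $TMPDIR (use -T to
# relocate them if /tmp is small on a gateway with a huge table).
count_top() {
    awk '{ c[$0]++ } END { for (k in c) print c[k], k }' \
      | sort -k1,1nr -k2 \
      | head -n "$1"
}

# Menu option 1: top N source/destination pairs. Both directions of a
# connection are counted separately, exactly as caveat 4 describes.
top_pairs() {
    conn_rows | awk '{ print $1, $3 }' | count_top "$1"
}

# Menu option 2: top N source/destination pairs with identical DPort.
top_pairs_by_dport() {
    conn_rows | awk '{ print $1, $3, $4 }' | count_top "$1"
}

# Menu option 8: top N sources talking to a given destination port.
# Usage: top_sources_on_dport PORT N
top_sources_on_dport() {
    conn_rows | awk -v p="$1" '$4 == p { print $1 }' | count_top "$2"
}

# Beyond the original script: fold the two directions of a connection into
# one unordered pair (lower address first). The count is still entries, so
# a fully symmetric table yields twice the number of connections.
top_pairs_folded() {
    conn_rows \
      | awk '{ if ($1 < $3) print $1, $3; else print $3, $1 }' \
      | count_top "$1"
}

demo() {
    echo "Option 2: top source/destination/DPort combos"
    printf '%s\n' "$SAMPLE_CONNS" | top_pairs_by_dport 3
    echo "Option 8: top sources on DPort 53"
    printf '%s\n' "$SAMPLE_CONNS" | top_sources_on_dport 53 5
    echo "Option 1: both directions show up separately"
    printf '%s\n' "$SAMPLE_CONNS" | top_pairs 2
    echo "Folded pairs (not in the original script)"
    printf '%s\n' "$SAMPLE_CONNS" | top_pairs_folded 3
}

demo
```

On a gateway you would replace the `printf '%s\n' "$SAMPLE_CONNS"` feed with `fwaccel conns` and adjust the field numbers if the column order differs from the layout assumed here. Because every stage streams through awk and the table is only materialised once for the final sort, the cost is roughly that of dumping the table, which matches the author's observation that running it under load has little impact.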


And finally, you can find the script right here. See my post about WGET if you're not sure how to pull it down:

WGET on Checkpoint

10 comments:

  1. Man, you're a genius... curious to know (as I'm new in this business) how to run your script on a SPLAT R70.30 box... you can mail this procedure to rohitandani@gmail.com or you can reply back here...

    ReplyDelete
  2. Haha, no worries. Here's what you have to do to run this (or any) script:
    1) Download it to the firewall itself (see wget -> paste the URL of the script).
    2) Edit the permissions of the file to make it executable with:
    chmod +x
    3) Run the script:
    ./top_talkers.sh

    Cheers!

    ReplyDelete
  3. Sorry, HTML cut out the chmod +x piece

    You need to run:
    chmod +x top_talkers.sh

    ReplyDelete
  4. thanks Craig, waiting for your next post..... :) hope we will see it soon...

    ReplyDelete
  5. Could you edit the script for non fw accel devices to use the connections table instead?

    ReplyDelete
  6. It's definitely possible, I suppose; however, it won't work on anything pre-R75 due to memory allocation issues when dumping via decimal format. If you're not running fwaccel on a CP, you've got larger problems than figuring out who the busiest hosts are :)

    Also, there is a *severe* performance impact for doing it...It's not a good idea.

    ReplyDelete
  7. How about validating SecureXL status?

    # capture secureXL status (the awk call trims the whitespace around the
    # value so the quoted comparison below works)
    accel_status=$(fwaccel stat | grep "Accelerator Status" | awk 'BEGIN { FS = ":" } ; { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }')

    if [ "$accel_status" = "off" ]; then
        echo -e "\nWARNING - We have detected that SecureXL is currently disabled on the system."
        exit 1
    fi

    ReplyDelete
  8. Hi Craig,

    Have you seen any issues with running this script while a cluster is under very heavy load? I've run a couple tests and it does not appear resource intensive but wanted to verify.

    Thanks

    ReplyDelete
  9. To answer the questions:
    1) I could do validation but everyone already knows that it's required so...
    2) Running it under load - yes, I've used it in multiple DoS scenarios. These tables are held in RAM and are dumped with little to no impact.

    ReplyDelete
  10. Sort technically will use tmp files in $TMP, which can be overridden with the -T option. The reason I bring this up is that if /tmp can't hold all the temp files created, sort will barf. Chances are this won't happen, but just an FYI.

    ReplyDelete