Checkpoint clear sessions

  1. List all sessions
  2. Find interesting sessions
  3. Example
  4. Convert HEX to IP
    1. Example
  5. Convert HEX to INT
  6. Links

List all sessions

fw tab -t connections -u

The output will look something like this (the values are in hex):

# fw tab -t connections -u
localhost:
-------- connections --------
dynamic, id 8158, num ents 1, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 131072, limit 25000
<00000000, 0aff0202, 00000000, e0000005, 00000000, 00000059; 00010001, 00000080, 00000016, 000001c7, 00000000, 663d3a96, 00000000, 0347733e, e8cc7f8e, 00000001, ffffffff, ffffffff, ffffffff, 0000e800, 08000080, 80004080, 00000000, 00000000, 75396850, ffffc900, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 5005b000, 00000000, 00000000, 00000000; 50/60>
<00000000, 0aff0203, 000007c1, e0000066, 000007c1, 00000011; 00010001, 00004080, 00000016, 00000028, 00000000, 663d3a96, 00000000, 40b7f426, f67bda10, 00000001, ffffffff, ffffffff, ffffffff, 0000e800, 08000080, 00004084, 00000000, 00000000, 763b2300, ffffc900, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 508e5000, 00000000, 00000000, 00000000; 37/40>

Let's put this into a file:

fw tab -t connections -u > table

Find interesting sessions

fw tab -t connections -u > table

IPA="x.x.x.x"; IPB="y.y.y.y"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}'| sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall

Example

fw tab -t connections -u > table
IPA="10.255.2.14"; IPB="10.255.82.254"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}'| sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listofall

cat listofall
fw tab -t connections -x -e 00000000,0aff52fe,00000035,0aff020e,0000ed1f,00000011
fw tab -t connections -x -e 00000001,0aff020e,0000ed1f,0aff52fe,00000035,00000011

Convert HEX to IP

printf '%d.%d.%d.%d\n' $(echo 0aff52fe | sed 's/../0x& /g')

Example

printf '%d.%d.%d.%d\n' $(echo 0aff52fe | sed 's/../0x& /g')
10.255.82.254

Convert HEX to INT

printf '%d\n' 0x00000035
53

Neat to remember: 0x35 is 53, DNS 🙂
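
The filter and the hex conversions above, combined into one added example (not part of the original page): it matches the two addresses only in the source and destination fields of each entry's key, rather than anywhere on the line, and prints every match decoded next to its delete command so the list can be reviewed before anything is run. The function names are hypothetical, the sample entries are constructed, and the key field order (direction, source IP, source port, destination IP, destination port, IP protocol) is an assumption consistent with the values decoded above.

```shell
# Added example; function names are hypothetical. Assumed key field order:
# direction, src IP, src port, dst IP, dst port, IP protocol.
ip_to_hex() {      # 10.255.82.254 -> 0aff52fe
    ( IFS=.; set -- $1; printf '%02x%02x%02x%02x\n' "$1" "$2" "$3" "$4" )
}
hex_to_ip() {      # 0aff52fe -> 10.255.82.254
    printf '%d.%d.%d.%d\n' $(printf '%s\n' "$1" | sed 's/../0x& /g')
}
entry_key() {      # "<a, b, c, d, e, f; ...>" -> "a,b,c,d,e,f"
    printf '%s\n' "$1" | sed 's/^<//; s/;.*//; s/ //g'
}

decode_key() {     # key -> readable 6-tuple
    ( IFS=,; set -- $1; unset IFS
      printf 'dir=%d %s:%d -> %s:%d proto=%d\n' "0x$1" "$(hex_to_ip "$2")" \
          "0x$3" "$(hex_to_ip "$4")" "0x$5" "0x$6" )
}

key_has_pair() {   # key hexA hexB: true if src/dst are A and B, either way round
    ( a=$2; b=$3; IFS=,; set -- $1
      { [ "$2" = "$a" ] && [ "$4" = "$b" ]; } ||
      { [ "$2" = "$b" ] && [ "$4" = "$a" ]; } )
}

# stdin: saved table; args: two dotted IPs. Prints each matching entry decoded
# as a comment, followed by its delete command, for review before running.
review_list() {
    a=$(ip_to_hex "$1"); b=$(ip_to_hex "$2")
    while IFS= read -r line; do
        case $line in '<'*) ;; *) continue ;; esac   # skip header lines
        key=$(entry_key "$line")
        if key_has_pair "$key" "$a" "$b"; then
            printf '# %s\n' "$(decode_key "$key")"
            printf 'fw tab -t connections -x -e %s\n' "$key"
        fi
    done
}

# Constructed sample entries (fields after the key shortened).
sample_table() {
    cat <<'EOF'
<00000000, 0aff52fe, 00000035, 0aff020e, 0000ed1f, 00000011; 00010001, 00004080; 37/40>
<00000001, 0aff020e, 0000ed1f, 0aff52fe, 00000035, 00000011; 00010001, 00004080; 37/40>
<00000000, 0aff0203, 000007c1, e0000066, 000007c1, 00000011; 00010001, 00004080; 37/40>
EOF
}

sample_table | review_list 10.255.2.14 10.255.82.254
```

On a gateway, feed it the saved file instead of the sample: review_list 10.255.2.14 10.255.82.254 < table > listofall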