SmartView Monitor
SmartView Monitor is a graphical user interface (GUI) tool that allows network administrators to monitor and manage Check Point devices and gateways. SmartView Monitor can display real-time and historical statistics of network traffic, such as throughput, packets, connections, services, protocols, and hosts. SmartView Monitor can also show the top talkers in the network by source or destination IP address, service, or protocol.
To use SmartView Monitor, you need to have a valid license and connect to a Check Point management server or gateway. You can launch SmartView Monitor from the SmartConsole application or from a web browser. To find top talkers in SmartView Monitor, you can follow these steps:
1. Select the gateway or device that you want to monitor from the tree view on the left.
2. Select the Traffic tab on the right.
3. Select the Top Talkers sub-tab.
4. Select the time frame that you want to analyze from the drop-down menu on the top right.
5. Select the criteria that you want to sort by from the drop-down menu on the bottom right. You can choose from Source IP, Destination IP, Service, or Protocol.
The table below will show the top talkers in the network according to your selection. You can also see a pie chart that represents the percentage of each top talker in the total traffic.
You can double-click on any row in the table to see more details about the traffic of that host or service.
For more information about SmartView Monitor, you can refer to [this guide].
CLI commands
If you prefer to use command-line interface (CLI) tools, you can also find top talkers in Check Point devices using some CLI commands. These commands can be executed on Check Point gateways or management servers using SSH or console access. Some of these commands are:
fwaccel conns: This command shows the current connections that are accelerated by SecureXL, which is a performance-enhancing technology that offloads CPU-intensive operations from the firewall kernel. You can use this command to see the source and destination IP addresses of each connection, as well as other information such as protocol, port, state, and expiration time. You can also pipe this command to other commands such as awk, sort, uniq, and head to filter and sort the output by different criteria. For example, to see the top 10 source IP addresses by number of connections, you can use this command:
fwaccel conns | awk '{print $1}' | sort | uniq -c | sort -n -r | head -n 10
fw tab -t connections -u -f: This command shows the current connections that are handled by the firewall kernel. You can use this command to see more details about each connection, such as interface, NAT information, encryption information, and flags. You can also pipe this command to other commands as mentioned above to filter and sort the output by different criteria. For example, to see the top 10 destination IP addresses by number of bytes transferred, you can use this command:
fw tab -t connections -u -f | awk '{print $5}' | sort | uniq -c | sort -n -r | head -n 10
rtm monitor: This command allows you to use SmartView Monitor from the CLI. You can use this command to see the same statistics that are displayed in the GUI, such as throughput, packets, connections, services, protocols, and hosts. You can also specify different parameters to customize the output, such as key, value, sort, interval, and filter. For example, to see the top source IP addresses by number of packets every 60 seconds, you can use this command:
rtm monitor -k src -v pkts sort=top -i 60
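An added example, not part of the original page or Check Point's documentation: the counting pipeline from the fwaccel conns and fw tab commands above, wrapped in a function that skips header, separator and summary lines so they are not counted as talkers. The sample rows and their column layout are constructed for illustration, and the function names sample_conns and top_talkers are hypothetical.

```shell
# Constructed sample of connection-table style output (assumed layout,
# not captured from a real gateway). Addresses are documentation ranges.
sample_conns() {
cat <<'EOF'
Source          SPort Destination     DPort PR Flags
--------------- ----- --------------- ----- -- -----
10.1.1.20       51544 192.0.2.10        443  6 F....
10.1.1.20       51545 192.0.2.10        443  6 F....
10.1.1.35       40022 198.51.100.7       53 17 F....
10.1.1.20       51546 203.0.113.9        80  6 F....
10.1.1.35       40023 198.51.100.7       53 17 F....
10.1.1.77       33900 192.0.2.10        443  6 F....

Total number of connections: 6
EOF
}

# top_talkers COLUMN [N]
# Reads connection rows on stdin, counts how often each IPv4 address appears
# in whitespace-separated COLUMN, and prints "count address" for the N busiest
# (default 10). Rows whose COLUMN is not a dotted-quad address (headers,
# separators, blank lines, totals) are ignored instead of being counted.
top_talkers() {
    col=$1
    n=${2:-10}
    awk -v c="$col" '
        $c ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { count[$c]++ }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2 | head -n "$n"
}

# Top 3 sources by number of connections in the constructed sample.
sample_conns | top_talkers 1 3
```

On a gateway the same function can take live output, for example fwaccel conns | top_talkers 1 10, after checking which column holds the address in that version's output.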
For more information about these CLI commands, you can refer to [this guide].
Conclusion
Finding top talkers in the network is an important task for network administrators who want to optimize network performance, troubleshoot issues, and detect anomalies. Check Point provides various tools and methods to find top talkers in Check Point devices, such as SmartView Monitor and CLI commands. These tools can help network administrators monitor and analyze network traffic and identify the hosts or services that generate or consume the most bandwidth, packets, or connections in the network.