How to Manually Delete an Entry from the Connections Table in Check Point Firewall

Share This:

Check Point Firewall

If you ever run into a situation where you have a stuck session state in the connections table in a Check Point firewall, you can refer to SK103876 (You must have a Check Point account with Enterprise Support to view the article). Using the steps below, you can find the connection, generate the HEX fields needed, and output the full command needed to delete an entry from the connections table in Check Point firewalls. WARNING: This is only for advanced users, we are not responsible if you break your firewall. Please use with caution and verify the commands work in your environment.

How to Manually Delete an Entry from the Connections Table in Check Point Firewall

You’ll need to log into the CLI of your firewall and be in expert mode first.

Then we need to output all of your connections into a file called active_connections:

fw tab -t connections -u > active_connections

Next, we’ll filter the connections and search for Source IP (IPA) and Destination IP (IPB). Replace these values with the connection you’re looking for. This will output the filtered list into a file called filtered_connections.

IPA="x.x.x.x"; IPB="y.y.y.y"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" active_connections | grep "$IPBHEX" | grep "^<0000000" | awk  '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's///g'|sed 's/;//g' > filtered_connections

Now, you can view the contents of the filtered_connections file by running:

cat filtered_connections

The output should be something similar to:

fw tab -t connections -x -e CSV_of_6_HEX_VALUES

You’ll need to run each line of the output to delete all of the connections. You could also try ./filtered_connections but you might need to CHMOD the file to make it executable.

These steps have been used in R80.10 GW and R77 successfully. Remember, use caution and verify these commands will work in your environment before using them on a production firewall!


Share This:

 

One Response

  1. Daniel Collins

Leave a Reply