Thanks :-)
Thanks :-)
I have the same exact question and I'm still not able to find any answer.
I created my own report for this task
How did you do that? Because I tried also to create my own but without any good result.
-> I think I was able to get somethinbg similar to yours but I don't have the option to add the Rule Hits.
1. create report
2. create table
3. i used this:
Selma Saglauskas wrote:
I used this report (Rule Base Analysis) to remove rules that had no hits for a certain period of time
We are planning zero hits reports in our next releases. For now - will Ofir's sample report above help you in that case?
Selma Saglauskas wrote:
as well as to sort the rules that had the most hits for places higher up in the policies.
Hi, thank you for your response. Look, the way the Ofir's example comes along does not help much. I need the rules, with their names, to appear separately by policy and gateway.
As this report was made, a column appears with Rule Name, where all rules are bound together. And I can not see which one did not hit.
Of course I can do this manually, look rule by rule and see that it has had no access in the last 3 months. However, if I need to know which rule has had no access (hit) in the last 6 months, for example, this alternative does not help much. And doing this manually is also not cool; so why to buy license of the Event if it does not help with the reports we need?
Why not using the integrated rulebase hit-count?
Right click the policy header, and enable the "Hits" column
You can sort the policy according to the hitcount, and remove those zero hits count.
For each rule you can also get the first and last hit:
I think it answers your requests.
Kfir Dadosh
You can generate a "zero hit count" report by selecting Actions-->Export and then filtering non-zero hit rules at the resulting CSV file.
Hello, Tomer Sole.
I've exported my rules, however the "hits" column was not exported to the CSV file.
I am using version R80.10.
Regards,
Selma.
OK I was not aware of that limitation, I will check internally and update
Hi, Kfir Dadosh.
Thank you for your answer.
I leave the "Hits" column always enabled, however I do not know how to sort according to the hitcount.
This solution as a workaround helps a bit, but the report that existed in SmartReporter was much better ...
Regards, Selma.
I have recently completed a project that involved similar requirements.
We've ended-up using an ungodly combination of Check Point Web Visualization tool, to get the data out of CMAs, Tufin historical reports to pin-down 0-hit rules and objects and excel's "Get Data" function to get both outputs in the same workbooks for correlation.
Additionally, a lookup of public IPs in the policy was supposed to be performed by hand to conclusively identify their ownership.
Resultant output was used for policy cleanup and report generation.
Given that it was done across tens of policies with thousands of rules and objects, the process was less than optimal.
It would be nice to see all these capabilities integrated in the smart console.
For now what I can offer is either:
a. open the rulebase in SmartConsole, select Actions-->Export... and then edit the resulting CSV to filter out rows which have hits != 0.
b. use import export policy, grab that HTML, and filter out rows with hits != 0.
c. edit the import export policy python script so that it does not output rules with hits != 0
We will improve it in the future, however for now will any of these options seem better than the combination you use today?
Regarding cleanup of rules using object hit count - this is a roadmap feature.
Not really, as there are no per-object hits available.
Tufin reports do have this property even on group members.
So I am looking forward to it being eventually implemented.
What about using the API command ?
Check Point - Management API reference
Command
show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" hits-settings.target "corporate-gw" --format json
last hit = time