Thanks :-)
Selma Saglauskas wrote:
I used this report (Rule Base Analysis) to remove rules that had no hits for a certain period of time
We are planning zero hits reports in our next releases. For now - will Ofir's sample report above help you in that case?
Selma Saglauskas wrote:
as well as to sort the rules that had the most hits for places higher up in the policies.
Hi, thank you for your response. Look, the way Ofir's example comes along does not help much. I need the rules, with their names, to appear separately by policy and gateway.
As this report was made, a column appears with Rule Name, where all rules are bound together. And I cannot see which one did not hit.
Of course I can do this manually, look rule by rule and see that it has had no access in the last 3 months. However, if I need to know which rule has had no access (hit) in the last 6 months, for example, this alternative does not help much. And doing this manually is also not cool; so why buy a license of the Event if it does not help with the reports we need?
I have recently completed a project that involved similar requirements.
We've ended up using an ungodly combination of the Check Point Web Visualization tool, to get the data out of CMAs, Tufin historical reports to pin down 0-hit rules and objects, and Excel's "Get Data" function to get both outputs in the same workbooks for correlation.
Additionally, a lookup of public IPs in the policy was supposed to be performed by hand to conclusively identify their ownership.
Resultant output was used for policy cleanup and report generation.
Given that it was done across tens of policies with thousands of rules and objects, the process was less than optimal.
It would be nice to see all these capabilities integrated in SmartConsole.
For now what I can offer is either:
a. open the rulebase in SmartConsole, select Actions-->Export... and then edit the resulting CSV to filter out rows which have hits != 0.
b. use import export policy, grab that HTML, and filter out rows with hits != 0.
c. edit the import export policy python script so that it does not output rules with hits != 0
We will improve it in the future; however, for now, would any of these options seem better than the combination you use today?
Regarding cleanup of rules using object hit count - this is a roadmap feature.
Not really, as there are no per-object hits available.
Tufin reports do have this property even on group members.
So I am looking forward to it being eventually implemented.
What about using the API command?
Check Point - Management API reference
Command
mgmt_cli show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" hits-settings.target "corporate-gw" --format json
last hit = time
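A sketch of how the JSON reply from that command could be turned into the per-policy, per-gateway zero-hit list asked for earlier in the thread. This is an added example, not code from any poster or from Check Point. The reply field names (rulebase, access-section, access-rule, rule-number, hits.value) are assumptions taken from the Management API reference, and the sample reply is constructed.

```python
import json

# Constructed sample shaped like the reply to
# `show access-rulebase ... show-hits true --format json` (field names assumed).
SAMPLE = json.loads("""
{"name": "Network", "rulebase": [
  {"type": "access-section", "name": "Inbound", "rulebase": [
    {"type": "access-rule", "rule-number": 1, "name": "Web in",
     "hits": {"value": 1520}},
    {"type": "access-rule", "rule-number": 2, "name": "Legacy FTP",
     "hits": {"value": 0}}]},
  {"type": "access-rule", "rule-number": 3, "name": "Cleanup",
   "hits": {"value": 0}}]}
""")

def iter_rules(entries):
    """Yield access rules in policy order, descending into sections."""
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))
        elif entry.get("type") == "access-rule":
            yield entry

def hit_rows(reply, gateway):
    """One (policy, gateway, rule number, rule name, hits) row per rule."""
    rows = []
    for rule in iter_rules(reply.get("rulebase", [])):
        hits = rule.get("hits")
        if hits is None:
            # Missing hit data is not the same as zero hits: refuse to guess.
            raise ValueError("rule %r has no hit data; was show-hits set to true?"
                             % rule.get("name"))
        rows.append((reply.get("name"), gateway, rule["rule-number"],
                     rule.get("name", ""), hits.get("value", 0)))
    return rows

def zero_hit_rules(reply, gateway):
    """Rules with no hits in the queried window: cleanup candidates."""
    return [row for row in hit_rows(reply, gateway) if row[4] == 0]

def busiest_rules(reply, gateway):
    """Rules sorted by hit count, highest first: candidates to move up."""
    return sorted(hit_rows(reply, gateway), key=lambda row: row[4], reverse=True)

if __name__ == "__main__":
    for row in zero_hit_rules(SAMPLE, "corporate-gw"):
        print("%s\t%s\t%s\t%s\t%s" % row)
```

The command above returns at most 20 entries per call (limit 20), so each offset page and each hits-settings.target gateway needs its own call, with every reply passed through the same functions.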