topic Re: Getting top used rules via command line in Firewall and Security Management

Getting top used rules via command line

the_rock — Thu, 10 Nov 2022 13:59:34 GMT

Hey guys,

Apologies if this was answered before, but I remember while back, I always used to run command that would show me top 10 used rules on the firewall, but cant recall now what it was, as its been probably close to 10 years since I ran it. I know connstat, but thats only for windows. I also tried cpstat blades, but it does not show me anything there.

I think it was some sort of flag with fw tab, but IM not sure. If someone has an idea, would appreciate any feedback.

Tx as always!

Had a look at below, but not exactly what Im after:

https://community.checkpoint.com/t5/General-Topics/How-to-see-what-firewall-rules-match-some-traffic/td-p/18565

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/CLI/fw-ctl-conntab.htm

Re: Getting top used rules via command line

G_W_Albrecht — Thu, 10 Nov 2022 13:57:51 GMT

sk85780: How to use the 'connstat' utility

Re: Getting top used rules via command line

the_rock — Thu, 10 Nov 2022 14:01:57 GMT

Thanks G, but thats only for Windows, this command was done from the fw itself.

Andy

Re: Getting top used rules via command line

Danny — Thu, 10 Nov 2022 15:01:48 GMT

cpstat blades

# cpstat blades Packets accepted : 766249577 Packets dropped : 24321576 Peak number of connections: 19013 Number of connections: 5797 Top Rule Hits ----------------------- |rule index|rule count| ----------------------- |Rule 24 | 170186| |Rule 36 | 59828| |Rule 2 | 27792| |Rule 15 | 1234| |Rule 18 | 1026| -----------------------

Re: Getting top used rules via command line

the_rock — Thu, 10 Nov 2022 14:12:41 GMT

Weird...run it on vmware and actual 6000 series appliance, nothing.

Re: Getting top used rules via command line

Matlu — Thu, 10 Nov 2022 14:14:50 GMT

Hello,

This command must be applied on the GW?
Or is it on the SMS?

Greetings.

Re: Getting top used rules via command line

Matlu — Thu, 10 Nov 2022 14:21:38 GMT

I have run the command in a Standalone environment, which is on an OPEN SERVER, and I get no results either.

It is very strange. 😣

Re: Getting top used rules via command line

Danny — Thu, 10 Nov 2022 14:25:34 GMT

Gateway, of course.
On managements you can use this command:
psql_client monitoring postgres -c "select hits,rule_uid,netobj_name,policy_type from hitcount order by hits DESC"

Re: Getting top used rules via command line

the_rock — Thu, 10 Nov 2022 14:53:32 GMT

Its cloud instance, so no ssh access.

Re: Getting top used rules via command line

the_rock — Thu, 10 Nov 2022 14:55:45 GMT

Btw, that command shows me top 5 rules for one customer using 6200, but another using 6400, nothing...wonder why. Also, my lab fw, in esxi, shows nothing for top rules.

Re: Getting top used rules via command line

Danny — Thu, 10 Nov 2022 14:56:50 GMT

So your Management is Smart-1 Cloud and your gateways are on-prem?

Re: Getting top used rules via command line

the_rock — Thu, 10 Nov 2022 15:22:40 GMT

Correct, for the customer, but in my lab, its all on prem.

Re: Getting top used rules via command line

G_W_Albrecht — Thu, 10 Nov 2022 15:26:34 GMT

Was hit count enabled on all these ?

Re: Getting top used rules via command line

the_rock — Thu, 10 Nov 2022 15:38:52 GMT

Yes sir Gunther...as a matter of fact, enabled for the last 2 years, which is maximum.