topic Re: Delete rules without traffic R81.10 in Firewall and Security Management

Delete rules without traffic R81.10

Matlu — Thu, 05 Oct 2023 00:14:37 GMT

Hello, everyone.

Is there any accurate way to identify which rules are currently "no longer used" in GW?

I have a R81.10 console, but I have quite a few rules, in which I don't see HITS, but there are so many rules, and besides that, I'm not sure if the fact that a rule has no HITS, should make me assume that this rule can be removed.

Is there any way to validate which rules are the only ones currently "in use"?

Greetings.

Re: Delete rules without traffic R81.10

the_rock — Thu, 05 Oct 2023 00:23:34 GMT

I would say if rules show 0 hits, they are safe to remove. I found that in R81.10 and R81.20, those numbers are very accurate. From my extensive lab testing, I can confidently say that.

Andy

Re: Delete rules without traffic R81.10

Matlu — Thu, 05 Oct 2023 12:45:20 GMT

Hello,

By default the column 'Hits', how long is it that 'filters' that option? 1, 2, 3 months?

Is there a way to set this 'hits' value?

Greetings

Re: Delete rules without traffic R81.10

the_rock — Thu, 05 Oct 2023 12:48:06 GMT

See attached bro.

Andy

From global properties, 2 years is the highest value.

Re: Delete rules without traffic R81.10

PhoneBoy — Fri, 06 Oct 2023 16:15:33 GMT

You can retrieve the hit counts from API.
You can even make a decision to disable rules based on this information, similar to what this script does:
https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MDS-or-SMS/m-p/40005#M2562

Re: Delete rules without traffic R81.10

the_rock — Fri, 06 Oct 2023 16:24:50 GMT

Whats the command to show rules with 0 hits? I cant seem to find it in the API guide

Andy

Re: Delete rules without traffic R81.10

PhoneBoy — Mon, 09 Oct 2023 12:52:40 GMT

The API will only tell you how many hits a given Access Rule has gotten.
You can write a script (similar to what I pointed to) that pulls out the rules have zero hits.

Re: Delete rules without traffic R81.10

the_rock — Mon, 09 Oct 2023 13:15:07 GMT

Thats what I was trying to find in api guide, but could not. I searched for command that gives just the actual hits, but unable to locate one.

Andy

Re: Delete rules without traffic R81.10

Henrik_Noerr1 — Mon, 09 Oct 2023 13:33:20 GMT

Hey @the_rock ,

I highly disagree on this part 🙂 We have some 80.000 firewall rules across our install base,

and have started a massive project cleaning up some +40.000 that is suspected unused.

We have found it neccessary to query our log system for logs with uid for each unused rule found in Smart Console.

We see around 1.000 rules that actually show logs in our log system (or smartlog) but hitcounter is 0.

I am just warning you to not bulk delete rules. In critical environments, whis will quickly lead to incidents.

I have spent many hours in the postgres db analyzing the design of the hit counter. (it's really bad) when we built all the logic behind the firewall cleaning

edit: we run r81.10 take NEW'ish - But I found this issue to be true on all versions. Not on r81.20 yet, but I see the db design is the same.

/Henrik

Re: Delete rules without traffic R81.10

the_rock — Mon, 09 Oct 2023 13:34:20 GMT

K, thats fair. Im just speaking from my extensive testing in the lab and production as well, it was accurate 100% of the time.

But, everyone's experience is different, I suppose.

Andy

Re: Delete rules without traffic R81.10

Scott_Paisley — Mon, 09 Oct 2023 16:31:31 GMT

You can buy 3rd party firewall policy management tools that tell you 'last date hit' as well as how many hits.

We found a rule for TACACS access that has not been used for 2 years. Doesn't mean we don't need it, just that nobody logged into a particular set of switches in the last 2 years, which is probably good news.

Re: Delete rules without traffic R81.10

the_rock — Mon, 09 Oct 2023 18:49:26 GMT

Good to know...any specific tool you use/like?

Andy

Re: Delete rules without traffic R81.10

Scott_Paisley — Mon, 09 Oct 2023 18:52:41 GMT

Tufin

Re: Delete rules without traffic R81.10

the_rock — Mon, 09 Oct 2023 18:56:05 GMT

Never used it, but heard good things about it.

Re: Delete rules without traffic R81.10

Duane_Toler — Mon, 09 Oct 2023 19:05:05 GMT

export RANGE_AGO="6 months" export RANGE=$(echo ${RANGE_AGO}|sed 's/ //g') export FROM_DATE=$(date -d "${RANGE_AGO} ago" +"%Y-%m-%d") export TO_DATE=$(date +"%Y-%m-%d") export MGMT_CLI_FORMAT=json * MGMT_CLI locally on management server: mgmt_cli show-access-rulebase name Network package Standard show-hits true hits-settings.from-date ${FROM_DATE} hits-settings.to-date ${TO_DATE} use-object-dictionary false limit 350 > access_rules.last_${RANGE}.json * REST API: send this JSON body via 'curl' or whatever: { "name" : "Network", "show-hits" : true, "hits-settings" : { "from-date" : "'${FROM_DATE}'", "to-date" : "'${TO_DATE}'" }, "limit" : 350, "details-level" : "uid" }

Re: Delete rules without traffic R81.10

SomAustrianCity — Tue, 10 Oct 2023 08:58:46 GMT

Just a note, while in my experience the Hits counter is correct, also think about when the rule was last modified. For example, if a rule was created yesterday, it's likely to not have any hits today.

So i usually take that into account when looking through the rulebase (manually) in order to disable unused rules. My rule of thumb is that a rule has not been used for a year and not been modified in this time either.

Regards

Re: Delete rules without traffic R81.10

the_rock — Tue, 10 Oct 2023 10:09:51 GMT

That makes sense, for sure. I can also say, again, from myown extensive testing, that in R81.20, hit count seems to be better than before, meaning, gets updated faster and I find is totally accurate.

But again, as I said previously, everyone's experience varies.

Andy

Re: Delete rules without traffic R81.10

CP_Chris — Tue, 10 Oct 2023 15:56:16 GMT

I find that using the zero hits does not always paint a clear picture. What if the rule with zero hits is actually required, but there is another rule higher in the policy that is overly permissive? When I look at zero hit rules, I often will look for the source, destination, and service within the logs to determine if the traffic is allowed - or dropped - on a different rule. I then would review this other rule to determine if it is defined accurately, or if there is a need to modify it. If the other rule is defined correctly, but I need the zero hit rule for tracking purposes, then I will move the zero hit rule accordingly. Likewise, if the other rule is defined correctly, then I would delete the rule with zero hits.

If I don't find the traffic in logs, now I can be a bit more assured the rule may not be needed. I still feel there needs to be some additional thought put into it though. Do you have an asset database? I would look up the owner of the asset and ask the question why is there a rule? Maybe it is something that only gets used in the event of an emergency - document that! Maybe it is an asset that has been decommissioned - what wasn't the firewall team notified? Is there a business process that is broken, or maybe needs to be defined?

I think you can probably get the idea from here. Just because there are zero hits does not always mean the rule can be deleted. Most of the time it probably does, but always do your due diligence when you find these rules.

Re: Delete rules without traffic R81.10

the_rock — Tue, 10 Oct 2023 16:22:16 GMT

Those are all valid points, for sure.

Andy

Re: Delete rules without traffic R81.10

Matlu — Tue, 10 Oct 2023 17:33:20 GMT

Hello,

Is there a way to "export" in a report, all the rules that appear with "0 Hits" in our rule base?

In such a way, that a manual analysis can be done, in order to make a better decision on whether or not these rules should be deleted.

Greetings.