https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identify-shadow-rules/m-p/162822#M70346 <P>One common optimization tactic is to eliminate rules that have zero hit count.<BR />There is a script for that:&nbsp;<A href="https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MDS-or-SMS/m-p/40005" target="_blank">https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MDS-or-SMS/m-p/40005</A>&nbsp;</P> Tue, 22 Nov 2022 17:22:22 GMT PhoneBoy 2022-11-22T17:22:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identify-shadow-rules/m-p/162765#M70344 <P>Is there a way to identify the shadow or redundant rules? I have used Algosec with a different customer, with latest R81.x I heard that Algosec is not feasible because of the layers and zone based policies. There are few thousands of rules that need to be reconciled across multiple gateways and I need to know a way to do this effectively. Has anyone been in a similar situation and has a solution for this?</P><P>Thanks!</P> Tue, 22 Nov 2022 12:41:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identify-shadow-rules/m-p/162765#M70344 aharihara 2022-11-22T12:41:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identify-shadow-rules/m-p/162768#M70345 <P>SmartOptimize or other analysis leveraging the APIs seem like the most logical approach.</P> <P>sk161574 may also be relevant here.</P> Tue, 22 Nov 2022 12:51:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identify-shadow-rules/m-p/162768#M70345 Chris_Atkinson 2022-11-22T12:51:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identify-shadow-rules/m-p/162822#M70346 <P>One common optimization tactic is to eliminate rules that have zero hit count.<BR />There is a script for that:&nbsp;<A href="https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MDS-or-SMS/m-p/40005" target="_blank">https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MDS-or-SMS/m-p/40005</A>&nbsp;</P> Tue, 22 Nov 2022 17:22:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identify-shadow-rules/m-p/162822#M70346 PhoneBoy 2022-11-22T17:22:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identify-shadow-rules/m-p/162827#M70347 <P>I agree with the guys. I will tell you what I always do...is it best way to do this, probably not, but I find it useful. I simply export the rules in CSV format and then look for zero hits and also disabled rules.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18508i394E9A06F5C5A6F2/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_2.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18509iC8EEAEECBE487BD5/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_2.png" alt="Screenshot_2.png" /></span></P> <P> </P> Tue, 22 Nov 2022 17:31:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Identify-shadow-rules/m-p/162827#M70347 the_rock 2022-11-22T17:31:03Z