topic Re: Rule Analyzer without logging rules in Firewall and Security Management

Rule Analyzer without logging rules

MRossi92 — Thu, 06 Feb 2020 19:38:20 GMT

Hi Everyone.

Im looking for some specific applicattion that they works like a Rule Analyzer.

We have a 64000 Chassis and 1600 rules. All of them are not logging exept the "Clean UP" rule.

We found the following applications but we need to know which of those are the best with that scenary

1. Firemon

2. Tuffin

3. Algo Sec

4. Skybox

PD: Please remember that we are not loggin rules! So we need to find some application that works without that.

Thanks a lot!

Re: Rule Analyzer without logging rules

PhoneBoy — Fri, 07 Feb 2020 10:27:13 GMT

What specific insights add you looking for from such a tool?
Without logging your rules, about all you have to work with are hit counts…or possibly the logic of specific rules.

Re: Rule Analyzer without logging rules

MRossi92 — Fri, 07 Feb 2020 18:58:36 GMT

Thanks for reply.

Can you explain me how can i work with the "Hitcounts"?

We need some application that he can clean and optimize the security policy.

Re: Rule Analyzer without logging rules

PhoneBoy — Mon, 10 Feb 2020 02:19:21 GMT

Note that as a best practice, most of your rules should be logged.
The fact most of your rules are not logged is problematic for many reasons, including this specific exercise.

Regardless of whether you log a rule or not, every rule should log the number of hits against that rule.
It doesn't show by default in R80.x SmartConsole, but it's easy enough to see by right-clicking on the rule headers and ticking the box for hits:

If a rule has a low number of hits against it, that's a target for a rule that could potentially be removed.
In pre R80 releases for Check Point gateways, it was considered best practice to move rules that were hit a lot to the top of the rulebase to improve gateway performance.
With column-based matching added from R80.10, this is less needed, though there are still a few corner cases where it might help.

As far as potentially simplifying rulebase logic, that's something a tool or a human would have to address.
We also offer, via Check Point Professional Services, a service called SmartOptimize that can assist with this task as well.

Re: Rule Analyzer without logging rules

MRossi92 — Mon, 10 Feb 2020 13:25:25 GMT

I thought you were referring to another tool with the "hitcounts".

Thanks for the answer and from your time but its not a good solution for a Firewall with 1700 rules. We need something more easy to the day work.

Someone know something from those applications?

1. Firemon

2. Tuffin

3. Algo Sec

4. Skybox

Re: Rule Analyzer without logging rules

Daniel_Schlifka — Mon, 10 Feb 2020 18:53:05 GMT

You could use netflow with some netflow analyzer, but it costs performance on the gateways. Better be careful when using it on heavy load gateways.

Re: Rule Analyzer without logging rules

PhoneBoy — Tue, 11 Feb 2020 04:14:21 GMT

You still haven’t answered the question of what you hope to achieve by using one of these tools.
In any case, those tools are only as effective as the data they are fed.
Not having logs for the most part is a huge blind spot.

Re: Rule Analyzer without logging rules

PhoneBoy — Tue, 11 Feb 2020 04:17:14 GMT

Netflow will only tell you about active connections.
It won’t tell you anything about historical connections.
Perhaps over time the historical data can assist, but that still seems like a manual process.