topic Re: Log cleaning rule in API / CLI Discussion

Log cleaning rule

Nicolas_Boisse — Mon, 08 Jul 2019 12:32:02 GMT

One of the things that all firewall administrators should do is to create a log cleaning rule. As an example, a firewall connected to a windows networks will receive a lot of network broadcast. Those broadcast will be drop and log by default on the clean-up rule. In the long run, this results in a lost of disk space.

To remove those broadcast from the log file and save disk space, you should create a rule without log at the beginning of the rulebase:

The BROADCAST_GROUP should include all the broadcast address from all your gateways:

If you have multiple gateways, this task can become very long to do.

I've created a script to help you automate this task.

The script gets all the checkpoint gateway name and IP, connect to all of them and issue an ifconfig command then create a CSV template for the broadcast objects creation:

1- Gets gateway name and IP from the management API and creates a CSV file

2- Connect to each gateway from that CSV and issue ifconfig to get all the Broadcast address

3- Creates a CSV template with all the discovered Broadcast

4- Create and Import all broadcast objects into a group named BROADCAST_GROUP (API call)

You will automatically gets all the broadcast address from all your gateways into the groupe name BROADCAST_GROUP.

You can run the script either from the Smart Console or from SSH command line on the management server itself.

Happy Scripting

For the full list of White Papers, go here.

Re: Log cleaning rule

PhoneBoy — Fri, 01 Sep 2017 17:32:15 GMT

Nicolas, this is great!

Thanks for sharing.

Re: Log cleaning rule

Claudio_Bolcato — Wed, 13 Jun 2018 07:47:56 GMT

This script is really awesome!!!

I tried on my MDS and I had some problems but digging a little bit I found the issue.
mdsenv "domain" is mandatory in a multi domain environment. I added it as third line and added in all mgmt_cli commands -d "domain".

Thanks a lot

Re: Log cleaning rule

Robert_Decker — Wed, 13 Jun 2018 09:25:51 GMT

Great job Nicolas!

Just one comment - the show-simple-gateways command will return only first 50 gateways by default.

Robert.

Re: Log cleaning rule

Claudio_Bolcato — Wed, 13 Jun 2018 09:53:13 GMT

I added limit 500 to override this

Re: Log cleaning rule

ED — Thu, 28 Jun 2018 07:40:43 GMT

Will this rule affect a DHCP server running on Gaia gateways? When a newly connected host sends dchp-request to 255.255.255.255.

Re: Log cleaning rule

Burton_Peake — Tue, 07 Aug 2018 12:47:50 GMT

I would think you could still put a rule in place above the cleanup rule that specifically permits the DHCP required protocols (dhcp-request and dhcp-reply) without permitting all broadcast traffic.

Re: Log cleaning rule

Nicolas_Boisse — Thu, 09 Aug 2018 18:54:06 GMT

The stealth rule will block those requests anyway. If you run the DHCP server on your gateway, you will need to add rule before the Stealth rule.

Re: Log cleaning rule

Paul_Wetton — Wed, 15 May 2019 14:39:49 GMT

agreed but isn't there some debate about the destination or service being used in the "clean Up" rule which is what it was called previously. if you drop on the services it will drop a lot more than a destination per say. some clients don't like a clean up rule and wish to see everything!

Re: Log cleaning rule

Yury_Anoshyn — Thu, 09 Apr 2020 07:45:27 GMT

Hello,

could you show link to script ? may be something happened with my browser , but i not see any link to script.

Re: Log cleaning rule

Feridun_ÖZTOK — Thu, 30 Dec 2021 18:24:21 GMT

Hi dude,

Could you find script?