topic Re: Firewall - Automating Firewall Rule Cleanup Based on Usage in API / CLI Discussion

Firewall - Automating Firewall Rule Cleanup Based on Usage

HeikoAnkenbrand — Tue, 26 Aug 2025 17:06:22 GMT

The following one-liner identifies all rules with a hit count of 0 entries. Depending on your environment, you may need to adjust the policy name to ensure the command runs against the correct configuration.

You can store all rules with a hit count of 0 in a file (e.g. delete_rules.txt). This file can then be processed by a script to automatically remove the listed rules.

mgmt_cli -r true show access-rulebase offset 0 limit 20 name "Network" details-level "standard" show-hits "true" use-object-dictionary true --format json | jq '.rulebase[]| select(.hits.value==0) | {number:.["rule-number"], name:.name, uid:.uid}' > delete_rules.txt

You can use the file delete_rules.txt, which contains the list of rules with a hit count of 0, as input for an automated script. The script should read each line of the file (each line representing a rule), and then construct the appropriate delete command for that rule.

For security reasons,
I’m not sharing the one-liner for direct deletion, as it could easily cause serious damage to the policy.

This program writes the delete commands securely to an echo output; you can then remove the “echo” command in the one-liner and all rules will be deleted on the SMS 😉

jq -r '.uid' delete_rules.txt | while read uid; do echo mgmt_cli -r true delete access-rule uid "$uid" -s id.txt done

The id.txt file contains the status of the deletion action.

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

Bob_Zimmerman — Sun, 24 Aug 2025 18:40:31 GMT

Important notes: the one-liner above to find rules with no hits does not consider rules inside a section. It also does not consider the age of the rule. A brand new rule (or newly updated rule) which hasn't yet been tested would show up in the list of rules to be removed.

Here is a script which will get all of the rules including ones in sections:

[Expert@DallasSC]# mgmt_cli -f json -r true show access-rulebase name "Network" details-level full show-hits true use-object-dictionary true limit 500 offset 0 | jq -c '.rulebase[]|if has("rulebase") then .rulebase[] else . end|{uuid:.uid,hits:.hits.value,ruleNumber:."rule-number",ruleName:.name,lastModified:."meta-info"."last-modify-time".posix}' {"uuid":"7f2e8b2e-a444-4e78-ae30-2c353fcb1811","hits":5601804,"ruleNumber":1,"ruleName":"Sectionless","lastModified":1749511597766} {"uuid":"cfaeefa5-a96a-4ed8-8306-72e72d79f23d","hits":35332,"ruleNumber":2,"ruleName":"Management access","lastModified":1749511600777} {"uuid":"5dae513d-934d-4a47-b8af-1b5d6b201eb4","hits":0,"ruleNumber":3,"ruleName":"Bad browsing","lastModified":1749511601446} {"uuid":"c5b09864-5c5c-4775-b781-2287c56496b4","hits":0,"ruleNumber":4,"ruleName":null,"lastModified":1749511602850} {"uuid":"7da03051-74b7-4d2f-92ff-7af45d8a625b","hits":0,"ruleNumber":5,"ruleName":null,"lastModified":1749511603707} {"uuid":"21c0044c-f1a2-4fa7-bfb8-b19c0ca1dab1","hits":0,"ruleNumber":6,"ruleName":null,"lastModified":1749511604665} {"uuid":"7f54a07b-ec25-4ce3-a427-73dfa6affc54","hits":0,"ruleNumber":7,"ruleName":null,"lastModified":1749511605528} {"uuid":"26e693d5-360e-4ff6-a8f1-b3a33fd96a0f","hits":0,"ruleNumber":8,"ruleName":null,"lastModified":1749511606414} {"uuid":"5d7e798b-3df8-4c5b-bc49-dc8c0cde40aa","hits":0,"ruleNumber":9,"ruleName":null,"lastModified":1749511607238} {"uuid":"f873fabe-9d6d-41a5-8d63-0bb445ef141f","hits":0,"ruleNumber":10,"ruleName":null,"lastModified":1749511608131} {"uuid":"81f1116a-b8b2-43cc-b0ad-802b584bdca1","hits":0,"ruleNumber":11,"ruleName":null,"lastModified":1749511609027} {"uuid":"b7d2f494-631a-4a77-8480-d70297346aa5","hits":0,"ruleNumber":12,"ruleName":null,"lastModified":1749511609889} {"uuid":"e80c2af2-30d7-4077-a332-274218019762","hits":0,"ruleNumber":13,"ruleName":null,"lastModified":1749511610664} {"uuid":"267b45b0-efe5-47fc-83ec-b6b70335191a","hits":0,"ruleNumber":14,"ruleName":null,"lastModified":1749511612564} {"uuid":"4c7aa052-0077-4cdc-8444-71c886232ea5","hits":0,"ruleNumber":15,"ruleName":null,"lastModified":1749511613791} {"uuid":"04c0c300-4a22-47a1-9738-6bac10cf73f1","hits":0,"ruleNumber":16,"ruleName":null,"lastModified":1749511615241} {"uuid":"a2a5e904-b467-4eb0-82f1-862891c670d5","hits":0,"ruleNumber":17,"ruleName":null,"lastModified":1749511616156} {"uuid":"8e6adc3c-d8ff-472d-8daa-ad7055319ed4","hits":0,"ruleNumber":18,"ruleName":null,"lastModified":1749511617077} {"uuid":"95b4133d-bb45-4d2a-9778-ae824819f033","hits":0,"ruleNumber":19,"ruleName":null,"lastModified":1749511617998} {"uuid":"817d4149-bbb7-4dc0-8ba6-c11b8b9aad02","hits":0,"ruleNumber":20,"ruleName":null,"lastModified":1749511618889} {"uuid":"7fa553a0-f199-48b8-83eb-b62799e5193d","hits":0,"ruleNumber":21,"ruleName":null,"lastModified":1749511619723} {"uuid":"4b48e412-21e4-46a3-b8e4-9cda96664e56","hits":0,"ruleNumber":22,"ruleName":null,"lastModified":1749511620605} {"uuid":"d4d3f951-09c1-42b2-a38c-d3390fde56ab","hits":0,"ruleNumber":23,"ruleName":null,"lastModified":1749511621484} {"uuid":"35055d5e-86da-443c-8719-2f85a4271d43","hits":0,"ruleNumber":24,"ruleName":null,"lastModified":1749511622364} {"uuid":"59571bb0-b18f-4869-b19f-ebb3c8f51721","hits":0,"ruleNumber":25,"ruleName":null,"lastModified":1749511623204} {"uuid":"5a3d81d2-85bf-457d-a546-65c0b97e8602","hits":0,"ruleNumber":26,"ruleName":null,"lastModified":1749511624010} {"uuid":"c3ea60ca-99e1-4d46-a48f-2f664c8eda68","hits":0,"ruleNumber":27,"ruleName":null,"lastModified":1749511625185} {"uuid":"d6ce82b3-9c3b-4819-98b8-69146ee21f8f","hits":0,"ruleNumber":28,"ruleName":null,"lastModified":1749511626879} {"uuid":"91bec9e7-6df4-4d0f-8563-eb5f600c14fb","hits":9393231,"ruleNumber":29,"ruleName":null,"lastModified":1749511628953}

Here's a version to get rules older than 370 days and with 0 hits:

mgmt_cli -f json -r true show access-rulebase name "Network" details-level full show-hits true use-object-dictionary true limit 500 offset 0 | jq -c '.rulebase[]|if has("rulebase") then .rulebase[] else . end|{uuid:.uid,hits:.hits.value,ruleNumber:."rule-number",ruleName:.name,lastModified:."meta-info"."last-modify-time".posix}' | jq -c "select(.lastModified < $(date --date='-370 days' +'%s000'))|select(.hits == 0)"

In both cases, if you have more than 500 rules, you'll have to run it multiple times adjusting the offset value to get all of the rules. You will probably also need to adjust the access layer name ("Network" above).

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

HeikoAnkenbrand — Tue, 26 Aug 2025 17:17:08 GMT

@Bob_Zimmerman
Thanks for the good tip with the date of the old rules!

Technically, your statement is completely correct.

I had to smile a bit at the suggestion to run it multiple times if there are more than 500 entries. If someone really needs to delete more than 500 unused firewall rules, they should probably reconsider their security policy in the first place 😉

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

the_rock — Tue, 26 Aug 2025 17:27:54 GMT

That is SUPERB. Just ran it in my lab and it showed exact rules with 0 hits...amazing.

Andy

[Expert@CP-MANAGEMENT:0]# more delete_rules.txt
{
"number": 1,
"name": "ica mgmt tool rule",
"uid": "be01a1e1-e4ff-4463-84f3-1c7865978735"
}
{
"number": 2,
"name": "Network feed block",
"uid": "e5a96a3d-8296-4eb5-87f6-6813026ee843"
}
{
"number": 12,
"name": "stealth rule",
"uid": "1061f0d8-516f-4af3-b388-74ba735f5e44"
}
[Expert@CP-MANAGEMENT:0]#

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

Bob_Zimmerman — Tue, 26 Aug 2025 19:16:56 GMT

Most of my policies are 3000+ rules with ~30% unused rules scattered throughout (stuff which got decommissioned without telling the firewall team, unnecessarily bidirectional rules, etc.). 😉 Cleanup is a headache.

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

the_rock — Tue, 26 Aug 2025 19:47:04 GMT

3000+ rules? Why so many? : - )

Andy

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

JozkoMrkvicka — Tue, 26 Aug 2025 20:56:26 GMT

Back in good old times (before R8x), there was SmartDashboard feature build in by default where you were able to filter all 0 hits or disabled rules directly in rulebase 🙂 Someone just decided that such a great feature is not going to be integrated into SmartConsole, even in latest R82 version.

There is also Show Package Tool which can export rulebase with hit count data once -c parameter is set.

Or just use Export option directly in SmartConsole which exports hit count by default:

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

the_rock — Tue, 26 Aug 2025 21:12:31 GMT

It still bugs me why that feature was removed...it was so useful.

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

Bob_Zimmerman — Tue, 26 Aug 2025 22:49:07 GMT

Interior firewalls (tons of application-to-application rules)
Which are a decade or more old (lots of time to build up old cruft)
With a change control process which makes adding easy and removing difficult

My biggest access layer is a bit over 13,000 rules.

It's a long story, but now that we have dealt with other, higher-priority issues (like getting rid of R67, upgrading all the firewalls to R81.20 on a reasonably current jumbo, and so on), we can spend some time cleaning stuff up. I've deleted over 60,000 unused objects so far this year without even touching duplicate objects (one CMA has NINE different objects for 10.0.0.0/8, all used in different places after automated migrations from other vendors).

This is why I'm so pleased with CDT. It has made upgrades and updates simple and repeatable, freeing time to spend on cleanup.

And why I like Where Used > Replace so much. Now, when things are decommissioned, we replace them with None. Rules trend towards an empty source or destination, then they get disabled, and we have a process which cleans up rules which have been disabled for a while.

It's also why I put so much effort into my onEachFirewall script and my cluster member config diff script. The cluster members had so many little (and not-so-little) differences, like a route existing on one member but not another. The diff script warns us about problems like that before a failover leads to a partial outage. The onEachFirewall script lets me quickly do things like check whether all of the firewalls can actually reach their NTP servers, or dump all of the interfaces across the environment to see if any are accidentally at 100M.

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

the_rock — Tue, 26 Aug 2025 23:10:27 GMT

13000 rules?! My only comment = no comment :=)

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

Daniel_Kuhl1 — Wed, 27 Aug 2025 09:05:16 GMT

SmartOptimize offered by Check Point PS can help with rulebase cleanups. But I guess you guys are aware of it. 😊

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

the_rock — Wed, 27 Aug 2025 10:20:30 GMT

Its very good tool!

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

Bob_Zimmerman — Wed, 27 Aug 2025 14:56:49 GMT

I'm aware of SmartOptimize, and I regret every time we have paid for PS to run it for us. Every single time, it has reduced the rule count, but absolutely wrecked the maintainability of the policy. As an example, one started with 40 rules each allowing clients to one or two web services with a ticket covering that access. SmartOptimize turned those into one rule allowing clients to 40+ web services with a name which no longer makes sense, and an incomprehensible jumble of tickets in the comments. The problem was only noticed months later when auditors selected a rule which had been modified like that and asked us to prove everything in it had gone through the proper change control process.

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

Tomer_Noy — Thu, 28 Aug 2025 07:15:01 GMT

The feature is coming back 😁

It's in the latest R82 JHF (not yet recommended take).

@Tal_Ben_Bassat wrote a great highlight post recently that included this:
https://community.checkpoint.com/t5/Management/This-Month-s-Spotlight-4-Features-You-Should-Start-Using-Today/m-p/254938

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

genisis__ — Fri, 29 Aug 2025 10:57:03 GMT

We looked at this, however from what I could see majority of what it does could be scripted. A major thing that we where hoping that it did (and it does not), is to interrogate active rules to determine what is actually in use.
From what we can see, AlgoSec or Tuffin are going to be a better option for the cost.

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

genisis__ — Thu, 28 Aug 2025 07:52:47 GMT

One thing I've mentioned in Checkmates (I think), is the ability to not only identify the zero hit rules but to also export these (together with the UID) into html format that could be presented to client.
You know this anyway as I've provided you my feeble attempt at this 🙂

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

Tomer_Noy — Thu, 28 Aug 2025 08:44:28 GMT

Worth mentioning that looking at active (hit) rules to see what in the rule is actually being used (hitcount per object) is something that Policy Insights does very well. It's a new Management blade that is built directly into the Management and SmartConsole.

It's definitely worth evaluating it if you are considering one of the partners just for the use-case of cleaning up or tightening your rulebase.

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

the_rock — Thu, 28 Aug 2025 12:01:47 GMT

Wait a second...what caught my eye in your screenshot is why layer shows automatic...isnt this ONLY available if you enable playblocks? Because if I try this in my R82 labs with latest jumbo, it never comes up 🙂

Andy

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

Tomer_Noy — Thu, 28 Aug 2025 12:42:47 GMT

It's not dependent on Playblocks. It's just an example in the screenshot.

You do need the latest JHF - R82 take 36 or above. Note that the recommended take is still 34, so should be recommended soon.

You might also need an updated SmartConsole.

Re: Firewall - Automating Firewall Rule Cleanup Based on Usage

the_rock — Thu, 28 Aug 2025 12:46:03 GMT

I have latest smart console and everything is on R82 jumbo 36 in the lab, but that option never comes up when I search for hits. Maybe something else has to be enabled?

Andy