topic show rule-hits with duplicated id rules in Spark Firewall (SMB)

show rule-hits with duplicated id rules

LuisSP — Tue, 14 Apr 2020 05:40:33 GMT

Hi everyone. I've SMB 1490 appliance with r77.20,87 Build 966.

When I run

my.firewall> show rule-hits

I get

Top Rule Hits
-------------
Rule Number Rule Hits
13 332620
6 283579
13 220694
6 69117
6 68935
13 65383
13 59987
6 50980
18 30623
5 26940
18 15382
5 13210
15 13197
15 10944
0 5905
0 5892
.....

Why do rules id appear more than once? (13, 6, 18, 15, 0 ...)
Why does rule 0 appear? What does this rule id refer to?

Re: show rule-hits with duplicated id rules

Maarten_Sjouw — Tue, 14 Apr 2020 06:27:56 GMT

Sorry, no inline on SMB

Is this unit locally or centrally managed?
Rule number 0 is for implied rules.

Re: show rule-hits with duplicated id rules

LuisSP — Tue, 14 Apr 2020 06:31:41 GMT

Thaks for you reply, but I don't have inline layers. It's SMB 1490 locally managed without capacity to such layers.

Concern rule number 0, how do I can to know what implied rules (configuration) is matching for?

Re: show rule-hits with duplicated id rules

Maarten_Sjouw — Tue, 14 Apr 2020 20:50:20 GMT

The rule 0 hits are most probably the hits for management ports (however you normally would not see these in logs) and also things like VPN setup and authentication. Things that are allowed but does not have a rule for it.

Re: show rule-hits with duplicated id rules

PhoneBoy — Tue, 14 Apr 2020 22:27:23 GMT

From what I've been able to see in TAC cases, multiple instances of a rule may refer to the different rulebases in SMB (inbound versus outbound).
Unfortunately, the platform doesn't provide a way to differentiate the hit counts currently.

Re: show rule-hits with duplicated id rules

LuisSP — Wed, 15 Apr 2020 20:01:26 GMT

Well, in fact some rules appear 4 times. It is unfortunate that I cannot have the visibility in this regard, to improve the order of the rules and with it the performance.

I appreciate your comments, thanks.