Disable/Delete Rules with a Zero Hit Count (MDS or SMS)


**v3 and above now allows you to pick a specific access layer** 

**v4 added new functions thanks to user feedback. Now has the ability to navigate around section title headers and to handle of any size**

**v5: with a lot of work by Vincent Bacher, he determined that some larger policies need a time specified to search. This version added in a 6 month limit on hits prior to the day you run it (Today - 6Months.)**

**v6 combined MDS & SMS into a single script. Added the ability to disable or delete rules based on UID or NAME. The disable script will add a comment 'Disabled by Zero Hits'.**

This is a simple shell script that will allow you to parse a specific rulebase for rules with a ZERO hit count. The results will be output into a single file of mgmt_cli commands to disable or delete those rules.

The script is set up to run on the Mgmt station itself and uses the 'mgmt_cli -r true' function and the -d DOMAIN flag to support SMS and MDS in a single script.

It is highly recommended to run the 'DISABLE' version prior to running a 'DELETE'; it will treat it as a staging for full deletion.

How to Use

  • Move script to the management station
  • ./cleanup-zero-hits.sh
  • Enter IP address of SMS or CMA you wish to check
  • Follow remaining prompts for options
    • uid or name
      • The script will ask if you want to export with uid or name. UID is more accurate as it does not change with position. This will prevent a situation where another admin is adding/removing rules from the rulebase before you are able to run the output file.

You can take the delete/disable command file and run it.

  • chmod 755 Output-Filename.txt
  • ./Output-Filename.txt

Original files on github: GitHub - cpmidsouth/Delete-or-Disable-Zero-Hit-Rules: This script is designed to search a specifed r... 

NOTE: If you use inline layers within the rulebase you will need to search those as a separate layer. This script is not effective in a rulebase where there are multiple targets within the same rulebase. I am working on that one. Thanks to Vincent Bacher for being my QA and spending way too much time testing with me.

Feedback welcome; this was a simple project that came out of a client request.

35 Replies

Found it; There are two .rulebase[] arrays. The full query should be;

mgmt_cli -r true show access-rulebase name "Internet Network" show-hits true use-object-dictionary true limit 50 -d Internet -f json | jq -r '.rulebase[] | .rulebase[] | select(.hits.value == 0) | ."rule-number"'

I'll email you the return.
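As an added example (not the script from the original post or the GitHub project), here is the core of the zero-hit search in Python: it walks the nested structure the jq query above exposes (section headers carrying their own .rulebase[] arrays), skips rules with no hit data instead of treating them as zero, and emits the uid- or name-based disable/delete lines the post describes. The JSON sample is constructed for illustration; only the field names it shares with the page (rulebase, hits.value, rule-number, uid, name) are taken from it.

```python
import json

# Constructed sample, not real API output. It mirrors the shape implied by
# the jq query '.rulebase[] | .rulebase[] | select(.hits.value == 0)': the
# outer "rulebase" list holds section headers, each with a nested "rulebase"
# list of rules; a rule can also sit at the top level with no section.
SAMPLE_RULEBASE_JSON = json.dumps({"rulebase": [
    {"type": "access-section", "name": "Inbound", "rulebase": [
        {"uid": "11111111-aaaa", "name": "Allow DNS", "rule-number": 1, "hits": {"value": 0}},
        {"uid": "22222222-bbbb", "name": "Allow Web", "rule-number": 2, "hits": {"value": 1532}},
    ]},
    {"type": "access-section", "name": "Outbound", "rulebase": [
        {"uid": "33333333-cccc", "name": "Old VPN", "rule-number": 3, "hits": {"value": 0}},
        {"uid": "44444444-dddd", "name": "No hit data", "rule-number": 4},
    ]},
    {"uid": "55555555-eeee", "name": "Catch-all", "rule-number": 5, "hits": {"value": 0}},
]})

def walk_rules(entries):
    """Yield every rule, descending into section headers (entries with a nested 'rulebase')."""
    for entry in entries:
        if "rulebase" in entry:
            yield from walk_rules(entry["rulebase"])
        else:
            yield entry

def zero_hit_rules(rulebase_json):
    """Return rules whose hit count is exactly 0. A rule with missing hit data
    (the 'null' seen in the seq error further down the thread) is kept, never
    treated as zero, so unknown usage can't trigger a disable or delete."""
    return [r for r in walk_rules(json.loads(rulebase_json)["rulebase"])
            if (r.get("hits") or {}).get("value") == 0]

def build_commands(rulebase_json, layer, domain, action="disable", key="uid"):
    """Emit one mgmt_cli line per zero-hit rule, in the style the post's output file uses."""
    if action not in ("disable", "delete") or key not in ("uid", "name"):
        raise ValueError("action must be disable|delete, key must be uid|name")
    lines = []
    for rule in zero_hit_rules(rulebase_json):
        ident = f'{key} "{rule[key]}"'  # uid survives reordering by another admin; a name may not
        if action == "disable":
            lines.append(f'mgmt_cli -r true set access-rule {ident} layer "{layer}" '
                         f'enabled false comments "Disabled by Zero Hits" -d "{domain}"')
        else:
            lines.append(f'mgmt_cli -r true delete access-rule {ident} layer "{layer}" -d "{domain}"')
    return lines

if __name__ == "__main__":
    for line in build_commands(SAMPLE_RULEBASE_JSON, "Internet Network", "Internet"):
        print(line)
```

Run the disable output first and review the commented rules before generating the delete file, as the post recommends.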

Participant

I have a stupid question simply based on looking at the code, but I think I figured it out... (as I typed this out)

How do I run the output file to disable the rules?  Isn't the output missing the Policy name to run it against?

For example:

set access-rule rule-number 10 enabled false layer


I am assuming I missed it in the code where the layer is actually also added to the output....

set access-rule rule-number 10 enabled false layer Mypolicy

Collaborator
Hi,

something is going wrong...

[Expert@SMS:0]# ./cleanup-zero-hits.sh
This script will search a specific policy package for rules with a ZERO hit count.
Use with caution for deleting rules..
If for any reason you make a typo and need to exit use CTRL+C.
Press ENTER to continue

What is the IP address or Name of the Domain or SMS you want to check?
xxx.xxx.xxx.xxx

Listing Access Policy Package Names


parse error: Invalid numeric literal at line 1, column 12


Can you help?
Participant

Hello Adam,

this is Vincent using my new account here as my old one is currently inaccessible after mail domain migration of my company.

I am wondering if you are still working on this script, because I am thinking about what happens when using it on a policy containing shared layers. I have not tried it yet; first I wanted to ask if you or anybody else already did so. 🙂

best regards
Vincent

Participant

Hello Adam,

can you add a version of the script which can do a cleanup based on the comment on a rule?

Example: Expire: 2020-07-30

The script should match the expiry of each rule, disable the rule after its expiry, and delete the rule 30 days after the disable time.

Explorer

Hello guys!

When I try to run the script, the following error appears:

Do you want to output disable commands or delete commands?[disable/delete]
disable

Do you want to export using Rule Number or UID?
Rule Number will allow for more manual checking but UID
is more accurate if another admin could potentially be editing a policy
Please enter uid or name. [uid/name]
uid

Does Your Policy Contain Section Title Headers?[y/n]
y

Creating Disable Scripts. This may take a minute depending on Rulebase size.
seq: invalid floating point argument: null
Try 'seq --help' for more information.
sed: can't read cdf31-cdf32-Fidelity-tmp.txt: No such file or directory

Can someone help me, please?