Awesome. Also I'm glad that you managed to workaround a customer's request by yourself. Imagine what you had to do if we didn't have this

Tomer, I've now updated it to list out the Access Layers and allow the users to pick instead of just assuming the addition of Network. This should allow it to work for all packages upgraded or not.

Great job!

Hi Adam,

nice useful script, good job.

One question:

I have just tested the script but unfortunately get no result, that means the utput file is empty.

Started the script:

./delete-zero-hits-rulenumber-v3.sh
This script will search a specific policy package for rules with a ZERO hit count.
Use with caution for deleting rules..
If for any reason you make a typo and need to exit use CTRL+C.
Press ENTER  to continue
Listing Access Policy Package Names.
Applications
************-FW-POLICY Network
What is the Policy Package Name?

I tried the policy Name with or without "Network"

************-FW-POLICY Network

************-FW-POLICY

With or without quotation marks. Output file is always empty. Hopefully i find some time to have a look into the script and at the mgmt_cli commands.
Cheers

Vincent

Interesting Vincent. Is it possible you don't have rules with a zero hit count? This is tested on 80.10.

I'm going to have you run the raw command to look for the output;

mgmt_cli -r true show access-rulebase name "************-FW-POLICY Network" details-level "standard" use-object-dictionary true show-hits true --format json | jq --raw-output '.rulebase[] | select(.hits.value == 0)'

See what that outputs. If it's nothing then run this;

mgmt_cli -r true show access-rulebase name "************-FW-POLICY Network" details-level "standard" use-object-dictionary true show-hits true --format json | jq --raw-output '.rulebase[]'

Then look for the output of each rule and the hits value;  which should look like the below (I formatted the text you would look for)

"rule-number": 1,

  "track": {

    "type": "598ead32-aa42-4615-90ed-f51a5928d41d",

    "per-session": false,

    "per-connection": true,

    "accounting": false,

    "alert": "none"

  },

  "source": [

    "97aeb369-9aea-11d5-bd16-0090272ccb30"

  ],

  "source-negate": false,

  "destination": [

    "97aeb369-9aea-11d5-bd16-0090272ccb30"

  ],

  "destination-negate": false,

  "service": [

    "97aeb470-9aea-11d5-bd16-0090272ccb30"

  ],

  "service-negate": false,

  "vpn": [

    "97aeb369-9aea-11d5-bd16-0090272ccb30"

  ],

  "action": "6c488338-8eec-4103-ad21-cd461ac2c472",

  "action-settings": {

    "enable-identity-captive-portal": false

  },

  "content": [

    "97aeb369-9aea-11d5-bd16-0090272ccb30"

  ],

  "content-negate": false,

  "content-direction": "any",

  "time": [

    "97aeb369-9aea-11d5-bd16-0090272ccb30"

  ],

  "hits": {

    "percentage": "1%",

    "level": "low",

    "value": 24946,

    "first-date": {

      "posix": 1518945364000,

      "iso-8601": "2018-02-18T03:16-0600"

    },

    "last-date": {

      "posix": 1527527490000,

      "iso-8601": "2018-05-28T12:11-0500"

    }

  },

  "custom-fields": {

    "field-1": "",

    "field-2": "",

    "field-3": ""

  },

  "meta-info": {

    "lock": "unlocked",

    "validation-state": "ok",

    "last-modify-time": {

      "posix": 1497028032827,

      "iso-8601": "2017-06-09T12:07-0500"

    },

    "last-modifier": "admin",

    "creation-time": {

      "posix": 1497028010878,

      "iso-8601": "2017-06-09T12:06-0500"

    },

    "creator": "admin"

  },

  "comments": "",

  "enabled": true,

  "install-on": [

    "6c488338-8eec-4103-ad21-cd461ac2c476"

  ]

}

{

  "uid": "b11cd15c-f55b-4450-8f96-09ccda45f1bc",

  "type": "access-rule",

  "domain": {

    "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",

    "name": "SMC User",

    "domain-type": "domain"

  },

Hi Adam, 

in fact I have rules with zero hitcount. Did not have time yet to try running the raw commands, will do that tomorrow.

Cheers 

Vincent 

Sounds good. I’ll be interested to see. I’m going to send you my check Point email as well so we can work offline and report back

I had another thought... run the UID version of the script and check it’s output as well. 

Did not receive your mail 😉

Just ran the commands you suggested manually:

# mgmt_cli -r true show access-rulebase name "*******-INT-FW-POLICY Network" details-level "standard" use-object-dictionary true show-hits true --format json | jq --raw-output '.rulebase[] | select(.hits.value == 0)'

--> nothing

running:

mgmt_cli -r true show access-rulebase name "********-INT-FW-POLICY Network" details-level "standard" use-object-dictionary true show-hits true --format json | jq --raw-output '.rulebase[]'

Shows a list of round about 50 no-hits rules. Should be correct amount.

So question is why select(.hits.value == 0)' has no match

Empty as well.

Wanted to drop a note here as well for anyone following along. Vincent's testing helped me determine a few things that I did not test in my lab;

1. The original script was not setup to handle section title headers. *RESOLVED*

2. I was unaware of a the default limit of "50" being used. This was causing the script to only search the first 50 rules of a rulebase. This was not an issue in my lab as I was only testing with 25. I've since expanded the script to determine the rule count and to loop until it searches all rules. *RESOLVED*

3. The script does not take into account a rulebase that has multiple targets in it. *WORKING TOWARDS RESOLUTION*

Tomer Sole

if you want to be extra awesome you can try multi-domain policies...

Like this? https://community.checkpoint.com/docs/DOC-2813 

Now im still working on updating that one to take the limit into account. Should be done tonight or tomorrow. 

Hi Adam,

please take a look at our Management API Python SDK on GitHub - 

https://github.com/CheckPointSW/cp_mgmt_api_python_sdk/blob/master/lib/mgmt_api.py

and go the the method called "api_query" on line 318.

this method shows how to query ALL objects, bypassing 50 objects limit.

Robert.

Hello

Its possible change the action of this script from DELETE HitCount zero Rule to DISABLE RULE ? And Put one comment to identification of rule after script execution ?

Thank you 

Thanks Robert. I’ll be honest I do t speak python all that well, I’m an old basher. 🙂 but I do need to expand and learn it. 

I was able to achieve the limit in bash by doing a total then setting my limit to 500 but looping the offset in a seq with it incrementing by 500 until it hits $total. 

Luciano Miguel‌ sure can. Sorry for posting it here fully but I’m traveling and did this from my cell phone and couldn’t upload a file. Was able to test on my sms and confirmed it worked out just fine. Just copy and paste the below. It will make it where you can disable the rules and adds a Comment that says “disabled by API Zero Hits

today="$(date +%Y-%m-%d)"

from="$(date --date="6 months ago" +%Y-%m-%d)"

timestamp="$(date +%Y-%m-%d-%H-%M-%S)"

printf  "This script will search a specific policy package for rules with a ZERO hit count.\nUse with caution for deleting rules..\nIf for any reason you make a typo and need to exit use CTRL+C.\nPress ENTER  to continue"

read ANYKEY

printf "\nListing Access Policy Package Names\n"

mgmt_cli -r true show access-layers limit 500 --format json | jq --raw-output '."access-layers"[] | (.name)'

printf "\nWhat is the Policy Package Name?\n"

read POL_NAME

POL2=$(echo $POL_NAME | tr -d ' ')

printf "\nDetermining Rulesbase Size\n"

total=$(mgmt_cli -r true show access-rulebase name "$POL_NAME" --format json |jq '.total')

printf "There are $total rules in $POL_NAME\n"

printf "\nDoes Your Policy Contain Section Title Headers?[y/n]\n"

read SECHEAD

if [ "$SECHEAD" = "y" ]; then

printf "\nCreating Deletion Scripts. This may take a minute depending on Rulebase size.\n"

for I in $(seq 0 500 $total)

do

 mgmt_cli -r true show access-rulebase name "$POL_NAME" details-level "standard" offset $I limit 500 use-object-dictionary true show-hits true hits-settings.from-date $from hits-settings.to-date $today --format json | jq --raw-output --arg RBN "$POL_NAME" '.rulebase[] | .rulebase[] | select(.hits.value == 0) | ("mgmt_cli -r true set access-rule uid  " + (.uid|tostring) + " enabled false layer")' >> $POL2-tmp.txt

done

elif [ "$SECHEAD" = "n" ]; then

printf "\nCreating Deletion Scripts. This may take a minute depending on Rulebase size.\n"

for I in $(seq 0 500 $total)

do

 mgmt_cli -r true show access-rulebase name "$POL_NAME" details-level "standard" offset $I limit 500 use-object-dictionary true show-hits true hits-settings.from-date $from hits-settings.to-date $today --format json | jq --raw-output --arg RBN "$POL_NAME" '.rulebase[] | select(.hits.value == 0) | ("mgmt_cli -r true set access-rule uid " + (.uid|tostring) + " enabled false layer")' >> $POL2-tmp.txt

done

fi

sed "s,$, '$POL_NAME' comments ‘disabled by API Zero Hit’," $POL2-tmp.txt > $POL2-delete-unused.txt; rm *tmp.txt

printf "\nDelete commands for zero hit count rules are now located in $POL2-delete-unused.txt\n"

Watch out for weird returns when you copy and paste. 🙂 cheers!

Adam Thank you , I will test .

Thank you. Great work!

Hi Adam,

Could you explain me this syntax? 

"mgmt_cli -r true set access-rule uid " + (.uid|tostring) + " enabled false layer"

Is this disable the rule?

Thank you for your support. 

Simon,

thanks for the message. Yes the "enabled false" is to disable. the rest is built around building a full command with jq

I am not sure if the thread is too old. But I am running into thesame issue that select(.hits.value == 0) returns nothing while it actually supposed to have 31 rules with zero hit count. Here is my situation. The following command returns 31,

mgmt_cli -r true show access-rulebase name "Internet Network" show-hits true use-object-dictionary true limit 50 offset 0 -d Internet -f json | jq -r '.rulebase[] ' |grep "\"value\": 0" | wc –l

while this command returns nothing.

mgmt_cli -r true show access-rulebase name "Internet Network" show-hits true use-object-dictionary true limit 50 -d Internet -f json | jq -r '.rulebase[] | select(.hits.value == 0) '

Any idea?