**v3 and above now allows you to pick a specific access layer.**
**v4 added new functions thanks to user feedback. It can now navigate around section title headers and handle rulebases of any size.**
**v5: with a lot of work by Vincent Bacher, he determined that some larger policies need a time window specified to search. This version adds a 6-month limit on hits prior to the day you run it (Today - 6 Months).**
**v6 combined MDS & SMS into a single script. Added the ability to disable or delete rules based on UID or NAME. The disable script will add a comment 'Disabled by Zero Hits'.**
This is a simple shell script that parses a specific rulebase for rules with a ZERO hit count. The results are written to a single file of mgmt_cli commands to disable or delete those rules.
The script is set up to run on the Mgmt station itself, uses 'mgmt_cli -r true' (root login, so no credentials are prompted for), and uses the -d DOMAIN flag to support SMS and MDS in a single script.
It is highly recommended to run the 'DISABLE' version prior to running a 'DELETE'; treat the disable pass as staging for full deletion.
You can take the delete/disable command file and run it.
Original files on github: GitHub - cpmidsouth/Delete-or-Disable-Zero-Hit-Rules: This script is designed to search a specified r...
NOTE: If you use inline layers within the rulebase you will need to search those as a separate layer. This script is not effective in a rulebase where multiple targets exist within the same rulebase. I am working on that one. Thanks to Vincent Bacher for being my QA and spending way too much time testing with me.
Feedback welcome; this was a simple project that came out of a client request.
Can you send me an email with your raw json? aforeste@checkpoint.com
I'll take a look at it and see what's up.
Sent. Thanks.
Found it; there are two .rulebase[] arrays. The full query should be:

```shell
mgmt_cli -r true show access-rulebase name "Internet Network" show-hits true use-object-dictionary true limit 50 -d Internet -f json | jq -r '.rulebase[] | .rulebase[] | select(.hits.value == 0) | ."rule-number"'
```
I'll email you the return.
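As an added illustration of the logic the post describes (not the script's own code): walk a `show access-rulebase ... show-hits true` reply, descend into section headers where rules sit in a nested `rulebase[]` (the point made in the reply above), pick rules whose hit count is zero, and emit `mgmt_cli` disable or delete lines that carry the layer name, the domain and the 'Disabled by Zero Hits' comment. The JSON reply is constructed sample data; `hits-settings.from-date` as the way to express the 6-month window, and 30-day months, are my assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample of a `show access-rulebase ... show-hits true` reply,
# trimmed to the fields used here. A section header nests its own rulebase[],
# which is why a flat .rulebase[] scan misses rules.
SAMPLE_REPLY = json.loads("""
{"name": "Internet Network", "rulebase": [
  {"type": "access-rule", "uid": "uid-0001", "name": "Allow DNS", "rule-number": 1,
   "hits": {"value": 9431}},
  {"type": "access-section", "name": "Legacy", "rulebase": [
    {"type": "access-rule", "uid": "uid-0002", "name": "Old FTP", "rule-number": 2,
     "hits": {"value": 0}},
    {"type": "access-rule", "uid": "uid-0003", "name": "Partner VPN", "rule-number": 3,
     "hits": {"value": 17}}]},
  {"type": "access-rule", "uid": "uid-0004", "name": "Cleanup", "rule-number": 4,
   "hits": {"value": 0}}]}
""")

def hits_query(layer, domain, today=None, months=6):
    """Query to collect hits; from-date bounds the window (assumed 30-day months)."""
    today = today or date.today()
    from_date = (today - timedelta(days=30 * months)).isoformat()
    return (f'mgmt_cli -r true show access-rulebase name "{layer}" show-hits true '
            f'use-object-dictionary true limit 50 hits-settings.from-date "{from_date}" '
            f'-d "{domain}" -f json')

def zero_hit_rules(reply):
    """Return rules with hits.value == 0, including rules nested in sections."""
    found = []
    for item in reply.get("rulebase", []):
        if item.get("type") == "access-section":
            found.extend(zero_hit_rules(item))  # recurse into the section header
        elif item.get("type") == "access-rule" and item.get("hits", {}).get("value") == 0:
            found.append(item)
    return found

def build_commands(reply, domain, action="disable"):
    """One mgmt_cli line per zero-hit rule; disable is the staging step before delete."""
    layer, lines = reply["name"], []
    for rule in zero_hit_rules(reply):
        if action == "disable":
            lines.append(f'mgmt_cli -r true set access-rule uid "{rule["uid"]}" layer "{layer}" '
                         f'enabled false comments "Disabled by Zero Hits" -d "{domain}"')
        else:
            lines.append(f'mgmt_cli -r true delete access-rule uid "{rule["uid"]}" '
                         f'layer "{layer}" -d "{domain}"')
    return lines

if __name__ == "__main__":
    print(hits_query("Internet Network", "Internet"))
    print("\n".join(build_commands(SAMPLE_REPLY, "Internet")))
```

Write the returned lines to a file and review them before running them, exactly as the post recommends doing a disable pass first.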
I have a stupid question simply based on looking at the code, but I think I figured it out... (as I typed this out)
How do I run the output file to disable the rules? Isn't the output missing the Policy name to run it against?
For example:

```shell
set access-rule rule-number 10 enabled false layer
```

I am assuming I missed it in the code where the layer is actually also added to the output....

```shell
set access-rule rule-number 10 enabled false layer Mypolicy
```
Hello Adam,
This is Vincent using my new account here, as my old one is currently inaccessible after the mail domain migration of my company.
I am wondering if you are still working on this script, because I am thinking about what happens when using it on a policy containing shared layers. I did not have a try yet; first I wanted to ask if you or anybody else already did so. 🙂
best regards
Vincent
Hello Adam,
Can you add a version of the script which can do a cleanup based on the comment on a rule?
Example: Expire: 2020-07-30
The script should match the expiry of each rule, it should be able to disable the rule after its expiry, and it should delete the rule 30 days after the disable time.
Hi Adam,
I am running the script, and although policy layer names are identified properly in the policy package, when I select the access layer it always says "There are null rules in Security", where Security is my access layer network policy name.
Any suggestions, please?
Regards
Attiq
Could this be modified to export all rules with zero hits, and also disabled rules, into a human-readable format in an HTML file?
So in effect we would have output we can present for deletion consideration, and then another file which would have the commands to delete (which the current script does)?
I've had a go myself but failed miserably, as I'm not a coder. I can log in to the SMS and get the rules, but when I try to get the data into an HTML file and format it, it just does not work.