**v3 and above now allows you to pick a specific access layer**
**v4 added new functions thanks to user feedback. Now has the ability to navigate around section title headers and to handle of any size**
**v5 with a lot of work by Vincent Bacher, who determined that some larger policies need a time specified to search. This version added in a 6 month limit on hits prior to the day you run it (Today - 6 Months).**
**v6 combined MDS & SMS into a single script. Added the ability to disable or delete rules based on UID or NAME. The disable script will add a comment 'Disabled by Zero Hits'.**
This is a simple shell script that will allow you to parse a specific rulebase for rules with a ZERO hit count. The results will be output into a single file of mgmt_cli commands to disable or delete those rules.
The script is set up to run on the Mgmt station itself, uses the 'mgmt_cli -r true' function, and uses the -d DOMAIN flag to support SMS and MDS in a single script.
It is highly recommended to run the 'DISABLE' version prior to running a 'DELETE'; treat it as a staging step for full deletion.
You can take the delete/disable command file and run it.
Original files on github: GitHub - cpmidsouth/Delete-or-Disable-Zero-Hit-Rules: This script is designed to search a specifed r...
NOTE: If you use inline layers within the rulebase you will need to search those as a separate layer. This script is not effective in a rulebase where there are multiple targets within the same rulebase. I am working on that one. Thanks to Vincent Bacher for being my QA and spending way too much time testing with me.
Feedback welcome; this was a simple project that came out of a client request.
Can you send me an email with your raw json? aforeste@checkpoint.com
I'll take a look at it and see what's up.
Sent. Thanks.
Found it; there are two `.rulebase[]` arrays. The full query should be:
```
mgmt_cli -r true show access-rulebase name "Internet Network" show-hits true use-object-dictionary true limit 50 -d Internet -f json | jq -r '.rulebase[] | .rulebase[] | select(.hits.value == 0) | ."rule-number"'
```
I'll email you the return.
I have a stupid question simply based on looking at the code, but I think I figured it out... (as I typed this out)
How do I run the output file to disable the rules? Isn't the output missing the policy name to run it against?
For example:
```
set access-rule rule-number 10 enabled false layer
```
I am assuming I missed it in the code where the layer is actually also added to the output....
```
set access-rule rule-number 10 enabled false layer Mypolicy
```
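As an added example (not the script from the original post or its GitHub repository), here is a Python walk over the JSON that `show access-rulebase ... show-hits true -f json` returns. It covers the two points raised above: rules placed under a section title header live in a nested `rulebase` array, so both levels are walked; and every emitted `set access-rule` / `delete access-rule` line carries the `layer` name, which those commands require. It also emits one line per rule object it actually finds rather than counting up to a `total` field. The sample JSON, uids, names and hit counts are constructed for this example, and `iter_rules`, `zero_hit_rules` and `build_commands` are names chosen here.

```python
"""Walk a Check Point access-rulebase export and emit mgmt_cli commands for zero-hit rules."""
import json
import shlex

# Constructed sample, shaped like the JSON that
# `mgmt_cli -r true show access-rulebase name "<layer>" show-hits true -f json`
# returns when the layer contains section title headers: a section is an
# "access-section" object with its own nested "rulebase" array.  All uids,
# names and hit counts below are invented for this example.
SAMPLE_RULEBASE_JSON = """
{
  "uid": "aaaa1111-0000-0000-0000-000000000001",
  "name": "Internet Network",
  "rulebase": [
    {"type": "access-rule", "uid": "r-0001", "name": "allow-dns",
     "rule-number": 1, "enabled": true, "hits": {"value": 1540}},
    {"type": "access-rule", "uid": "r-0002", "name": "legacy-ftp",
     "rule-number": 2, "enabled": true, "hits": {"value": 0}},
    {"type": "access-section", "uid": "s-0001", "name": "Partner access",
     "from": 3, "to": 4,
     "rulebase": [
       {"type": "access-rule", "uid": "r-0003", "name": "partner-vpn",
        "rule-number": 3, "enabled": true, "hits": {"value": 0}},
       {"type": "access-rule", "uid": "r-0004", "name": "partner-https",
        "rule-number": 4, "enabled": true, "hits": {"value": 27}}
     ]},
    {"type": "access-rule", "uid": "r-0005", "name": "already-disabled",
     "rule-number": 5, "enabled": false, "hits": {"value": 0}},
    {"type": "access-rule", "uid": "r-0006", "name": "no-hit-data",
     "rule-number": 6, "enabled": true}
  ],
  "total": 6
}
"""


def iter_rules(items):
    """Yield every access-rule in rulebase order, descending into section headers.

    This is what a single `.rulebase[]` jq path misses: rules under a section
    title header sit one level deeper than rules at the top of the layer.
    """
    for item in items:
        if item.get("type") == "access-section":
            yield from iter_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item


def zero_hit_rules(rulebase_json, skip_disabled=True):
    """Return the rule objects whose hit counter is exactly 0.

    A rule with no "hits" object at all is left alone: missing hit data is not
    evidence that the rule is unused, so it is kept for manual review.
    """
    doc = json.loads(rulebase_json)
    selected = []
    for rule in iter_rules(doc.get("rulebase", [])):
        value = (rule.get("hits") or {}).get("value")
        if value is None or value != 0:
            continue
        if skip_disabled and not rule.get("enabled", True):
            continue  # already disabled; nothing to stage
        selected.append(rule)
    return selected


def build_commands(rulebase_json, layer, action="disable", key="uid", domain=None):
    """Build one mgmt_cli line per zero-hit rule.

    `layer` is mandatory because `set access-rule` and `delete access-rule`
    need the layer name as well as the rule identifier.  `domain` adds the
    `-d` flag for an MDS; omit it on a plain SMS.  Values are shell-quoted so
    names containing spaces survive being run from a file.
    """
    if action not in ("disable", "delete"):
        raise ValueError("action must be 'disable' or 'delete'")
    if key not in ("uid", "name"):
        raise ValueError("key must be 'uid' or 'name'")
    domain_flag = f" -d {shlex.quote(domain)}" if domain else ""
    commands = []
    for rule in zero_hit_rules(rulebase_json):
        target = f"{key} {shlex.quote(str(rule[key]))} layer {shlex.quote(layer)}"
        if action == "disable":
            cmd = (f"mgmt_cli -r true set access-rule {target} enabled false "
                   f"comments {shlex.quote('Disabled by Zero Hits')}{domain_flag}")
        else:
            cmd = f"mgmt_cli -r true delete access-rule {target}{domain_flag}"
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    # Stage the disable commands first; review the file, then run it.
    for line in build_commands(SAMPLE_RULEBASE_JSON, "Internet Network", domain="Internet"):
        print(line)
```

Running the block prints two lines: one for `legacy-ftp` at the top level and one for `partner-vpn` inside the section, each with `layer 'Internet Network'` and `-d Internet`. The already-disabled rule and the rule without a hits object are deliberately not emitted.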
Hello Adam,
this is Vincent using my new account here as my old one is currently inaccessible after mail domain migration of my company.
I am wondering if you are still working on this script, because I am thinking about what happens when using it on a policy containing shared layers. I have not tried it yet; I first wanted to ask if you or anybody else already did so. 🙂
best regards
Vincent
Hello Adam,
can you add a version of the script which can do a cleanup based on the comment on a rule?
Example: Expire: 2020-07-30
The script should match the expiry of each rule; it should be able to disable the rule after its expiry and should delete the rule 30 days after it was disabled.
Hello guys!
When I try to run the script, the following error appears:
```text
Do you want to output disable commands or delete commands?[disable/delete]
disable
Do you want to export using Rule Number or UID?
Rule Number will allow for more manual checking but UID
is more accurate if another admin could potentially be editing a policy
Please enter uid or name. [uid/name]
uid
Does Your Policy Contain Section Title Headers?[y/n]
y
Creating Disable Scripts. This may take a minute depending on Rulebase size.
seq: invalid floating point argument: null
Try 'seq --help' for more information.
sed: can't read cdf31-cdf32-Fidelity-tmp.txt: No such file or directory
```
Can someone help me please?
sed: can't read cdf31-cdf32-Fidelity-tmp.txt: No such file or directory