This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Adam_Forester
Ambassador
Ambassador
‎2018-02-17 08:48 AM
Jump to solution

Disable/Delete Rules with a Zero Hit Count (MDS or SMS)

**v3 and above now allows you to pick a specific access layer** 

**v4 added new functions thanks to user feedback. Now has the ability to navigate around section title headers and to handle of any size**

**v5 with a lot of work by Vincent Bacher‌ he determined that some larger policies need a time specified to search. This version added in a 6 month limit on hits prior to the day you run it (Today - 6Months.)**

** v6 combined MDS & SMS into a single script. Added the ability to disable or delete rules based on UID or NAME. The disable script will add a commend 'Disabled by Zero Hits'

This is a simple shell script that will allow you to parse a specific rulebase for rules with a ZERO hit count. The results will be output into a single file of mgmt_cli commands to disable or delete those rules.

The script is setup to run on the Mgmt station itself and uses the 'mgmt_cli -r true' function and uses the -d DOMAIN flag to support SMS and MDS in a single script

It is highly recommended to run the 'DISABLE' version prior to running a 'DELETE' it will treat it as a staging for full deletion

How to Use

  • Move script to the management station
  • ./cleanup-zero-hits.sh
  • Enter IP address of SMS or CMA you wish to check
  • Follow remaining prompts for options
    • uid or name
      • The script will ask if you want to export with uid or name. UID is more accurate as it does not change with position. This will prevent a situation where another admin is adding/removing rules from the rulebase before you are able to run the output file.

You can take the delete/disable command file and run it.

  • chmod 755 Output-Filename.txt
  • ./Output-Filename.txt

Original files on github: GitHub - cpmidsouth/Delete-or-Disable-Zero-Hit-Rules: This script is designed to search a specifed r... 

NOTE: If you use inline layers within the rulebase you will need to search those as a separate layer. This script is not effective in a rulebase where multiple targets within the same rulebase. I am working on that one. Thanks to Vincent Bacher‌ for being my QA and spending way too much time testing with me. 

Feedback welcome this was a simple project that came out of a client request.

Labels
Preview file
10 KB
37 Replies
Adam_Forester
Ambassador
Ambassador
‎2019-02-25 12:20 PM
Jump to solution

Can you send me an email with your raw json? aforeste@checkpoint.com

I'll take a look at it and see what's up.

0 Kudos
Jin_Zhou
Contributor
‎2019-02-25 02:38 PM
Jump to solution

Sent. Thanks.

0 Kudos
Adam_Forester
Ambassador
Ambassador
‎2019-02-25 03:41 PM
Jump to solution

Found it; There are two .rulebase[] arrays. The full query should be;

mgmt_cli -r true show access-rulebase name "Internet Network" show-hits true use-object-dictionary true limit 50 -d Internet -f json | jq -r '.rulebase[] | .rulebase[] | select(.hits.value == 0) | ."rule-number"'

I'll email you the return.

0 Kudos
Jason_Rakers
Participant
‎2019-04-04 02:52 PM
Jump to solution

I have a stupid question simply based on looking at the code, but I think i figured it out... (as i typed this out)

How do I run the output file to disable the rules?  Isn't the output missing the Policy name to run it against?

For example:

set access-rule rule-number 10 enabled false layer

 

i am assuming i missed it in the code where the layer is actually also added to the output....

set access-rule rule-number 10 enabled false layer Mypolicy

 

0 Kudos
Daniel_Hainich
Collaborator
‎2019-08-11 11:37 PM
In response to Jason_Rakers
Jump to solution

Hi,

something is going wrong...

[Expert@SMS:0]# ./cleanup-zero-hits.sh
This script will search a specific policy package for rules with a ZERO hit count.
Use with caution for deleting rules..
If for any reason you make a typo and need to exit use CTRL+C.
Press ENTER to continue

What is the IP address or Name of the Domain or SMS you want to check?
xxx.xxx.xxx.xxx

Listing Access Policy Package Names


parse error: Invalid numeric literal at line 1, column 12


Can you help?
0 Kudos
VincentBacher
Participant
‎2020-02-23 11:15 PM
Jump to solution

Hello Adam,

this is Vincent using my new account here as my old one is currently inaccessible after mail domain migration of my company.

I am wondering if you are still working on this script because i am thinking about what happens when using it on a policy containing shared layers. Did not have a try yet, first wanted to ask if you or anybody else already did so. 🙂

best regards
Vincent

0 Kudos
Prashant_YADAV1
Contributor
‎2020-07-30 01:07 AM
Jump to solution

Hello Adam,

can you add a version of the script which can do a cleanup based on the comment on a Rule,

Example : Expire: 2020-07-30 

The script should match the expiry of each rule and it should able to disable if the rule after it's expiry and should delete rule after 30 days of disable time.

 

0 Kudos
Attiq786
Participant
‎2022-02-07 06:23 AM
Jump to solution

Hi Adam,

i am running the script and although policy layer names are identified properly in the policy package, when i select the access layer, it always says "There are null rules in Security"  when Security is my access layer network policy name.

Any suggestions please?

 

Regards

 

Attiq

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events