This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
hornung_c
Explorer
Explorer
‎2023-09-07 04:28 AM

Getting all Zero Hit Rules from all existing Domains in a MDSM Enviroment

Hi Folks,

 

i created a script to get all Rules with zero hits from all existing domains and want to share it with you.

You may have any ideas to add something.

 

 

#script by christoph hornung
#script for getting all 0-hit rules from all existing domains including global domain
#last change at : 2023/07/07
#chamge reason  : release of the script

#get list of all Domains and variables
FileDir=/home/scpuser/ZeroHits
domains=(`(ls $MDSDIR/customers | sed 's/1//g')`)
domCount=`echo ${#domains[*]}`


echo "Getting 0-Hit Rule Numbers from all Domains ... Please wait..."

#login in to MDS
session=`mgmt_cli --port 4434 -r true login --format json| jq -r '.sid'`

#clear or create empty file
echo "" >> $FileDir/Global.txt

#############GLOBAL POLICY ###############
echo "Getting 0-Hits from Gloabl Policy"

#login to global domain and get number of rules and uid of the global policy layer
globalSession=`mgmt_cli login-to-domain domain Global --port 4434 --session-id $session --format json | jq -r '.sid'`
globalUID=`mgmt_cli --port 4434 show access-layers --session-id $globalSession --format json | jq '."access-layers"[] | select(.name=="Network" and .domain."domain-type"=="global domain")' | grep "uid" | head -n1 | sed 's/\,//g' | sed 's/"uid"://'`
globalLimit=$(mgmt_cli --port 4434 show access-rulebase uid $globalUID --session-id $globalSession limit 1 --format json | jq '.total')
echo "0-Hit Counts from the Global Domain" > $FileDir/Global.txt
mgmt_cli --port 4434 show access-rulebase uid $globalUID --session-id $globalSession limit $globalLimit show-hits true --format json | jq '.rulebase[].rulebase[]? | select(.hits.value == 0) ' | grep -e "rule-number" | sed 's/\"//g' | sed 's/\,//g' >> $FileDir/Global.txt

echo "Done"

#############Domain Layers#################
#loop over the doamin array
for ((n=0; n<$domCount; n++))
do
        #delete old file entries
        echo "" > $FileDir/${domains[n]}.txt
        echo "Getting Zero-Hit Rules from ${domains[n]}"

        #login to domain from array
        domSession=`mgmt_cli --port 4434 --session-id $session login-to-domain domain ${domains[n]} --format json | jq -r '.sid'`

        #get layer id from Newwork Policy with domain Session
        layerID=`mgmt_cli --port 4434 show access-layers --session-id $domSession --format json | jq '."access-layers"[] | select(.name=="Network" and .domain."domain-type"=="domain")' | grep "uid" | head -n1 | sed 's/\,//g' | sed 's/"uid"://'`

        #get number of all rules
        limits=$(mgmt_cli --port 4434 show access-rulebase uid $layerID --session-id $domSession limit 1 --format json | jq '.total')

        echo "0-Hit Counts from ${domains[n]}" >> $FileDir/${domains[n]}.txt
        #get 0-hit rules !!!! the []? suppresses errors on query !!!!
        mgmt_cli --port 4434 show access-rulebase uid $layerID --session-id $domSession limit $limits show-hits true --format json | jq '.rulebase[].rulebase[]? | select(.hits.value == 0) ' | grep -e "rule-number" | sed 's/\"//g' | sed 's/\,//g' >> $FileDir/${domains[n]}.txt

        echo "${domains[n]} Done"
done

#change ownership of the output files
echo "settting scpuser rights to created files"
chown scpuser:users $FileDir/*
echo "Done"
echo "Files written to $FileDir"

 

 

 

0 Kudos
0 Replies

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events