m2kujawa
Participant

Hit count mismatch

Hi,

I'm trying to pull hit count for each rule in a policy using API command but there is a mismatch between what's shown in Smart Console and the output of the API command. Could someone please explain where the mismatch is coming from, or what I do incorrectly?

Some more details: there are 2 rules in my lab setup, the first one is showing 44 hits, and the cleanup rule shows 4k hits. However, when I run the API command to see the rulebase, the hits value on each rule is 0.

Attached is a screenshot with the hit count from Smart Console, and below is the API command I ran and its output.

 

 

[Expert@Check_Point_R81_SMS:0]# mgmt_cli show access-rulebase name "Network" show-hits "True" --format json
Username: admin
Password:
{
"uid" : "f5cec687-05e5-4573-b1dc-08119f24cbc9",
"name" : "Network",
"rulebase" : [ {
"uid" : "82062c9a-1099-4f3d-918e-25603854d236",
"name" : "Access to SMS and SG",
"type" : "access-rule",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"rule-number" : 1,
"track" : {
"type" : "598ead32-aa42-4615-90ed-f51a5928d41d",
"per-session" : false,
"per-connection" : true,
"accounting" : false,
"enable-firewall-session" : false,
"alert" : "none"
},
"source" : [ "0bc5427d-8710-46b3-8893-d5e3ccc303d8" ],
"source-negate" : false,
"destination" : [ "90b6263c-cbd7-964a-9b9e-b67f29873a79", "4e881b81-e941-474b-a7a4-2cdd9fa997b1" ],
"destination-negate" : false,
"service" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"service-negate" : false,
"vpn" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"action" : "6c488338-8eec-4103-ad21-cd461ac2c472",
"action-settings" : {
"enable-identity-captive-portal" : false
},
"content" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"content-negate" : false,
"content-direction" : "any",
"time" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"hits" : {
"percentage" : "0%",
"level" : "zero",
"value" : 0
},
"custom-fields" : {
"field-1" : "",
"field-2" : "",
"field-3" : ""
},
"meta-info" : {
"lock" : "unlocked",
"validation-state" : "ok",
"last-modify-time" : {
"posix" : 1616299109471,
"iso-8601" : "2021-03-21T03:58+0000"
},
"last-modifier" : "admin",
"creation-time" : {
"posix" : 1616295963413,
"iso-8601" : "2021-03-21T03:06+0000"
},
"creator" : "admin"
},
"comments" : "",
"enabled" : true,
"install-on" : [ "6c488338-8eec-4103-ad21-cd461ac2c476" ]
}, {
"uid" : "53fcfdbf-9053-45c6-93ae-c8ab4c442798",
"name" : "Cleanup rule",
"type" : "access-rule",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"rule-number" : 2,
"track" : {
"type" : "598ead32-aa42-4615-90ed-f51a5928d41d",
"per-session" : false,
"per-connection" : true,
"accounting" : false,
"enable-firewall-session" : false,
"alert" : "none"
},
"source" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"source-negate" : false,
"destination" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"destination-negate" : false,
"service" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"service-negate" : false,
"vpn" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"action" : "6c488338-8eec-4103-ad21-cd461ac2c473",
"action-settings" : { },
"content" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"content-negate" : false,
"content-direction" : "any",
"time" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"hits" : {
"percentage" : "0%",
"level" : "zero",
"value" : 0
},
"custom-fields" : {
"field-1" : "",
"field-2" : "",
"field-3" : ""
},
"meta-info" : {
"lock" : "unlocked",
"validation-state" : "ok",
"last-modify-time" : {
"posix" : 1616299111286,
"iso-8601" : "2021-03-21T03:58+0000"
},
"last-modifier" : "admin",
"creation-time" : {
"posix" : 1603000865309,
"iso-8601" : "2020-10-18T07:01+0100"
},
"creator" : "System"
},
"comments" : "",
"enabled" : true,
"install-on" : [ "6c488338-8eec-4103-ad21-cd461ac2c476" ]
} ],
"objects-dictionary" : [ {
"uid" : "6c488338-8eec-4103-ad21-cd461ac2c472",
"name" : "Accept",
"type" : "RulebaseAction",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
}, {
"uid" : "97aeb369-9aea-11d5-bd16-0090272ccb30",
"name" : "Any",
"type" : "CpmiAnyObject",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
}, {
"uid" : "4e881b81-e941-474b-a7a4-2cdd9fa997b1",
"name" : "Check_Point_R81_SG",
"type" : "simple-gateway",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
}
}, {
"uid" : "90b6263c-cbd7-964a-9b9e-b67f29873a79",
"name" : "Check_Point_R81_SMS",
"type" : "checkpoint-host",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
}
}, {
"uid" : "6c488338-8eec-4103-ad21-cd461ac2c473",
"name" : "Drop",
"type" : "RulebaseAction",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
}, {
"uid" : "598ead32-aa42-4615-90ed-f51a5928d41d",
"name" : "Log",
"type" : "Track",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
}, {
"uid" : "0bc5427d-8710-46b3-8893-d5e3ccc303d8",
"name" : "MKUJ_PC",
"type" : "host",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"ipv4-address" : "192.168.10.1"
}, {
"uid" : "6c488338-8eec-4103-ad21-cd461ac2c476",
"name" : "Policy Targets",
"type" : "Global",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
} ],
"from" : 1,
"to" : 2,
"total" : 2
}
[Expert@Check_Point_R81_SMS:0]#

0 Kudos
8 Replies
Bob_Zimmerman
Advisor

Maybe try with lowercase 't' in "true"? In an API tool I'm working on, this is the exact body I use in a request for rule information:

["uid":id.uuidString,
"use-object-dictionary":"false",
"show-hits":"true",
"details-level":"full",
"limit":limit,
"offset":offset]

I then use my language's JSON serializer which maintains case to convert that list into a JSON object for my request.

I definitely get hit data from my development SmartCenter using that request body.

0 Kudos
m2kujawa
Participant

Hi Bob,
Thanks for the quick reply.

I've tried 4 different variations ("True", "true", True, true), and none of them raise an error for invalid input. Also, all of them cause the hit count section to be displayed in the output. Unfortunately, it doesn't matter which option I use, hit count displayed in CLI is always 0.

I've also noticed another strange thing, when I put the cursor over hit count in Smart Console, even though I can see the number of hits on each rule, and logs on the bottom that confirm I get hits, it says 'Zero Hit Count Level' (see attached).

0 Kudos
PhoneBoy
Admin

I recommend a TAC case here.

0 Kudos
m2kujawa
Participant

Thank you for the suggestion. 

It's my private setup using an evaluation licence that I use for training, and I'm not a Check Point customer. Can I still raise a TAC case?

0 Kudos
PhoneBoy
Admin

You probably can't do that without a support agreement in place.
That said, maybe @Omer_Kleinstern can confirm if this is a known bug or not.
What JHF are you running on R81?

m2kujawa
Participant

It's a fresh install of R81. Please find the output below for details.

 

[Expert@Check_Point_R81_SMS:0]# cpinfo -y all

This is Check Point CPinfo Build 914000214 for GAIA
[IDA]
No hotfixes..

[MGMT]
No hotfixes..

[CPFC]
No hotfixes..

[FW1]
HOTFIX_GOT_MGMT_AUTOUPDATE
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R81 - Build 287
This is Check Point's software version R81 - Build 959

[SecurePlatform]
No hotfixes..

[CPinfo]
No hotfixes..

[AutoUpdater]
No hotfixes..

[DIAG]
No hotfixes..

[Reporting Module]
No hotfixes..

[CPuepm]
No hotfixes..

[VSEC]
No hotfixes..

[SmartLog]
No hotfixes..

[R7520CMP]
No hotfixes..

[R7540CMP]
No hotfixes..

[R76CMP]
No hotfixes..

[SFWR77CMP]
No hotfixes..

[SFWR80CMP]
No hotfixes..

[R77CMP]
No hotfixes..

[R8040CMP]
No hotfixes..

[R75CMP]
No hotfixes..

[FLICMP]
No hotfixes..

[MGMTAPI]
No hotfixes..

[CPUpdates]
BUNDLE_DC_CONTENT_AUTOUPDATE Take: 9
BUNDLE_GOT_MGMT_AUTOUPDATE Take: 71
BUNDLE_DC_INFRA_AUTOUPDATE Take: 20
BUNDLE_GOT_TPCONF_MGMT_AUTOUPDATE Take: 30


[Expert@Check_Point_R81_SMS:0]#

0 Kudos
Omer_Kleinstern
Employee

Hi @m2kujawa 

There is a known limitation in the returned hit count data when the time range is less than 24 hours (sk166717, PMTR-54350).

Can you try to add hits-settings with more than the last 24 hours?

 

Thanks,

Omer

m2kujawa
Participant

Hi @Omer_Kleinstern,

Thanks, that's good to know. I've tried to query rulebase with a hit count older than the last 24 hours and it worked just fine.

0 Kudos
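The fix this thread arrives at, as an added example (not code from any poster or from Check Point): it builds a `show-access-rulebase` request body whose hit-count window is always longer than 24 hours, then reads the per-rule hit values out of a reply, resolving action UIDs through `objects-dictionary`. The `from-date` and `to-date` field names and their `yyyy-mm-dd` format are assumed from the Management API reference rather than taken from this thread, the function names are hypothetical, and the sample reply is constructed.

```python
import json
from datetime import date, timedelta

def rulebase_request(name, days_back=7, today=None):
    """Build a show-access-rulebase body whose hit window exceeds 24 hours."""
    if days_back < 2:  # dates have day granularity; 2 days is safely > 24 h
        raise ValueError("hit-count window must be longer than 24 hours")
    today = today or date.today()
    return {
        "name": name,
        "show-hits": True,
        "hits-settings": {  # assumed field names, see lead-in
            "from-date": (today - timedelta(days=days_back)).isoformat(),
            "to-date": today.isoformat(),
        },
    }

def hits_per_rule(reply):
    """Return (rule-number, name, action, hits) rows, descending into sections."""
    names = {o["uid"]: o["name"] for o in reply.get("objects-dictionary", [])}
    rows = []
    def walk(items):
        for item in items:
            if "rulebase" in item:          # access-section wrapping rules
                walk(item["rulebase"])
            elif item.get("type") == "access-rule":
                action = names.get(item["action"], item["action"])
                rows.append((item["rule-number"], item["name"], action,
                             item.get("hits", {}).get("value")))
    walk(reply["rulebase"])
    return rows

# Constructed reply: trimmed from the output in this thread, hit values invented.
SAMPLE_REPLY = json.loads("""
{"name": "Network",
 "rulebase": [
  {"type": "access-rule", "rule-number": 1, "name": "Access to SMS and SG",
   "action": "6c488338-8eec-4103-ad21-cd461ac2c472", "hits": {"value": 44}},
  {"type": "access-rule", "rule-number": 2, "name": "Cleanup rule",
   "action": "6c488338-8eec-4103-ad21-cd461ac2c473", "hits": {"value": 4000}}],
 "objects-dictionary": [
  {"uid": "6c488338-8eec-4103-ad21-cd461ac2c472", "name": "Accept"},
  {"uid": "6c488338-8eec-4103-ad21-cd461ac2c473", "name": "Drop"}]}
""")

if __name__ == "__main__":
    print(json.dumps(rulebase_request("Network"), indent=2))
    for row in hits_per_rule(SAMPLE_REPLY):
        print(row)
```

A rule that still reports a hit value of 0 over a multi-day window is a candidate for review as unused, which is different from the all-zero result a sub-24-hour window produces.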