John_Doe
Contributor

How often are hit counts updated in the API?

Hello all,

I'm working on a web portal to manage unused rules.

I need to get all hit counts every day.

I query my web API (R80.10) using the "curl" command.

But... there is something weird (or beyond my understanding):

I checked a specific rule.

I created 3 requests for this rule:

1. pull hit counts from 2018-09-16T00:00:00 to 2018-09-16T23:59:59 (one day). Hits value: 0

2. pull hit counts from 2018-09-17T00:00:00 to 2018-09-17T23:59:59 (one day later). Hits value: 0

3. pull hit counts from 2018-09-16T00:00:00 to 2018-09-17T23:59:59 (two days: request 1 + request 2). Hits value: 193168091

What am I missing? Is my request for one day not good?

27 Replies
PhoneBoy
Admin

Can you provide the exact curl command you are using to do this?

0 Kudos
John_Doe
Contributor

Hello, my 3 commands are:

1. curl --insecure -XPOST "https://$ip/web_api/show-access-rulebase" --data-binary "{\"uid\": \"$uid\", \"limit\": \"1\", \"show-hits\": \"true\", \"hits-settings\" : { \"from-date\" : \"2018-09-16T00:00:00\" , \"to-date\" : \"2018-09-16T23:59:59\"}, \"offset\": \"11\"}" -H "Content-Type: application/json" -H "X-chkp-sid: $sid"

2. curl --insecure -XPOST "https://$ip/web_api/show-access-rulebase" --data-binary "{\"uid\": \"$uid\", \"limit\": \"1\", \"show-hits\": \"true\", \"hits-settings\" : { \"from-date\" : \"2018-09-17T00:00:00\" , \"to-date\" : \"2018-09-17T23:59:59\"}, \"offset\": \"11\"}" -H "Content-Type: application/json" -H "X-chkp-sid: $sid"

3. curl --insecure -XPOST "https://$ip/web_api/show-access-rulebase" --data-binary "{\"uid\": \"$uid\", \"limit\": \"1\", \"show-hits\": \"true\", \"hits-settings\" : { \"from-date\" : \"2018-09-16T00:00:00\" , \"to-date\" : \"2018-09-17T23:59:59\"}, \"offset\": \"11\"}" -H "Content-Type: application/json" -H "X-chkp-sid: $sid"

Is there something wrong?

0 Kudos
John_Doe
Contributor

By the way, I'd like to understand what triggers a "hit count refresh" and how it is stored...

About refresh:

I read somewhere that the default behaviour was to refresh every 3 hours... Where can I verify this (is it an option we can configure in the smart one?)? I also read that it is refreshed every time we push a policy (but I can't count on that).

About storage:

Is it a raw counter which is stored in the "hits value", or is it a delta between two refreshes? (Or something else?)

If it's a raw counter, once you have a value you can never have "0 hits" (as it increments; well, you can have 0 when you exceed the counter's limit, but that should not happen frequently), so I don't think it's a raw counter.

I just tried again for a specific rule:

1. on 09/22 (from 00:00:00 to 23:59:59): 0 hits

2. on 09/23 (from 00:00:00 to 23:59:59): 45974472 hits

3. from 09/22 (00:00:00) to 09/23 (23:59:59): 213723651 hits

It's our biggest matching rule (DNS), so it's impossible to have 0 hits within a day.

Here we see that we have a value on 09/23 (on a single day), so it's possible to have a value within a day.

On 09/22 nothing was modified on our gateways (so no hit count refresh???); on 09/23 there were several policy pushes (so the hit count was refreshed, I think).

Any ideas?

P.S.: Sorry for my English.

0 Kudos
_Val_
Admin

I assume the real question here is when hit counters are being reset. Yes, they are reset with policy installation.

To answer the question about where the data is stored, there are different locations on the GW and MGMT, but I would not recommend touching them unless you are trying to resolve a technical issue.

0 Kudos
John_Doe
Contributor

They are reset with policy installation? Are you sure?

It seems to be the opposite behaviour in my last try:

1. on Saturday, no push: 0 hits

2. on Sunday, several pushes: 45974472 hits

And if it's reset, where can I get a trusted value?

Until now I read all fw.log files (because we log everything); it takes some time to read all the logs... but maybe it's still the most reliable way to fetch hit counts?

0 Kudos
_Val_
Admin

Yes, I am positive.

Please refer to this SecureKnowledge article for more info: Hit Count debugging

0 Kudos
John_Doe
Contributor

I read it but I don't see where a push resets the "hit count". Can you tell me which paragraph explains that?

I also verified in my *.C files, and in all my layers hit_count_cache_hit_interval is set to 180.

So I don't understand how I can have a 0 hit count for 24 hours...

0 Kudos
_Val_
Admin

It is not mentioned in the SK I sent you. I assumed you wanted to troubleshoot a particular issue and provided you with the reference on how to do that. The article also mentions how and where the relevant data is handled.

May I ask a different question: what is the issue you are trying to work on?

0 Kudos
John_Doe
Contributor

I'm creating a web interface to see all rules.

By clicking a button, I will be able to disable all unused rules.

So I want to find a reliable way to determine whether a rule is used or not; checking the daily hit count seems to be a good condition.

Since I fetch all information through the web API, I would like to use the web API hit count, but I'm afraid I can't trust this counter (as you can see in my previous tests). Maybe I'm missing something, but I don't find what (and if I don't clearly understand the behaviour, I will rely on my logs).

If there is another way to determine whether a rule is used or not, I'd be glad to know it, of course.

0 Kudos
_Val_
Admin

Okay, so the case is to prove that the rule counter is working correctly and provides reliable information, right?

Let's reset all rule counters and start from scratch, as the history of what happened before is unclear. Use this How to reset the 'Hit Count' in R80.XX to reset the hit counters. Mind that you need a reasonable time frame to collect the info for analysis.

0 Kudos
John_Doe
Contributor

I'm not sure I'll be allowed to clear it (other tools use the API; I don't know how and for what purpose).

What is "a reasonable time frame" according to you?

0 Kudos
_Val_
Admin

The data is sent up to user space every three hours (that is your 180 marker). Then it is fetched by MGMT. Considering how much traffic hits the rulebase and how big the rulebase is, we are talking about some days (a day).

We are confident at Check Point that the rulebase hit counter is a reliable instrument under the conditions mentioned above. However, I understand that you may need to prove that. In this case, work with a lab FW where you have full control over the environment.

Also, I need to retract my statement about counters being reset with policy installation. That statement is ONLY correct for the kernel tables on the GW. The fetched info on management (I assume you use the Web API with the management server) is cumulative. Sorry for this confusion, my mistake.

0 Kudos
John_Doe
Contributor

Thank you for all this information.

I don't understand this: "Considering how much traffic hits the rulebase and how big the rulebase is, we are talking about some days (a day)."

Does it mean that the refresh can happen only once every several days? (That would be a problem for me.)

I didn't mention it, but yes, everything is fetched on the management server.

Thank you for the reset verification.

0 Kudos
_Val_
Admin

No, that is not what I mean. If you have a long policy and not so much traffic, a legitimate rule may be hit once in a while; that was the message. You should still see non-zero incremental numbers on each rule passing traffic.

However, new rules may lag for some time before showing hits (essentially those less than 3 hours old).

Another question is about how you query rules. You should use UUIDs and not absolute numbers, as admins might add and remove rules along the way. I hope you are doing that already, but it's worth mentioning, I guess.

0 Kudos
John_Doe
Contributor

I'm doing all the tests on a rule hit millions of times per day, so I should see hits within a day.

Of course, I store all my rules with their UID.

I made a new test on a larger time frame:

1. from 09/20 (00:00:00) to 09/21 (23:59:59): in these 48 hours I see 78531230 hits

2. from 09/22 (00:00:00) to 09/23 (23:59:59): in these 48 hours I see 213723651 hits

3. from 09/20 (00:00:00) to 09/23 (23:59:59): in these 96 hours I see 313771201 hits (it's more than 1. + 2., and the difference is more than 20 million)

0 Kudos
_Val_
Admin

What is the query here?

0 Kudos
John_Doe
Contributor

The query is:

curl --insecure -XPOST "https://$ip/web_api/show-access-rulebase" --data-binary "{\"uid\": \"$uid\", \"limit\": \"1\", \"show-hits\": \"true\", \"hits-settings\" : { \"from-date\" : \"$from\" , \"to-date\" : \"$to\"}, \"offset\": \"11\"}" -H "Content-Type: application/json" -H "X-chkp-sid: $sid"

0 Kudos
_Val_
Admin

Seems legit. Yet I would try to use it without timestamps first, to query the total data collected, to see how it progresses.

0 Kudos
John_Doe
Contributor

I don't understand why pulling without timestamps first would be better.

Still, I don't get why pulling 2 times for 48 hours gives me a result different from pulling one time for 96 hours...

I've tested over several security rules and it always shows a difference (which is at least thousands of hits).

I query the management server (R80.10), which stores information for R77.30 and R80.10 GW clusters.

For both versions I have the same issue. So, unfortunately, the web API hit count is not reliable in my environment.

0 Kudos
John_Doe
Contributor

Another possibility... is there a way to refresh the hit count through the web API?

0 Kudos
_Val_
Admin

How do you mean, refresh? If you want to reset it from the WebUI, then no. Otherwise you should be able to see different readings with periodic queries.

0 Kudos
John_Doe
Contributor

My question is not clear indeed: I meant forcing a new pull on the gateways in order to have a hit count value for the present day. (I'm almost sure it's not possible, but we never know...)

0 Kudos
_Val_
Admin

Okay. The answer is no, you cannot do that.

0 Kudos
_Val_
Admin

John Doe, thank you for your patience. I have consulted with R&D, and they confirm your understanding: the sum of two queries for two consecutive days should be equal to the two-day interval query. It is not your case, and it sounds like a support issue. Please kindly open a support request with our TAC so we can get to the bottom of it and fix the issue.

Thanks again,

Val

0 Kudos
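The check R&D describes above (two consecutive one-day queries must sum to the two-day query) and Val's earlier advice to address rules by UID rather than by offset can be automated. The script below is an added example written for this page, not code from the thread or from Check Point. It uses only documented show-access-rulebase fields (layer "uid", "offset", "limit", "show-hits", "hits-settings" with "from-date"/"to-date", the per-rule "hits": {"value": ...} and the "total" count in the response); the function names, the assumption that sections are returned as "access-section" items with a nested "rulebase", the placeholder layer and rule UIDs, and the sample responses are all constructed for the example. The transport is injected so the logic runs offline against those sample responses, which reproduce the poster's 09/22, 09/23 and 09/22..09/23 readings for the DNS rule.

```python
import json
import ssl
import urllib.request


def api_post(ip, sid, command, body):
    """POST one Management API command over an existing session (sid from /web_api/login).
    Certificate checking is disabled here only to mirror the thread's `curl --insecure`;
    in production verify against the management server's CA instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{ip}/web_api/{command}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def hits_by_uid(post, layer_uid, from_date, to_date, page=100):
    """Page through one access layer and return {rule uid: hits in the window}.
    `post(command, body)` is the transport (a closure over api_post, or a fake).
    Results are keyed by UID, not by offset, so rules added or removed by other
    admins between runs cannot shift which counter is read."""
    hits, offset = {}, 0
    while True:
        resp = post("show-access-rulebase", {
            "uid": layer_uid,
            "offset": offset,
            "limit": page,
            "show-hits": True,
            "hits-settings": {"from-date": from_date, "to-date": to_date},
        })
        for item in resp.get("rulebase", []):
            # Assumption: sections arrive as containers with their own nested "rulebase".
            rules = item.get("rulebase", []) if item.get("type") == "access-section" else [item]
            for rule in rules:
                if "hits" in rule:
                    hits[rule["uid"]] = int(rule["hits"]["value"])
        offset += page
        if offset >= resp.get("total", 0):
            break
    return hits


def additivity_mismatches(post, layer_uid, day1, day2, page=100):
    """day1 and day2 are (from-date, to-date) pairs for two consecutive windows.
    Returns {uid: (hits day1, hits day2, hits day1..day2)} for every rule whose
    two single-window counts do not add up to the combined-window count."""
    a = hits_by_uid(post, layer_uid, day1[0], day1[1], page)
    b = hits_by_uid(post, layer_uid, day2[0], day2[1], page)
    ab = hits_by_uid(post, layer_uid, day1[0], day2[1], page)
    bad = {}
    for uid, combined in ab.items():
        single = a.get(uid, 0) + b.get(uid, 0)
        if single != combined:
            bad[uid] = (a.get(uid, 0), b.get(uid, 0), combined)
    return bad


# Constructed sample data (not captured from a real server): the thread's
# 09/22, 09/23 and 09/22..09/23 readings for the DNS rule, plus one rule
# whose counts are consistent. The UIDs are placeholders.
DAY1 = ("2018-09-22T00:00:00", "2018-09-22T23:59:59")
DAY2 = ("2018-09-23T00:00:00", "2018-09-23T23:59:59")
SAMPLE = {
    DAY1: {"dns-rule-uid": 0, "web-rule-uid": 10},
    DAY2: {"dns-rule-uid": 45974472, "web-rule-uid": 20},
    (DAY1[0], DAY2[1]): {"dns-rule-uid": 213723651, "web-rule-uid": 30},
}


def fake_post(command, body):
    """Offline stand-in for api_post that answers from SAMPLE, honouring offset/limit."""
    if command != "show-access-rulebase":
        raise ValueError(command)
    window = (body["hits-settings"]["from-date"], body["hits-settings"]["to-date"])
    counts = SAMPLE[window]
    uids = sorted(counts)
    page = uids[body["offset"]:body["offset"] + body["limit"]]
    return {
        "total": len(uids),
        "rulebase": [{"uid": u, "type": "access-rule", "hits": {"value": counts[u]}} for u in page],
    }


def demo():
    # page=1 forces several round trips so the pagination path is exercised.
    return additivity_mismatches(fake_post, "layer-uid", DAY1, DAY2, page=1)


if __name__ == "__main__":
    for uid, (d1, d2, both) in demo().items():
        print(f"{uid}: {d1} + {d2} = {d1 + d2} but the combined window reports {both}")
```

Against a real server, replace `fake_post` with `lambda cmd, body: api_post(ip, sid, cmd, body)` and the layer UID from show-access-layers; any rule that lands in the returned dict is evidence to attach to the TAC case, and a rule whose daily windows do add up can be trusted for the "unused rule" decision the portal is making.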
John_Doe
Contributor

Ok. Thank you for investigating my issue. I will open a case.

Jason_Carrillo
Collaborator

John, have you been able to get any response back about this issue? I am seeing the same thing when trying to audit rule usage stats. I have rules that show zero hits for stuff that is heavily and recently used according to SmartConsole.

net-harry
Collaborator

Dear John,

I am also trying to understand how the hit counters are updated. Did you get an answer from TAC?

I would also appreciate it if you have any additional information about the 3 hour interval between updates, and whether it is possible to determine when the next update will be and ideally to trigger it.

I noticed that when I hover over the hit counter it shows me the time of the first and last hit, but when I right-click on the rule number and select Hit Count -> Refresh it does not update the value.

Thanks for your help!

Harry

0 Kudos
