This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nicolas_Boisse
Employee Alumnus
Employee Alumnus
‎2017-08-31 06:47 AM

Log cleaning rule

One of the things that all firewall administrators should do is to create a log cleaning rule. As an example, a firewall connected to a windows networks will receive a lot of network broadcast. Those broadcast will be drop and log by default on the clean-up rule. In the long run, this results in a lost of disk space.

To remove those broadcast from the log file and save disk space, you should create a rule without log at the beginning of the rulebase:

The BROADCAST_GROUP should include all the broadcast address from all your gateways:

 

 

 

 

 

 

 

 

 

If you have multiple gateways, this task can become very long to do.

 

I've created a script to help you automate this task.

 

The script gets all the checkpoint gateway name and IP, connect to all of them and issue an ifconfig command then create a CSV template for the broadcast objects creation:

 

1-      Gets gateway name and IP from the management API and creates a CSV file

2-      Connect to each gateway from that CSV and issue ifconfig to get all the Broadcast address

3-      Creates a CSV template with all the discovered Broadcast

4-      Create and Import all broadcast objects into a group named BROADCAST_GROUP (API call)

 

You will automatically gets all the broadcast address from all your gateways into the groupe name BROADCAST_GROUP.

 

You can run the script either from the Smart Console or from SSH command line on the management server itself.

 

Happy Scripting 

 

For the full list of White Papers, go here

10 Replies
PhoneBoy
Admin
Admin
‎2017-09-01 10:32 AM

Nicolas, this is great!

Thanks for sharing.

Claudio_Bolcato
Contributor
‎2018-06-13 12:47 AM

This script is really awesome!!! 

I tried on my MDS and I had some problems but digging a little bit I found the issue. 
mdsenv "domain" is mandatory in a multi domain environment. I added it as third line and added in all mgmt_cli commands -d "domain".

Thanks a lot

Robert_Decker
Advisor
‎2018-06-13 02:25 AM

Great job Nicolas!

Just one comment - the show-simple-gateways command will return only first 50 gateways by default.

Robert.

Claudio_Bolcato
Contributor
‎2018-06-13 02:53 AM

I added limit 500 to override this 

ED
Advisor
‎2018-06-28 12:40 AM

Will this rule affect a DHCP server running on Gaia gateways? When a newly connected host sends dchp-request to 255.255.255.255.

Burton_Peake
Participant
‎2018-08-07 05:47 AM

I would think you could still put a rule in place above the cleanup rule that specifically permits the DHCP required protocols (dhcp-request and dhcp-reply) without permitting all broadcast traffic.

Nicolas_Boisse
Employee Alumnus
Employee Alumnus
‎2018-08-09 11:54 AM

The stealth rule will block those requests anyway. If you run the DHCP server on your gateway, you will need to add rule before the Stealth rule.

Paul_Wetton
Explorer
‎2019-05-15 07:39 AM

agreed but isn't there some debate about the destination or service being used in the "clean Up" rule which is what it was called previously. if you drop on the services it will drop a lot more than a destination per say. some clients don't like a clean up rule and wish to see everything!
Yury_Anoshyn
Participant
‎2020-04-09 12:45 AM

Hello, 

could you show link to script ?  may be something happened with my browser , but i not see any link to script.

Feridun_ÖZTOK
Contributor
‎2021-12-30 10:24 AM
In response to Yury_Anoshyn

Hi dude,

Could you find script?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top