Create a Post
Showing results for 
Search instead for 
Did you mean: 
Employee Alumnus
Employee Alumnus

Log cleaning rule

One of the things that all firewall administrators should do is to create a log cleaning rule. As an example, a firewall connected to a windows networks will receive a lot of network broadcast. Those broadcast will be drop and log by default on the clean-up rule. In the long run, this results in a lost of disk space.

To remove those broadcast from the log file and save disk space, you should create a rule without log at the beginning of the rulebase:

The BROADCAST_GROUP should include all the broadcast address from all your gateways:










If you have multiple gateways, this task can become very long to do.


I've created a script to help you automate this task.


The script gets all the checkpoint gateway name and IP, connect to all of them and issue an ifconfig command then create a CSV template for the broadcast objects creation:


1-      Gets gateway name and IP from the management API and creates a CSV file

2-      Connect to each gateway from that CSV and issue ifconfig to get all the Broadcast address

3-      Creates a CSV template with all the discovered Broadcast

4-      Create and Import all broadcast objects into a group named BROADCAST_GROUP (API call)


You will automatically gets all the broadcast address from all your gateways into the groupe name BROADCAST_GROUP.


You can run the script either from the Smart Console or from SSH command line on the management server itself.


Happy Scripting 


For the full list of White Papers, go here

10 Replies

Nicolas, this is great!

Thanks for sharing.


This script is really awesome!!! 

I tried on my MDS and I had some problems but digging a little bit I found the issue. 
mdsenv "domain" is mandatory in a multi domain environment. I added it as third line and added in all mgmt_cli commands -d "domain".

Thanks a lot


Great job Nicolas!

Just one comment - the show-simple-gateways command will return only first 50 gateways by default.



I added limit 500 to override this 


Will this rule affect a DHCP server running on Gaia gateways? When a newly connected host sends dchp-request to


I would think you could still put a rule in place above the cleanup rule that specifically permits the DHCP required protocols (dhcp-request and dhcp-reply) without permitting all broadcast traffic.

Employee Alumnus
Employee Alumnus

The stealth rule will block those requests anyway. If you run the DHCP server on your gateway, you will need to add rule before the Stealth rule.


agreed but isn't there some debate about the destination or service being used in the "clean Up" rule which is what it was called previously. if you drop on the services it will drop a lot more than a destination per say. some clients don't like a clean up rule and wish to see everything!


could you show link to script ?  may be something happened with my browser , but i not see any link to script.


Hi dude,

Could you find script?


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events