This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AleLovaz82
Collaborator
‎2023-02-06 07:05 AM

extract all the zero hit count policies and add a prefix name to them

Hi

I've a lot of rules and rulebase with almonst the 35% of policies with zero hit ,but before deleting I need to be extra-sure that there is not traffic.

My ( maybe bad ) idea is to add a prefix in zero count policy name like "CHECK 06022023" and then check them in a month or two to be sure that they are not matching any traffic before disabling them.
I need some help to extract all the policy that have zero hit count at the moment ,and then add a sort of prefix into the column "name"

I can't do it manually because we are talking abount 40 policy package for over 10000 policies 😞

Any idea? thx in advance!

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-02-06 07:31 AM

Here's a script that will help you find the Zero Hit Count rules and either disable or delete them:
https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MD... 
To add a prefix or similar, you'd have to modify the script.

0 Kudos
AleLovaz82
Collaborator
‎2023-02-06 07:52 AM
In response to PhoneBoy

thx ,i'll give a look this evening,
for the moment i've extracted all the policies into a .csv file and then sorted by hits = "zero" and with some cut and paste i've prepared a batch/bulk file for mgmt_cli
mgmt_cli -r true -d x.y.z.w. set access-rule -b bulkfile.txt

It works like a charm but it required some work with Vi and Excel.

Thx for now 🙂

0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2023-02-06 10:29 PM

My suggestion is to check not only rules with 0 hits, but also when the specific rule was last modified/created. It can happen that the rule has 0 hits, but someone modified the rule like 4 days ago. Or just created brand new rule recently.

When the rule was created or modified can be checked over API.

Then i would add condition to check rules with 0 hits, which were not modified in XY months. You will be 100% sure these rules were not touched and are not used at all.

On the other hand, there are cases when the traffic is not intended to be seen on daily basis, like emergency console access in case of disaster recovery. Such rules are critical and needed even the rules have 0 hits and were created/last modified 2 years ago.

Kind regards,
Jozko Mrkvicka
0 Kudos
AleLovaz82
Collaborator
‎2023-02-07 12:31 AM
In response to JozkoMrkvicka

yes, good advice,
but to avoid this kind of situation i'm going to extract all the 0HC rules ,by UID,at 10th of this months and then extract them again in March and see the differences with diff command.
All the results with ">" will be observed for another month
All the results with "<" will be disabled with a batch file for mgmt_cli 
As backup ,before deleting,I'll use an HTML export of the rulebase.

I honestly need to spend some time with API and scripting but i'm always busy 😐



Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events