AleLovaz82
Collaborator

Extract all the zero-hit-count policies and add a name prefix to them

Hi

I have a lot of rules and rulebases, with almost 35% of the policies at zero hits, but before deleting them I need to be extra sure that there is no traffic.

My (maybe bad) idea is to add a prefix to the names of the zero-hit policies, like "CHECK 06022023", and then check them in a month or two to be sure that they are not matching any traffic before disabling them.
I need some help extracting all the policies that currently have a zero hit count, and then adding a sort of prefix to the "name" column.

I can't do it manually because we are talking about 40 policy packages with over 10,000 policies 😞

Any idea? Thanks in advance!

0 Kudos
4 Replies
PhoneBoy
Admin

Here's a script that will help you find the Zero Hit Count rules and either disable or delete them:
https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MD... 
To add a prefix or similar, you'd have to modify the script.

0 Kudos
AleLovaz82
Collaborator

Thanks, I'll take a look this evening.
For the moment I've extracted all the policies into a .csv file, sorted by hits = "zero", and with some cut and paste I've prepared a batch/bulk file for mgmt_cli:
mgmt_cli -r true -d x.y.z.w. set access-rule -b bulkfile.txt

It works like a charm, but it required some work with Vi and Excel.

Thanks for now 🙂

0 Kudos
JozkoMrkvicka
Authority

My suggestion is to check not only rules with 0 hits, but also when the specific rule was last modified/created. It can happen that a rule has 0 hits, but someone modified it, say, 4 days ago, or just created a brand new rule recently.

When a rule was created or modified can be checked over the API.

Then I would add a condition to check for rules with 0 hits which were not modified in XY months. You will be 100% sure these rules were not touched and are not used at all.

On the other hand, there are cases when the traffic is not intended to be seen on a daily basis, like emergency console access in case of disaster recovery. Such rules are critical and needed even if they have 0 hits and were created/last modified 2 years ago.

Kind regards,
Jozko Mrkvicka
0 Kudos
AleLovaz82
Collaborator

Yes, good advice,
but to avoid this kind of situation I'm going to extract all the 0HC rules, by UID, on the 10th of this month and then extract them again in March and see the differences with the diff command.
All the results with ">" will be observed for another month.
All the results with "<" will be disabled with a batch file for mgmt_cli.
As a backup, before deleting, I'll use an HTML export of the rulebase.

I honestly need to spend some time with the API and scripting, but I'm always busy 😐
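
The three pieces discussed in this thread (the original question of pulling zero-hit rules and prefixing their names, JozkoMrkvicka's "not modified in XY months" condition, and the two-snapshot comparison by UID) fit in one short script. The following is an added example written for this thread; it is not code from the original posts, from the linked script, or from Check Point. It assumes the JSON shape that `mgmt_cli show access-rulebase name <layer> show-hits true --format json` returns (a "rulebase" list of "access-rule" objects, possibly nested inside "access-section" objects, each with "uid", "name", "hits" and "meta-info.last-modify-time.posix" in milliseconds) and that the batch CSV columns match the parameter names of `set access-rule` (uid, layer, new-name). The rulebase exports embedded below are constructed sample data, not a real policy.

```python
"""Zero-hit-count rule triage for the Check Point Management API.

Added example for this thread; it is not code from the original posts, from
the linked script, or from Check Point. Assumptions: the JSON shape of
`mgmt_cli show access-rulebase name <layer> show-hits true --format json`
(a top-level "rulebase" list of "access-rule" objects, optionally nested in
"access-section" objects, each carrying "uid", "name", "rule-number",
"hits": {"value": ..., "level": ...} and
"meta-info": {"last-modify-time": {"posix": <milliseconds>}}), and that the
batch CSV columns (uid, layer, new-name) are the parameter names of
`set access-rule`. Check both against your API version before running.
"""
import copy
import csv
import io
import json
import time

# Constructed sample export for one layer (not real data): February snapshot.
SNAPSHOT_FEB = json.loads("""
{
  "name": "Network",
  "rulebase": [
    {"type": "access-rule", "uid": "11111111-aaaa-4bbb-8ccc-000000000001",
     "name": "Allow DNS", "rule-number": 1,
     "hits": {"value": 48213, "level": "high"},
     "meta-info": {"last-modify-time": {"posix": 1640995200000}}},
    {"type": "access-section", "name": "Legacy", "rulebase": [
      {"type": "access-rule", "uid": "11111111-aaaa-4bbb-8ccc-000000000002",
       "name": "Old FTP server", "rule-number": 2,
       "hits": {"value": 0, "level": "zero"},
       "meta-info": {"last-modify-time": {"posix": 1609459200000}}},
      {"type": "access-rule", "uid": "11111111-aaaa-4bbb-8ccc-000000000003",
       "name": "New DR console", "rule-number": 3,
       "hits": {"value": 0, "level": "zero"},
       "meta-info": {"last-modify-time": {"posix": 1675468800000}}}
    ]},
    {"type": "access-rule", "uid": "11111111-aaaa-4bbb-8ccc-000000000004",
     "name": "Backup VLAN", "rule-number": 4,
     "hits": {"value": 0, "level": "zero"},
     "meta-info": {"last-modify-time": {"posix": 1577836800000}}}
  ]
}
""")

# Constructed March snapshot: the old FTP rule got traffic, a new rule appeared.
SNAPSHOT_MAR = copy.deepcopy(SNAPSHOT_FEB)
SNAPSHOT_MAR["rulebase"][1]["rulebase"][0]["hits"] = {"value": 3, "level": "low"}
SNAPSHOT_MAR["rulebase"].append({
    "type": "access-rule", "uid": "11111111-aaaa-4bbb-8ccc-000000000005",
    "name": "Temp vendor access", "rule-number": 5,
    "hits": {"value": 0, "level": "zero"},
    "meta-info": {"last-modify-time": {"posix": 1677628800000}}})


def iter_rules(rulebase):
    """Yield every access-rule, descending into sections (which nest a rulebase)."""
    for item in rulebase:
        if item.get("type") == "access-section":
            yield from iter_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item


def zero_hit_rules(layer_json, min_age_days=0, now_ms=None):
    """Zero-hit rules whose last modification is at least min_age_days in the past.

    A rule edited or created recently has had no time to accumulate hits, so
    it is excluded from the candidate list (the "not modified in XY months" check).
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    cutoff_ms = now_ms - min_age_days * 86400 * 1000
    selected = []
    for rule in iter_rules(layer_json["rulebase"]):
        if rule["hits"]["value"] != 0:
            continue
        if rule["meta-info"]["last-modify-time"]["posix"] <= cutoff_ms:
            selected.append(rule)
    return selected


def rename_batch(rules, layer, prefix):
    """CSV text for `mgmt_cli set access-rule -b <file>` that prefixes each name.

    Rules already carrying the prefix are skipped, so re-running the export
    after a month does not produce "CHECK ... CHECK ..." names.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["uid", "layer", "new-name"])
    for rule in rules:
        if rule["name"].startswith(prefix):
            continue
        writer.writerow([rule["uid"], layer, f"{prefix} {rule['name']}"])
    return buf.getvalue()


def compare_snapshots(old_layer_json, new_layer_json):
    """Classify zero-hit UIDs across two exports taken some time apart."""
    old = {r["uid"] for r in zero_hit_rules(old_layer_json)}
    new = {r["uid"] for r in zero_hit_rules(new_layer_json)}
    return {
        "still_zero": sorted(old & new),   # zero in both: candidates to disable
        "got_traffic": sorted(old - new),  # matched (or was removed) since: keep
        "newly_zero": sorted(new - old),   # zero only now: observe another period
    }


if __name__ == "__main__":
    # 2023-02-06 00:00 UTC as the reference "now" for the age filter
    aged = zero_hit_rules(SNAPSHOT_FEB, min_age_days=180, now_ms=1675641600000)
    print(rename_batch(aged, SNAPSHOT_FEB["name"], "CHECK 06022023"))
    print(json.dumps(compare_snapshots(SNAPSHOT_FEB, SNAPSHOT_MAR), indent=2))
```

Two caveats when running this against a real server: the batch file only renames rules in the session, so a `publish` still has to follow, and the hit counters reflect whichever gateways and time window the hit-count query covers (hit count must be enabled on the gateways, and `show access-rulebase` accepts `hits-settings` to restrict the window), so a zero here means "no hits in what the management server has collected", not necessarily "no traffic ever".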


