This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scott_Bily
Participant
‎2023-01-03 06:26 AM

Rule Base & Object Cleanup tools

Just looking for some general feedback from others on what is being used for rule base and object cleanup.  Are you using an external vendor products, or are there other tools/tricks out there.

We currently use the Tufin Secure Track product,(we did a comparison between Firemon, AlgoSec & Tufin as few years back).

But to be honest we have found that we are not really using most of the features of the Tufin product.  

Currently the main feature(which I really, really  like), is the reporting feature that is used for Rulebase & Object Cleanup.       Where if you had a firewall rule with multiple hosts or multiple services in it, it would basically give you a hit count/ per object on the rule.    So it was very easy to identify if a particular host or service was getting any hits over a period of time.   

The point is that it makes it very easy to find an object that is unused per rule vs.  just being an unused object for the entire policy which can be identified in Smart Console.

If there was an easy way to accomplish this same thing another way, I don't think we would even need Tufin.    

Wondering what others are doing, and if there are maybe tools out there that I am not aware of for helping with policy cleanup tasks.

Thanks







0 Kudos
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-01-03 07:00 AM

CP has hit count by rule - so you have to split into one each for multiple hosts or multiple services.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend
Legend
‎2023-01-03 07:26 AM

What I always do is export rules in csv format and search for disabled/rules with 0 hits.

Andy

0 Kudos
Scott_Bily
Participant
‎2023-01-03 08:08 AM
In response to the_rock

That only helps with part of the cleanup journey tho. I'm my example I am not targeting 0 hit rules.           For example if there are 2 application servers and we were given a list of service(ports) that are required for communications.  Tufin would tell us that in that 1 rule, the % of hits per service.  So it gave me an easy way to see that  FTP as an example was not really being used over a period of time.  
   I could create individual rules for the same src & dst hosts for each specific service(port).  But I feel that's a little unpractical, and that not how most of our rules were created.      And I could also accomplish the same thing by exporting all the logs for a specific rule.    But in this method I am limited to my log retention policy which is only about 4 -5 weeks of data.          

0 Kudos
CE_SE
Employee Alumnus
Employee Alumnus
‎2023-01-03 04:11 PM

Check Point also has a Professional Service called SmartOptimize that I would recommend which would accomplish these tasks and much more. Your account team should be able to provide you specifics if interested. 

Service Features are as follows.

• Detailed reports
• Recommendations
provided by expert
Professional Services
Consultants
• Rulebase Optimization
• Database Optimization
• System Health
• Risk analysis
• In-depth hit count analysis
• Optional onsite services

0 Kudos
Scott_Paisley
Advisor
‎2023-01-09 06:27 AM

Hi. Is that using the APG, or some other Tufin report? Thanks

0 Kudos
George_Ellis
Advisor
‎2023-01-23 07:57 AM

A caution with hit counts, are your failover and disaster recovery rules tagged?  Has your team specifically addressed this?  Examples might be rule or object comments that state they are for DR.  You might name the objects with 'dr' in them.  Or create a separate rule just for the dr.  That way, when you go solving by hitcount=0, you don't delete something that will bite you later. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events