
Rule Base & Object Cleanup tools

Just looking for some general feedback from others on what is being used for rule base and object cleanup. Are you using external vendor products, or are there other tools/tricks out there?

We currently use the Tufin Secure Track product (we did a comparison between Firemon, AlgoSec & Tufin a few years back).

But to be honest we have found that we are not really using most of the features of the Tufin product.  

Currently the main feature (which I really, really like) is the reporting feature that is used for Rulebase & Object Cleanup, where if you had a firewall rule with multiple hosts or multiple services in it, it would basically give you a hit count per object on the rule. So it was very easy to identify if a particular host or service was getting any hits over a period of time.

The point is that it makes it very easy to find an object that is unused per rule vs. just being an unused object for the entire policy, which can be identified in Smart Console.

If there was an easy way to accomplish this same thing another way, I don't think we would even need Tufin.    

Wondering what others are doing, and if there are maybe tools out there that I am not aware of for helping with policy cleanup tasks.


0 Kudos
6 Replies
Legend

CP has hit count by rule - so you have to split into one each for multiple hosts or multiple services.

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist

What I always do is export rules in csv format and search for disabled/rules with 0 hits.


0 Kudos

That only helps with part of the cleanup journey tho. In my example I am not targeting 0 hit rules. For example, if there are 2 application servers and we were given a list of services (ports) that are required for communications, Tufin would tell us, in that 1 rule, the % of hits per service. So it gave me an easy way to see that FTP, as an example, was not really being used over a period of time. I could create individual rules for the same src & dst hosts for each specific service (port). But I feel that's a little impractical, and that's not how most of our rules were created. And I could also accomplish the same thing by exporting all the logs for a specific rule. But in this method I am limited to my log retention policy, which is only about 4-5 weeks of data.

0 Kudos
Employee Alumnus

Check Point also has a Professional Service called SmartOptimize that I would recommend which would accomplish these tasks and much more. Your account team should be able to provide you specifics if interested. 

Service Features are as follows.

• Detailed reports
• Recommendations provided by expert Professional Services
• Rulebase Optimization
• Database Optimization
• System Health
• Risk analysis
• In-depth hit count analysis
• Optional onsite services

0 Kudos

Hi. Is that using the APG, or some other Tufin report? Thanks

0 Kudos

A caution with hit counts: are your failover and disaster recovery rules tagged? Has your team specifically addressed this? Examples might be rule or object comments that state they are for DR. You might name the objects with 'dr' in them. Or create a separate rule just for the DR. That way, when you go solving by hitcount=0, you don't delete something that will bite you later.

0 Kudos
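The two ideas in this thread, counting hits per object inside one rule from an exported log and holding back DR-named objects before acting on a zero count, can be combined in a short script. This is an added example, not part of any post and not Check Point or Tufin code; the rule definition, the CSV column names (`rule`, `src`, `dst`, `service`) and the object names are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed rule definition: hypothetical names, not from any real policy.
RULE = {
    "name": "app-to-db",
    "sources": ["app01", "app02"],
    "services": ["https", "ssh", "ftp", "dr-replication"],
}

# Constructed log export; the column names are assumptions, not a vendor format.
SAMPLE_LOG = """rule,src,dst,service
app-to-db,app01,db01,https
app-to-db,app01,db01,https
app-to-db,app02,db01,https
app-to-db,app01,db01,ssh
other-rule,app02,db01,ftp
"""

def is_dr(name, marker="dr"):
    """True when the object name carries the DR marker as its own token."""
    return marker in name.lower().replace("_", "-").split("-")

def per_object_hits(rule, log_file):
    """Count hits per source and per service for one rule only."""
    hits = {"sources": Counter(), "services": Counter()}
    for row in csv.DictReader(log_file):
        if row["rule"] != rule["name"]:
            continue  # a hit on another rule says nothing about this one
        hits["sources"][row["src"]] += 1
        hits["services"][row["service"]] += 1
    return hits

def cleanup_candidates(rule, log_file):
    """Split zero-hit objects into removal candidates and DR objects to review."""
    hits = per_object_hits(rule, log_file)
    remove, review = [], []
    for column in ("sources", "services"):
        for obj in rule[column]:
            if hits[column][obj] == 0:
                (review if is_dr(obj) else remove).append(obj)
    return remove, review

if __name__ == "__main__":
    remove, review = cleanup_candidates(RULE, io.StringIO(SAMPLE_LOG))
    print("zero hits, candidate for removal:", remove)
    print("zero hits, DR-tagged, keep for review:", review)
```

The counts cover only the period contained in the export, so a zero here means "no hits within log retention", not "never used".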

