Solved: hitcounter per object?

S_E_

Hi,
not sure if this was already on a roadmap.

Are there any plans to display hitcounters based on object rather on rules?
It is somehow difficult ecspecially when you have netsted groups and a large rulebase.
Splitting up the rules in 'individual single' hosts/service blow up the rulebase, disproportionate.

Is there any better approach?
cpview top connections sk167903 does not really help in this case.

Regards

PhoneBoy

We only track hit count on rules, not objects.

View solution in original post

S_E_

hi,

Thanks,

RFE has been created and submitted.

View solution in original post

Shyy

Seems like a feature that should have been added a long time ago.
I don't think you have any other way to actually approach this better at the moment other then spliting the rules,
or leveraging logs with filters (just need to be really specific).

Don_Paterson

Have you been using the Tops pane in the Logs tab (LOGS & MONITORING / LOGS & EVENTS (R82)) to do any of that type of analysis?

API options for that too (https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-logs~v2.0.1%20)

Maybe not relevant but there have been enhancements in that area recently:

https://community.checkpoint.com/t5/Management/This-Month-s-Spotlight-3-Features-You-Should-Start-Us...

From that post (see that post for screenshot and more):

"1. Top Matched Access Rules

What it is

SmartConsole now surfaces Top Matched Access Rules (and Top Log Types) as built-in statistics, so you can quickly see which rules are doing the most work - right where you manage policy and logs.
This feature was also added to the Management API: the show-logs command now returns statistics for Top Matched Access Control Rules and Top Log Types. This makes it easy to identify rules that generate a high volume of logs, both in SmartConsole and via automation.

Use cases

Rulebase cleanup & optimization: Quickly spot the busiest rules (“heavy hitters”) and decide whether to move them up, narrow their scope, or split overly broad rules.
Find unused or shadowed rules: Identify rules with no hits, which may be redundant or hidden behind broader rules.
Validate recent changes: After a policy update, check that the right rules are being triggered and that traffic flow hasn’t shifted unexpectedly.

Why you’ll love it

Clear visibility: See the busiest and least-used rules directly in SmartConsole, without switching to external reports.
Smarter policy decisions: Use real hit data to fine-tune your rulebase, improve performance, and reduce risk.
Confidence in changes: Validate that policy edits had the intended effect, backed by measurable statistics.
Built-in automation: Access the same data through the Logs API to integrate checks into CI/CD pipelines or scheduled reviews.

Availability: R82.10, or R82 with Jumbo Take 36+."

S_E_

@Don_Paterson wrote:

Have you been using the Tops pane in the Logs tab (LOGS & MONITORING / LOGS & EVENTS (R82)) to do any of that type of analysis?

hi,

no, I was not aware of that inside SmartConsole, only formerly in https://mgmt/smartview.

Yes with Tops, even with MDS R81.20, I can see top-talker. However not exactly that what I was looking for.

My goal was to find unused or shadowed objects, not rules:

Thanks a lot

Regards

the_rock

You can find unused in the object explorer from the top left menu, then choose unused.

Best,
Andy

Don_Paterson

Hey Andy,

I think it is more about objects that are actually used in the rules (no unused) but the rules that those objects are in are not matched specifically for that objects.

The objects are obviously not alone in the SRC or DST cell and are in a group or along with multiple other objects.

Regards,

Don

the_rock

I see what you mean! Btw, I did check in the lab in regards to tops tab in logs and monitor, but does not appear to give anything hit count related for the objects.

Best,
Andy

Don_Paterson

Yeah, its a good one.

One thing you might like to look at:

In the Logs tab (SmartLog) click the options button (top right - at the end of the query bar) --> Tools --> Query Settings

In the Query Settings window you can change the Maximum to 50.

Then OK and go back to the Tops tab and expand Top Destinations.

It's not a lot, 50, and doesn't solve the problem but can help in some cases.

Also try this: query service:https (All Time) and then look at top destinations. As an example.

the_rock

Hey Don,

Yes, I did that this morning, but still does not show any hit count per object, unless Im missing something?

Best,
Andy

Henrik_Noerr1

this is on the roadmap for Policy Insights for 2026. It's a paid feature by the way.

the_rock

Wont be free?

Best,
Andy

Henrik_Noerr1

No, licensed under the SKU -COMPLETE

So you have:

CPSM-NGSM10-COMPLETE

CPSM-NGSM10-PREMIUM

CPSM-NGSM10

complete provides the usage per object in a rule (When implemented according to roadmap)

This also required uploading rulebase and telemetry to the cloud for analysis.

/Henrik

the_rock

Ah, got it, thank you!

Best,
Andy

the_rock

That is an excellent idea. I will say though, for now, cpview and tops pane @Don_Paterson mentioned are your best bet. I, personally, cant think of anything else at the moment.

Best,
Andy

the_rock

I also checked smart event in my lab, but dont see any option for hit count when I create custom report. O well : - (

Best,
Andy

the_rock

FWIW, I also played around with mgmt_cli commands in my mgmt lab, but appears flag show-hits only works with rule command, NOT object. Maybe someone from CP can confirm this for sure, but thats what it seems like to me.

Best,
Andy

PhoneBoy

We only track hit count on rules, not objects.

the_rock

I figured as well that had to be the case, though definitely good idea, but sounds like a candidate for an RFE.

Best,
Andy

S_E_

hi,

Thanks,

RFE has been created and submitted.

the_rock

Definitely best option for now.

Best,
Andy

Are you a member of CheckMates?

hitcounter per object?

What it is