Hello everyone,
A customer recently placed a firewall to control all inter-VLAN traffic and, unfortunately, they are not aware (as is usually the case) of what kind of traffic is generated between the VLANs, as it was running through a switch until now.
We started building the rulebase based on their needs, but I still believe it is far from ideal. To avoid any major issues we had to leave the last rule as ACCEPT. At this point, the only way seems to be to analyze the logs of this rule and keep adding new rules, which brings me to the real question (and I sincerely apologize if this is stupid): is there any quick way or a tool (I know Tufin can analyze the existing rulebase) to do this?
(I searched the forum but couldn't find any Q or A that might be directly related)
Thanks in advance,
Policy Management would be the best place to put this.
The central question is: what is valid, acceptable traffic and what is not?
No tool is going to be able to tell you that.
What you can do in SmartView/SmartLog is look at the top sources/destinations on this rule.
From there, you can drill down and see what is generating the most traffic and start making appropriate rules around that, perhaps after asking a few questions about what the particular host is doing and why.
There are a couple of commercial tools that can help you with that: AlgoSec, for instance, has an optimization tool that analyzes firewall logs and gives you proposals of rules. I guess Tufin does something similar.
The other option is a manual study of the exported logs with other tools such as Splunk, or building a module with Access... Little by little you can summarize the traffic.
Anyway, an Any/Any/Accept rule has several problems if TCP out-of-state is not enabled, because the logs will show even the SYN-ACK packets as being the first ones if there is some kind of asymmetric traffic. Be aware of that.
Hi Bekir,
My starting point would be to configure the gateway's interfaces in monitor mode along with a SPAN port on the switch, so that inter-VLAN traffic can be mirrored to the gateway and analysed without affecting the production environment (see sk101670 for more info).
Once the traffic has been analysed over a period of time, you would then be in a better position to construct a more suited rule base.
I hope this helps.
Thank you for the prompt response Nick. I already have all the logs I need but it's millions of lines for even weekly traffic.
I was wondering if there's any tool (including 3rd party ones of course) to make this daunting task easier (i.e. finding patterns and making recommendations) 😃
Hi Bekir,
Now that your request is a bit clearer, the answer is no, I would be really surprised if such a tool exists!
In addition to what Phoneboy said, I believe you could also do the following:
- Provided that the logs can be exported in CSV format, you could start importing samples into Excel, apply a filter or a pivot table and then analyse the traffic on the basis of specific criteria such as source subnets/networks etc.
- Assuming you have captured some of the traffic involved, you could analyse it in Wireshark with the use of multiple display filters (based on say protocols).
This is what I would do anyway. I also strongly believe that this is work you would have to do with the customer as well, unless you know their environment and critical services inside out. Once again though, the answer is no, I'm afraid: there is no easy way to go about this.
I hope this helps.
Great advice all around, thank you everyone. Especially Phoneboy and Jose 😃
I'm aware that I shouldn't be "allowing" all traffic but the customer will be deciding everything at the end of the day.
I already started analyzing the traffic with the help of Tufin and building a rulebase on its proposals, mostly based on subnets, but I will come back to them and change them into more restricted rules. The final step will be changing the last rule to drop and adding additional rules if we experience any major issues / outages.
Thank you again.
Hello Community,
I need to do a similar task: generate rules from an overly permissive "any any accept" policy. Many years ago I used Tufin APG for a similar task. Since there is no Tufin in this environment, I decided to look around.
There is a Perl tool, "360-FAAR Firewall Analysis Audit Repair", that I'm considering trying before trying Excel and pivot tables.
As per the README at https://sourceforge.net/projects/faar/files/:
* Build new rulebases from scratch with a single 'any' rule and log files.
# Currently supported input firewall log types are:
# - Checkpoint Firewall-1: logexport utility format,
Hello Sergej,
I will definitely be looking into this one, as it seems to cover a lot of ground for this security engineering task. Thanks for sharing it 😃
Hi Bekir,
I too have had this need several times, and without the funding for commercial tools it can seem like an enormous task. What I have found is that you can segment the rule base instantly based on traffic flow direction with an accept-and-log rule. This massively cuts down the hits on one single rule and makes the task somewhat "easier".
For example, let's assume you have 2 networks.
Instead of having your any any any rule solely in place, you could create the following rules above your global any.
Rule 1:
Source: DMZ (10.10.10.0/24)
Destination: Server Network (10.10.30.0/24)
Service(s): Any
Action: Accept
Rule 2:
Source: Server Network (10.10.30.0/24)
Destination: DMZ (10.10.10.0/24)
Service(s): Any
Action: Accept
Log: Yes
You would then perform analysis on each of the rules independently and start to create your actual required rules above these more specific rules.
You should then see that your original ANY rule starts to get fewer and fewer hits, until the point where you can change its action to drop as a global cleanup rule.
For the actual analysis we use CSV export from SmartView (web version of SmartLog) and then perform unique flow filtering within Excel. This shows us all unique connections seen over a time period, we can then validate the connection then create as required.
I would also look at connections that generate a lot of the noise the firewall may see (broadcast, multicast, etc.), validate those connections and, if not required, drop them without logging. This will remove a lot of garbage from your outputs.
I hope that I have explained this OK, if not let me know and I will elaborate further.
Regards
Mark
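The CSV "unique flow" filtering Mark describes above (and the Excel pivot-table approach Nick suggested earlier in the thread) can be scripted instead of done by hand. The block below is an added example, not code from the thread or from Check Point: it assumes a CSV export with Source/Destination/Protocol/Service columns (the real SmartView header may differ), uses the two hypothetical networks from Mark's post as zones, collapses the log lines into zone-to-zone/service candidates with the exact hosts seen, and separates broadcast/multicast noise into its own bucket.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of a CSV log export; the column names are an assumption,
# not the exact SmartView/SmartLog export header.
SAMPLE_CSV = """Source,Destination,Protocol,Service
10.10.10.5,10.10.30.20,tcp,443
10.10.10.5,10.10.30.20,tcp,443
10.10.10.7,10.10.30.20,tcp,443
10.10.30.20,10.10.10.5,tcp,22
10.10.10.5,10.10.30.255,udp,137
10.10.30.21,224.0.0.251,udp,5353
10.10.30.21,192.168.50.9,tcp,3389
"""

# Hypothetical zones matching the two networks in the post above.
ZONES = {"DMZ": ipaddress.ip_network("10.10.10.0/24"),
         "Server Network": ipaddress.ip_network("10.10.30.0/24")}

def zone_of(ip):
    """Map an address to a zone name, or 'Unknown' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "Unknown")

def is_noise(dst):
    """Broadcast/multicast destinations: candidates for drop-without-log."""
    addr = ipaddress.ip_address(dst)
    return (addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255")
            or any(addr == net.broadcast_address for net in ZONES.values()))

def summarise(csv_text):
    """Return (zone-to-zone/service candidates sorted by hits desc, noise Counter)."""
    agg, noise = {}, Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        svc = f"{row['Protocol']}/{row['Service']}"
        if is_noise(row["Destination"]):
            noise[(row["Destination"], svc)] += 1
            continue
        key = (zone_of(row["Source"]), zone_of(row["Destination"]), svc)
        e = agg.setdefault(key, {"hits": 0, "sources": set(), "destinations": set()})
        e["hits"] += 1
        e["sources"].add(row["Source"])
        e["destinations"].add(row["Destination"])
    proposals = [{"src_zone": sz, "dst_zone": dz, "service": svc, "hits": e["hits"],
                  "sources": sorted(e["sources"]), "destinations": sorted(e["destinations"])}
                 for (sz, dz, svc), e in agg.items()]
    return sorted(proposals, key=lambda p: -p["hits"]), noise
```

Each candidate starts as a subnet-to-subnet rule; the `sources`/`destinations` lists are what you use to tighten it to host objects later, and the noise bucket is what you review for drop-without-log rules.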
Hello Mark,
This was also the method I used, and then the customer decided to get Tufin, which made things much easier.
But again not every customer has the budget to do so and this seems to be the most practical way for an otherwise daunting task.