Solved: Re: Export of rules with zero hits in dashboard - Page 2

the_rock · ‎2021-05-27

Hi everyone,

I saw some posts about this before, but there was never a confirmation if this was ever available. I am trying to export rules in excel format for a customer that requested list of rules with zero hits, but does not seem its possible. I exported all the rules and can filter for example for any disabled rules, but I dont see column anywhere in excel file for hits, though hits column is enabled in dashboard.

Any idea if this is possible in R81 at all? It is cloud mgmt, but I dont think that makes any difference.

Also, another thing I noticed, though this could be pure cosmetic is that all 100 some NAT rules show zero hits, which also makes no sense, since we know bunch of them are getting hit for sure.

Thanks in advance!

the_rock · ‎2025-05-13

Just did some checks and sadly, cant see a way to do this from smart console. I also tried smartview, but no luck. Also did below from ssh, but cant see hit count there either.

Andy

[Expert@CP-MANAGEMENT:0]# mgmt_cli show package name "R82-SSL-INSPECTION-LAB-POLICY" --format json
Username: admin
Password:
{
"uid" : "0fd04089-8f41-424a-aeb3-0534161618ca",
"name" : "R82-SSL-INSPECTION-LAB-POLICY",
"type" : "package",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"https-inspection-layers" : {
"inbound-https-layer" : {
"uid" : "dbd264b3-5b34-4105-a35e-364ccabc7f82",
"name" : "Default Inbound Layer",
"type" : "https-layer",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"icon" : "ApplicationFirewall/rulebase",
"color" : "black"
},
"outbound-https-layer" : {
"uid" : "ecb98b31-5e17-44c5-bc05-ce1a8b3d1c3d",
"name" : "Default Outbound Layer",
"type" : "https-layer",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"icon" : "ApplicationFirewall/rulebase",
"color" : "black"
}
},
"installation-targets-revision" : [ {
"cluster-members-revision" : [ {
"target-name" : "CP-FW-02",
"target-uid" : "c2fdd6b1-e28a-4fff-bc41-f54aa31cf4f7",
"revision" : {
"uid" : "623f7685-c888-4ba0-b6d4-6f797772e4a6",
"type" : "session",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"icon" : "Objects/worksession",
"color" : "black"
}
} ],
"target-name" : "CP-FW-CLUSTER",
"target-uid" : "1d825439-7eff-42ff-bee2-f091dad7aa83"
}, {
"target-name" : "CP-GW",
"target-uid" : "0c57736d-de40-448d-94e6-5d23c68bf031",
"revision" : {
"uid" : "623f7685-c888-4ba0-b6d4-6f797772e4a6",
"type" : "session",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"icon" : "Objects/worksession",
"color" : "black"
}
} ],
"access" : true,
"access-layers" : [ {
"uid" : "38271c2f-ab44-4e25-9aa4-e219cb6e12cf",
"name" : "network",
"type" : "access-layer",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"icon" : "ApplicationFirewall/rulebase",
"color" : "black"
}, {
"uid" : "0d66fd92-fb01-4862-8005-8871f976ad4f",
"name" : "appc+urlf",
"type" : "access-layer",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"icon" : "ApplicationFirewall/rulebase",
"color" : "black"
}, {
"uid" : "8c33534f-e11d-4511-a5d1-538a0415a7b3",
"name" : "final-layer",
"type" : "access-layer",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"icon" : "ApplicationFirewall/rulebase",
"color" : "black"
} ],
"threat-layers" : [ {
"uid" : "62edcf70-8f91-4ada-9a03-2d5d72a9ef6e",
"name" : "IPS",
"type" : "threat-layer",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"icon" : "ApplicationFirewall/sharedrulebase",
"color" : "black"
}, {
"uid" : "6cc286f4-87bc-412a-b231-8c63c30d978e",
"name" : "R82-SSL-INSPECTION-LAB-POLICY Threat Prevention",
"type" : "threat-layer",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"icon" : "ApplicationFirewall/rulebase",
"color" : "black"
} ],
"vpn-traditional-mode" : false,
"nat-policy" : true,
"qos" : true,
"qos-policy-type" : "recommended",
"desktop-security" : false,
"threat-prevention" : true,
"installation-targets" : "all",
"https-inspection-policy" : true,
"infinity-threat-policy" : "e2b0ba60-56be-456b-ba46-73df3cf5cbed",
"autonomous-threat-policy" : "e2b0ba60-56be-456b-ba46-73df3cf5cbed",
"comments" : "",
"color" : "cyan",
"icon" : "Blades/Access",
"tags" : [ ],
"meta-info" : {
"lock" : "unlocked",
"validation-state" : "ok",
"last-modify-time" : {
"posix" : 1742753432509,
"iso-8601" : "2025-03-23T14:10-0400"
},
"last-modifier" : "admin",
"creation-time" : {
"posix" : 1668667433989,
"iso-8601" : "2022-11-17T01:43-0500"
},
"creator" : "System"
},
"read-only" : false,
"available-actions" : {
"edit" : "true",
"delete" : "true",
"clone" : "false"
}
}
[Expert@CP-MANAGEMENT:0]#

Matlu · ‎2025-05-13

Bro

This command would run on every CMA in my MDS, right?

The command shows you information from how far back?
30 days, 60, 90?

the_rock · ‎2025-05-13

Never ran it on MDS, so cant say for sure. I assume it would run in whatever context you are in, so say if you are in CMA1 (just as an example), it would show you there. As far as days count, I have it set to 2 years globally.

Andy

Matlu · ‎2025-05-13

I found a discussion that comes close to what I need.

https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MD...

Have you tested it in version like R81 to more?

the_rock · ‎2025-05-13

O that, right. Yes, I tested it on R81.10 and it did work.

Andy

Duane_Toler · ‎2025-05-13

You need to use the "show-access-rulebase" management API with hit-count option to specify the range of date and time:

https://sc1.checkpoint.com/documents/latest/APIs/#web/show-access-rulebase~v1.9.1%20

For MDS and multiple policy packages, you will need to specify each one separately for each MDS. You can do this with Ansible or a custom script. It will not be simple and easy, but it can be done.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

Matlu · ‎2025-05-13

This command shows you on screen, the information of how far back?
Is there an approximate?
30, 60, 90 days?

the_rock · ‎2025-05-13

not sure 😞

Youssef_Obeidal · ‎2023-02-28

Hi,

We will look into it for the next version and try to backport to JHF of recent versions.

Eric_Smith · ‎2023-02-28

I have a lot of customers who will be very happy to see and hear that. Thank you Youssef.

the_rock · ‎2023-02-28

Agree 100%. It would be awesome feature to have, for sure. I also made another post about https inspection policy rules hits and hopefully that will also be integrated at some point in future releases, lets see.

Youssef_Obeidal · ‎2024-08-06

Hi,
We are aware of the requirement, and working to add it soon. it is part of our short term plan.
will include the hitcount data, first hit, and last hit.

the_rock · ‎2024-08-06

Great news @Youssef_Obeidal

Eric_Smith · ‎2024-08-06

That will be amazing. Thank you for the Update Youssef.

the_rock · ‎2024-08-06

Also, just to "throw" this into the mix, as they say, I think it would be AMAZING @Youssef_Obeidal if hits could be enabled hor https inspection policy. I had many customers ask me about it, but so far, I dont see it in R82 EA either.

Best,

Andy

Sajgon107 · ‎2024-11-21

Hey there,

im trying to get the hit count in to the CSV export. Firstly I've enabled hits in the top column and then did the export. Unfortunately in CSV i see columnt hits but with no data (entire column is empty).

Any advice please?

Im running R81.10 T169

the_rock · ‎2024-11-21

What version? I just exported in my lab R81.20 jumbo 90 and works fine. File attached. I also tested R82, no issues.

Andy

Matlu · ‎2025-03-08

Hey, Bro.

Does this work in MDS environments? Can the rulebase be exported from any particular domain of my MDS?
I have version R81.20

Now among so much information in this post I'm a bit confused about the command to execute via CLI to get the info you need.

Could you highlight which is the command, please?

Cheers.

the_rock · ‎2025-03-08

I did test it back then and it did work on MDS, yes.

Andy

Matlu · ‎2025-03-08

Sorry, could you tell me what is the syntax of the command to achieve this goal?

the_rock · ‎2025-03-08

Yes, just export the rules from smart console, there is an option on the top when you are in security rules portion.

Andy

Sergei_Karpovit · ‎2024-04-05

were there any updates to your question? we are as well looking for a report that will have another column, which will show “Rule Last Used” information, which is available via Dashboard when you hover mouse over the hit number as well in rule details information? this would be very helpful. When we do export, it doesn't give you an option to select which data you want to export, but providing that future, would greatly benefit everyone.

Sergei_Karpovit · ‎2024-04-05

Is it possible to add another column to report which will show “Rule Last Used” information, which is available via Dashboard when you hover mouse over the hit number as well in rule details information? this would be very helpful. When we do export, it doesn't give you an option to select which data you want to export, but providing that future, would greatly benefit everyone. Thank you

the_rock · ‎2024-04-05

Interesting question, I dont see that anywhere either, not sure if its possible.

Andy

Sergei_Karpovit · ‎2024-04-05

if they can get count data, getting the date of the last hit shouldn't be an issue :), especially that info is available via Dashboard in 2 places.

the_rock · ‎2024-04-05

Thats true, as long as hit count is enabled, it will show last hit, agree : - )

Andy

Sergei_Karpovit · ‎2024-08-07

It looks like a lot of good progress been made on the Export of rules with zero hits in dashboard, however there is always room for improvement and if further request can be fulfilled by checkpoint, that will make happy many people. One request in discussions below is about getting First & Last hit dates to be exported along with the hits number, that info is currently available in the Dashboard, that should be simple. But i have another request and if Checkpoint can make it happen, that would be brilliant. Let's say i have a rule were source or destination is not a single object but a group with multiple objects. I want to see in the dashboard the number of hits generated and accepted by each object. And if for some reason one of the source objects not generating traffic or traffic not being send to one of the destination objects, that will help us to cleanup unused objects. Today unused object is the one that is not used in any group, policy, etc... but in reality, sometimes there are servers that been decommissioned or re-used for different app but Security team wasn't updated and if this information is missed, then object will be sitting in the rule without generation or accepting traffic, means unused and can be removed. I hope this makes sense, can be done and will be done in one of the next Dashboard patches or upgrades.

Are you a member of CheckMates?

Export of rules with zero hits in dashboard