Hi Duane, 

im new to API , i did a copy/paste of the syntax shared on the smart console command cli  and every time it gets crashed.

Can I run this via expert mode. is there any syntax that I have to add.

Please guide.

This is a .sh script that should run in expert mode - you have to rename the policy package to your policy package name...

Hello, 

Can u help me or guide how to run such scripts 

It is generally expected that, when using expert mode (including for running scripts), that the administrator has some basic Linux/Unix knowledge.

Versus copy/pasting a script, you might try a pre-built script that largely accomplishes the same thing: https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MD...
After downloading the script to the management station, use chmod 755 to make the script executable (e.g. chmod 755 cleanup-zero-hits.sh).

Scripts like that won’t work in the SmartConsole CLI, it has to be done in expert mode.

Tried cpstat blades yet ?

This gives the rules with top hits . what I need is the rules with zero hits.

Find some possibilities to see it here: sk85780: How to use the 'connstat' utility

unfortunately this is only for Windows OS,

In the below command, you are using the 'Network' name, does it change firewall to firewall , customer to customer?
Is it static or configurable?

TOTAL_RULES=$(mgmt_cli -r true show-access-rulebase name Network package Standard limit 1 details-level uid | jq '.total')

This is what your policy layer name is.  You can make it variable.  Likewise for the policy package name.  Your policy package may not be called Standard, so this can be variable, too.

POLICY_LAYER="Whatever_yours_is_called"

POLICY_PACKAGE="Not So Standard"

TOTAL_RULES=$(mgmt_cli -r true show-access-rulebase name "${POLICY_LAYER}" package "${POLICY_PACKAGE}" limit 1 details-level uid | jq '.total')

In the mgmt_cli command, be sure it's double-quoted in case your policy layer has spaces in its name.

With the variable policy layer name, you can also use that to search the Application layer, if your app control rules are in a separate policy.  Likewise, if you have any nested policy layers, just change the name of that variable to get only the rules of that nested policy.

The main security policy is now "just another layer", albeit the top-level ordered layer.

Hope that helps!

@Duane_Toler 
what command/API would list  POLICY_LAYER and POLICY_PACKAGE

I'm writing a script that should run on any of the firewalls irrespective of package/policy names, 
I want to collect the hit count(last/first hit) of all security-rule from all checkpoint firewalls in my network.
so I would run the first API from which I will get the policy-layer and package name and will pass it to the below command :

mgmt_cli -r true show access-rulebase name {POLICY_LAYER} details-level {POLICY_PACKAGE} use-object-dictionary false show-hits true --format json > rulebase_output.json

One option is to set those variables on your own manually.  Keep in mind a few things:

1) You can't pull hit counts for a given rule on a given gateway; the hit counts are aggregated from all gateways on which the rule is installed.

2) You don't pull rules from a given gateway; they're stored on the management server and applied to the gateway(s) based on the policy targets and the Install On column.

3) You can't get the first-hit date of a rule nor the last-hit date; these are aggregates from a window of time you specify in the show-access-rulebase command.

4) These API commands are ran against the management server (or management domain for MDS), not a gateway

To get all policy packages on the management server, you use the "show-packages" API command.

To pull all policy layers, you use the "show-access-layers" API command.

Use the show-access-rulebase API to pull the entire rulebase of the policy layer and with an optional package argument.

If you want to craft your own sequences, you should review the management API command reference for your management server's version (and Jumbo HFA level!): https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.9.1%20

You can do all of this at the command line in Bash (and I've done it), but you'll need to have plenty of shell scripting skills to do so.  Depending on the size of your top level policy layer and sub-layers, pulling all the rules and hit counts may be an intense operation and should be done wisely.  If you have 5,000 rules, you may not want to pull all 5,000 rules in one operation (and I think the API server may not allow that much in one task).  You can page through the rules in chunks, but you will have to write your own page-management loop to account for the various page chunks.  Again, tread cautiously, wisely, and judiciously depending on your configuration.

Very lightly tested, and not at all verified, but this might get you started:

# Set an array for the packages
declare -a policy_packages

# List of policy packages (hopefully no spaces in your package names)
policy_packages=$(mgmt_cli -r true show-packages |jq -r '.packages[].name')

# Loop through the policy packages
for package in ${policy_packages[@]}; do
  echo "Policy package: ${package}"
  # Get list of policy layers, replace spaces in policy layer names with 0xFF so Bash can tolerate
  for layer in $(mgmt_cli -r true show-access-layers|jq -r '."access-layers"[].name'|sed -e 's/ /\xff/g'); do
    # Replace 0xFF with spaces again
    policy_layer=$(echo $layer|sed -e 's/\xff/ /g')
    echo "  Policy layer: $policy_layer"

    # Fetch rulebase of policy layer in the package and get total rule count
    mgmt_cli -r true show-access-rulebase name "${policy_layer}" package ${package} limit 1 |jq -r '.total'
        # From here you can page through the rules in chunks to get the hit-counts in the layer
    done
done