Malik1
Contributor

HIT Counts R80.40

Hi Experts, 

 

I have a client who wants to remove unused rules. One way of doing it is by identifying rules with zero hits. Here I have a query.

1. Let's say I have set the hit count for 3 months. That means SMS will store the hit count data for 3 months for each rule in the policy. If I had hits on a specific rule in Jan and for the next 3 months that rule was unused, does the hit count reset to zero?

2. Is there any other way to identify/delete unused rules?

Regards,

SM

 

0 Kudos
12 Replies
Chris_Atkinson
Employee

Log analysis is another way depending on your tooling.

Refer also:

https://sc1.checkpoint.com/documents/r80.40/webadminguides/en/cp_r80.40_securitymanagement_adminguid...

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend

 

  • Connect to command line on Security Gateway / each cluster member.

  • Log in to Clish / Expert mode.

  • Run the cpstat blades command.

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Duane_Toler
Advisor

I did this for a customer, and used the API command on the management server:

 

#!/bin/bash
# Date window for the hit count query (last 90 days)
FROM_DATE=$(date -d "90 days ago" +"%Y-%m-%d")
TO_DATE=$(date +"%Y-%m-%d")
JSON_FILE="firewall_rules.last_90_days.json"
CSV_FILE="firewall_rules.last_90_days.csv"
export MGMT_CLI_FORMAT=json

# Get the rule count, then fetch the rulebase with hit counts for the window
TOTAL_RULES=$(mgmt_cli -r true show-access-rulebase name Network package Standard limit 1 details-level uid | jq '.total')
mgmt_cli -r true show-access-rulebase name Network package Standard show-hits true hits-settings.from-date "${FROM_DATE}" hits-settings.to-date "${TO_DATE}" use-object-dictionary true limit "${TOTAL_RULES}" > "${JSON_FILE}"

echo '"Rule Number","Source","Destination","VPN","Service","Rule Action","Install On"' | tee "${CSV_FILE}"

# Rule numbers of enabled rules (top level or inside sections) with zero hits
for rule in $(jq -r '.rulebase[] |
  select(.type=="access-rule"), select(.type=="access-section").rulebase[] |
  select(.enabled) |
  select(.hits.value == 0)."rule-number"|@text' "${JSON_FILE}")
do
# Resolve object UIDs to names and emit one CSV row for this rule
jq --arg rule "$rule" '( [ ."objects-dictionary"[] | { key:.uid, value:.name  } ] | from_entries ) as $objs |
  .rulebase[]| select(.type=="access-rule"),select(.type=="access-section").rulebase[] |
  select((."rule-number"|@text)==$rule) |
   [ ( [ ."rule-number"|@text ]|@csv ),
     ( [ $objs[."source"[]] ]|@csv),
     ( [$objs[."destination"[]] ]|@csv),
     ( [ $objs[."vpn"[]] ]|@csv ),
     ( [ $objs[."service"[]] ]|@csv ),
     ( [ $objs[."action"] ]|@csv ),
     ( [ $objs[."install-on"[] ] ]|@csv )
   ] |@csv
' < "${JSON_FILE}"
done |\
# Strip the escaping left over from the nested @csv calls
sed -e 's@\\"\\"@@g' -e 's@\\"@"@g' -e 's/^""/"/g' -e 's/""$/"/g' | tee -a "${CSV_FILE}"
echo

 

The CSV file has a list of the rules with zero hits.  Use however you wish.  Adjust numbers in the script however you want.

 

# cat firewall_rules.last_90_days.csv
"number","source","destination","vpn","service","action","install on"
"1","obj1,obj2","obj1,obj2","Any","Any","Accept","gateway"
"28","obj3","obj4","Any","http","Accept","gateway2"

 

 

0 Kudos
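An added example, not part of the post above and not Check Point code: the same zero-hit selection done offline in Python over the saved JSON, which also sets aside rules created inside the hit-count window, since a zero count on those does not cover the full period. The sample data is constructed, and the `meta-info.creation-time.posix` field (epoch milliseconds) is an assumption about what the API returns at a details level that includes it.

```python
import csv
import io
COLUMNS = ["source", "destination", "vpn", "service", "action", "install-on"]
WINDOW_START_MS = 1_700_000_000_000  # constructed start of the hit-count window

def _rule(num, hits, created_ms, enabled=True):
    r = {k: ["u-any"] for k in COLUMNS}
    r.update({"type": "access-rule", "rule-number": num, "enabled": enabled,
              "destination": ["u-web"], "action": "u-acc", "hits": {"value": hits},
              "meta-info": {"creation-time": {"posix": created_ms}}})  # assumed field
    return r

# Constructed sample shaped like the JSON file saved by the script above; UIDs are invented.
SAMPLE = {
    "objects-dictionary": [{"uid": u, "name": n} for u, n in
                           (("u-any", "Any"), ("u-web", "web-srv"), ("u-acc", "Accept"))],
    "rulebase": [
        _rule(1, 0, 1_600_000_000_000),
        {"type": "access-section", "name": "DMZ", "rulebase": [
            _rule(2, 0, 1_705_000_000_000),  # created inside the window
            _rule(3, 57, 1_600_000_000_000)]},
        _rule(4, 0, 1_600_000_000_000, enabled=False)]}

def iter_rules(entries):
    """Yield access rules, descending into access-section containers."""
    for e in entries:
        if e.get("type") == "access-rule":
            yield e
        elif e.get("type") == "access-section":
            yield from iter_rules(e.get("rulebase", []))

def zero_hit_rules(data, start_ms):
    """Return (candidates, review) rows for enabled rules with zero hits."""
    names = {o["uid"]: o["name"] for o in data.get("objects-dictionary", [])}
    def resolve(v):
        return ",".join(names.get(u, u) for u in (v if isinstance(v, list) else [v]))
    candidates, review = [], []
    for r in iter_rules(data["rulebase"]):
        # A missing hit count is not treated as zero.
        if not r.get("enabled") or r.get("hits", {}).get("value") != 0:
            continue
        row = [str(r["rule-number"])] + [resolve(r[k]) for k in COLUMNS]
        created = r.get("meta-info", {}).get("creation-time", {}).get("posix")
        # Rules newer than the window, or of unknown age, go to manual review.
        (candidates if created is not None and created <= start_ms else review).append(row)
    return candidates, review

def to_csv(rows):
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows([["number"] + COLUMNS] + rows)
    return buf.getvalue()
```

To run it on real output, load the saved file with `json.load` in place of `SAMPLE` and pass the window start as epoch milliseconds.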
Malik1
Contributor

Hi Duane, 

I'm new to API. I did a copy/paste of the syntax shared on the SmartConsole command CLI and every time it crashes.

 

Can I run this via expert mode? Is there any syntax that I have to add?

 

Please guide.

 

 

0 Kudos
G_W_Albrecht
Legend

This is a .sh script that should run in expert mode - you have to rename the policy package to your policy package name...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Malik1
Contributor

Hello, 

 

Can you help me or guide me on how to run such scripts?

0 Kudos
PhoneBoy
Admin

It is generally expected that, when using expert mode (including for running scripts), the administrator has some basic Linux/Unix knowledge.

Versus copy/pasting a script, you might try a pre-built script that largely accomplishes the same thing: https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MD...
After downloading the script to the management station, use chmod 755 to make the script executable (e.g. chmod 755 cleanup-zero-hits.sh).

 

0 Kudos
PhoneBoy
Admin

Scripts like that won’t work in the SmartConsole CLI, it has to be done in expert mode.

0 Kudos
G_W_Albrecht
Legend

Tried cpstat blades yet?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Malik1
Contributor

 

This gives the rules with top hits. What I need is the rules with zero hits.


0 Kudos
G_W_Albrecht
Legend

Find some possibilities to see it here: sk85780: How to use the 'connstat' utility

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Malik1
Contributor

Unfortunately this is only for Windows OS.

0 Kudos
