Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Franck_Lecuyer
Explorer
Jump to solution

R80 SmartReporter : how to do a report "rule base analysis"? is it possible ?

Thanks 🙂

1 Solution

Accepted Solutions
Ofir_Shikolski
Employee
Employee
23 Replies
Nader_Assi__Old
Contributor

I have the same exact question and I'm still not able to find any answer.

0 Kudos
Ofir_Shikolski
Employee
Employee

I created my own report for this task Smiley Happy 

Nader_Assi__Old
Contributor

How did you do that? Because I tried also to create my own but without any good result.

-> I think I was able to get somethinbg similar to yours but I don't have the option to add the Rule Hits.

0 Kudos
Ofir_Shikolski
Employee
Employee

1. create report
2. create table
3. i used this:

Ofir_Shikolski
Employee
Employee

last hit = time

Smiley Happy

Jason_Chapell
Explorer

Could you provide a little more detail on how you created the report?    

PhoneBoy
Admin
Admin
0 Kudos
Selma_Saglauska
Participant
I used this report (Rule Base Analysis) to remove rules that had no hits for a certain period of time, as well as to sort the rules that had the most hits for places higher up in the policies.
This report created here did not help me, because it does not provide the information I need. Is it possible to create a report similar to the one that existed in SmartReporter?
0 Kudos
Tomer_Sole
Mentor
Mentor

Selma Saglauskas wrote:

I used this report (Rule Base Analysis) to remove rules that had no hits for a certain period of time

We are planning zero hits reports in our next releases. For now - will Ofir's sample report above help you in that case? 

Selma Saglauskas wrote:

 as well as to sort the rules that had the most hits for places higher up in the policies.
Please note that with R80.10 gateways, rule matching no longer works top-down but rather using column-based matching, effectively making this practice less relevant. So we may have saved you from this. See: Unified Policy Column-based Rule Matching 
0 Kudos
Selma_Saglauska
Participant

Hi, thank you for your response. Look, the way the Ofir's example comes along does not help much. I need the rules, with their names, to appear separately by policy and gateway.
As this report was made, a column appears with Rule Name, where all rules are bound together. And I can not see which one did not hit. Smiley Sad
Of course I can do this manually, look rule by rule and see that it has had no access in the last 3 months. However, if I need to know which rule has had no access (hit) in the last 6 months, for example, this alternative does not help much. And doing this manually is also not cool; so why to buy license of the Event if it does not help with the reports we need?

0 Kudos
Daniel_Hainich
Collaborator

Hi,

 

any news about this topic?

There is no view/report in R80.20 like old "Rule-Base-Analysis" in R77.30.

I cant see sample Report from Ofir. 

 

 

Thanks

Daniel

0 Kudos
Kfir_Dadosh
Collaborator

Why not using the integrated rulebase hit-count?

Right click the policy header, and enable the "Hits" column

You can sort the policy according to the hitcount, and remove those zero hits count.

For each rule you can also get the first and last hit:

I think it answers your requests.

Kfir Dadosh

Tomer_Sole
Mentor
Mentor

You can generate a "zero hit count" report by selecting Actions-->Export and then filtering non-zero hit rules at the resulting CSV file.

0 Kudos
Selma_Saglauska
Participant

Hello, Tomer Sole.
I've exported my rules, however the "hits" column was not exported to the CSV file.
I am using version R80.10.
Regards,
Selma.

0 Kudos
Tomer_Sole
Mentor
Mentor

OK I was not aware of that limitation, I will check internally and update

0 Kudos
Selma_Saglauska
Participant

Hi, Kfir Dadosh.

Thank you for your answer.

 

I leave the "Hits" column always enabled, however I do not know how to sort according to the hitcount.

This solution as a workaround helps a bit, but the report that existed in SmartReporter was much better ...

Regards, Selma.

Vladimir
Champion
Champion

I have recently completed a project that involved similar requirements.

We've ended-up using an ungodly combination of Check Point Web Visualization tool, to get the data out of CMAs, Tufin historical reports to pin-down 0-hit rules and objects and excel's "Get Data" function to get both outputs in the same workbooks for correlation.

Additionally, a lookup of public IPs in the policy was supposed to be performed by hand to conclusively identify their ownership.

Resultant output was used for policy cleanup and report generation.

Given that it was done across tens of policies with thousands of rules and objects, the process was less than optimal.

It would be nice to see all these capabilities integrated in the smart console. 

Tomer_Sole
Mentor
Mentor

For now what I can offer is either:

a. open the rulebase in SmartConsole, select Actions-->Export... and then edit the resulting CSV to filter out rows which have hits != 0.

b. use import export policy, grab that HTML, and filter out rows with hits != 0. 

c. edit the import export policy python script so that it does not output rules with hits != 0

We will improve it in the future, however for now will any of these options seem better than the combination you use today?

Regarding cleanup of rules using object hit count - this is a roadmap feature.

0 Kudos
Vladimir
Champion
Champion

Not really, as there are no per-object hits available.

Tufin reports do have this property even on group members.

So I am looking forward to it being eventually implemented.

0 Kudos
Ofir_Shikolski
Employee
Employee

What about using the API command ? 

Check Point - Management API reference 

Show-access-rulebase with hits

Command

show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" hits-settings.target "corporate-gw" --format json
Daniel_Hainich
Collaborator
@Ofir_Shikolski

i cant see your report - can you share again?

thanks
daniel
0 Kudos
Daniel_Hainich
Collaborator
@PhoneBoy
can you help?
0 Kudos
PhoneBoy
Admin
Admin

It looks like the image @Ofir_Shikolski posted is externally hosted and the hostname is not resolving any longer.
Given the age of this thread, it might be better to start a new thread with your specific requirements.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events