MRossi92
Participant

Rule Analyzer without logging rules

Hi Everyone.

I'm looking for a specific application that works like a rule analyzer.

We have a 64000 chassis and 1600 rules. None of them are logging except the "Clean Up" rule.

We found the following applications, but we need to know which of them is best for that scenario:

1. Firemon

2. Tufin

3. AlgoSec

4. Skybox

PS: Please remember that we are not logging rules! So we need to find an application that works without that.

Thanks a lot!

Accepted Solution
PhoneBoy
Admin
What specific insights are you looking for from such a tool?
Without logging your rules, about all you have to work with are hit counts…or possibly the logic of specific rules.


7 Replies
MRossi92
Participant

Thanks for the reply.

Can you explain to me how I can work with the "hit counts"?

We need an application that can clean up and optimize the security policy.


PhoneBoy
Admin

Note that as a best practice, most of your rules should be logged.
The fact most of your rules are not logged is problematic for many reasons, including this specific exercise.

Regardless of whether you log a rule or not, every rule should log the number of hits against that rule.
It doesn't show by default in R80.x SmartConsole, but it's easy enough to see by right-clicking on the rule headers and ticking the box for hits:

[Screenshot: SmartConsole rule header context menu with the Hits column enabled]

If a rule has a low number of hits against it, that's a target for a rule that could potentially be removed.
In pre-R80 releases of Check Point gateways, it was considered best practice to move rules that were hit a lot to the top of the rulebase to improve gateway performance.
With column-based matching added from R80.10, this is less necessary, though there are still a few corner cases where it might help.

As far as potentially simplifying rulebase logic, that's something a tool or a human would have to address.
We also offer, via Check Point Professional Services, a service called SmartOptimize that can assist with this task as well.

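The hit-count review PhoneBoy describes above can be scripted instead of worked through column by column in SmartConsole. The following is an added example for this thread, not code from the thread or from Check Point: it parses the JSON that `mgmt_cli show access-rulebase ... show-hits true --format json` returns, flattens sections, and lists enabled rules with few hits (removal candidates), rules that are already disabled, and the most-hit rules. The sample rulebase, rule names and counts are constructed for the demo, and the script assumes the last rule in the rulebase is the Clean Up rule.

```python
"""Triage a Check Point access rulebase by hit count.

Added example for this thread (not Check Point's code). It assumes a JSON
export taken from the Management API, e.g.

    mgmt_cli -r true show access-rulebase name "Network" show-hits true \
        details-level standard --format json > rulebase.json

The rulebase below is constructed for the demo; rule names, numbers and
hit counts are made up.
"""
import json

# Constructed sample in the shape of a "show access-rulebase" response:
# rules may sit directly in "rulebase" or nested under an access-section.
SAMPLE_JSON = r'''
{
  "name": "Network",
  "rulebase": [
    {"type": "access-rule", "rule-number": 1, "name": "Mgmt to GW",
     "enabled": true, "hits": {"value": 120000, "level": "high"}},
    {"type": "access-section", "name": "DMZ",
     "rulebase": [
       {"type": "access-rule", "rule-number": 2, "name": "Web to DMZ",
        "enabled": true, "hits": {"value": 98000, "level": "high"}},
       {"type": "access-rule", "rule-number": 3, "name": "Legacy FTP",
        "enabled": true, "hits": {"value": 0, "level": "zero"}},
       {"type": "access-rule", "rule-number": 4, "name": "Old vendor VPN",
        "enabled": false, "hits": {"value": 0, "level": "zero"}}
     ]},
    {"type": "access-rule", "rule-number": 5, "name": "DR replication",
     "enabled": true, "hits": {"value": 3, "level": "low"}},
    {"type": "access-rule", "rule-number": 6, "name": "Clean Up",
     "enabled": true, "hits": {"value": 410000, "level": "very high"}}
  ]
}
'''


def load_rulebase(text):
    """Parse the JSON text returned by show access-rulebase."""
    return json.loads(text)


def iter_rules(items):
    """Flatten the rulebase: sections nest their rules under 'rulebase'."""
    for item in items:
        if item.get("type") == "access-section":
            yield from iter_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item


def hit_value(rule):
    """Hit counter reported for the rule (0 if hits were not requested)."""
    return int(rule.get("hits", {}).get("value", 0))


def summary(rule):
    return {"rule-number": rule["rule-number"], "name": rule["name"],
            "hits": hit_value(rule)}


def cleanup_candidates(rulebase, threshold=10):
    """Enabled rules with at most `threshold` hits, lowest first.

    Assumption: the last rule in the rulebase is the Clean Up rule, so it
    is never a candidate, whatever its count.
    """
    rules = list(iter_rules(rulebase["rulebase"]))
    body = rules[:-1]  # drop the clean-up rule
    found = [summary(r) for r in body
             if r.get("enabled", True) and hit_value(r) <= threshold]
    return sorted(found, key=lambda s: (s["hits"], s["rule-number"]))


def disabled_rules(rulebase):
    """Rules already disabled: dead weight that can usually be deleted."""
    return [summary(r) for r in iter_rules(rulebase["rulebase"])
            if not r.get("enabled", True)]


def hottest_rules(rulebase, n=3):
    """Most-hit rules; on pre-R80.10 gateways these belong near the top."""
    ranked = sorted((summary(r) for r in iter_rules(rulebase["rulebase"])),
                    key=lambda s: s["hits"], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    rb = load_rulebase(SAMPLE_JSON)
    print("Low-hit candidates for review:")
    for s in cleanup_candidates(rb):
        print(f"  #{s['rule-number']:<4} {s['name']:<20} hits={s['hits']}")
    print("Disabled rules:")
    for s in disabled_rules(rb):
        print(f"  #{s['rule-number']:<4} {s['name']}")
    print("Hottest rules:")
    for s in hottest_rules(rb):
        print(f"  #{s['rule-number']:<4} {s['name']:<20} hits={s['hits']}")
```

Two caveats before acting on the candidate list. A hit count is a counter, not a log: it says how often a rule matched, nothing about who or what matched it, which is why the advice to log most rules stands. And check the collection window: `show access-rulebase` takes a `hits-settings` object (`target`, `from-date`, `to-date`) to scope the counts to one gateway and period, and a rule with zero hits over a month may still be the once-a-year DR or audit rule, so treat the output as a review queue rather than a deletion list.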
MRossi92
Participant

I thought you were referring to another tool with the "hit counts".

Thanks for the answer and for your time, but it's not a good solution for a firewall with 1700 rules. We need something easier for day-to-day work.

Does anyone know anything about these applications?

1. Firemon

2. Tufin

3. AlgoSec

4. Skybox

Daniel_Schlifka
Contributor

You could use NetFlow with a NetFlow analyzer, but it costs performance on the gateways. Be careful when using it on heavily loaded gateways.

PhoneBoy
Admin
NetFlow will only tell you about active connections.
It won’t tell you anything about historical connections.
Perhaps over time the historical data can assist, but that still seems like a manual process.
PhoneBoy
Admin
You still haven’t answered the question of what you hope to achieve by using one of these tools.
In any case, those tools are only as effective as the data they are fed.
Not having logs for the most part is a huge blind spot.