Hello, everybody.
Is it possible to get a report of all FW rules that have had 0 hits for about 90 days?
I have an MDS and VSX environment.
Many domains inside my MDS, and several FW Clusters in VSLS mode.
I want a “report” on one of the domains.
Is this possible?
Greetings.
I don't know if this will help, but found this on the forum:
Solved: Export of rules with zero hits in dashboard - Check Point CheckMates
or this:
GitHub - CheckPointSW/PolicyCleanUp: Check Point PolicyCleanUp tool allows automatic cleanup of your...
(Something that Phoneboy posted a link to a few years back, but this sounds like it might do the job, if it works with the new versions).
Not inside the product, but you can basically get it through the API.
A fellow community member developed a script that queries all domains: https://support.checkpoint.com/results/sk/sk177267
I think I did not explain well our need.
From our MDS, or maybe from our Smart Event that we also have, is it possible to generate a report that allows us to “know” how many firewall rules have 0 Hits for more than 90 days?
We want to “optimize” our rule base, and detect which rules are not being used for a long time.
Cheers. 🙂
You explained it perfectly the first time.
The product does not offer something like this in the UI, thus why I provided an alternative solution.
Hey @Matlu,
If you don't have a 3rd party tool like Tufin or AlgoSec, as PhoneBoy said, you'd need to use the Check Point Management API.
We've done this on our MDS using a bash script. The script uses various API commands to loop through each domain, and every policy package within that domain to query the rulebases for zero hit rules and extract the resultant rules into a CSV file that contains the rule UIDs, source, destination & port information. The API to query the rulebase is 'mgmt_cli show access-rulebase'. You can pass additional arguments to query the hit count of the rules within the policy, including the ability to specify from/to dates. One thing to note is that the maximum number of rules you can query is 500, so you need to recursively loop through the rulebases if they contain more than 500 rules. Here's an example output of the API call from the Check Point Management API reference guide:
mgmt_cli show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" hits-settings.target "corporate-gw" --format json
• "--format json" is optional. By default the output is presented in plain text.
You can use jquery to filter the hit count to only return results equal to zero.
Hello, Aaron.
Could I use the API that you have shared with me in each domain (CMA) that I have in my MDS?
If I want to get the result of the rules with 0 Hits for the last 3 months (90 days), it would only be a matter of playing with the dates of the query you shared with me, right?
Cheers
That's right. You'd need to write a script to do a 'show domains' and pass the output as a variable, like DOMAIN=$(mgmt_cli -r true show domains -f json | jq -r '.objects[].name'). You then pass the variable into a for or while loop to loop through the domains, such as mgmt_cli -r true -d "$DOMAIN" show packages -f json, extract the packages and filter for the access control policy name, and so on. Eventually, once you've extracted all of the policy names per domain (let's say into a variable named $POLICY), you can execute the command to query the policy for zero hits using this variable. For example: mgmt_cli -r true -d "$DOMAIN" show access-rulebase name "$POLICY" limit 500 details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" -f json.
Not sure if some of your domains manage separate DCs (Domain1 manages Site A and Domain2 manages Site B, with Site A being the active site), but bear in mind in that scenario you may have zero hits on rules in Domain2 if Domain1 is the primary Site, especially if you've not had a DR event during the time period you're searching for the zero hit rules. Just something I look out for when evaluating zero hit rules 🙂.
Hello.
Yes, I do indeed have MDS and VSX in my setup.
I have several domains in MDS that manage boxes located in 2 different geographical locations.
Both boxes form a VSX Cluster.
My MDS domains 'manage' instances of my VSX which also make a VSLS Cluster.
I am not very knowledgeable in these technologies, I apologize if my technical terms are not correct, but I hope I can be understood.
What we want is to connect to an MDS domain and try to collect this report related to the 0 Hits rules, using the API you suggest.
Hey bro,
I will also test it in the lab, probably Tuesday, as I'm off Monday, and let you know if it works.
Andy
It doesn't matter if your domains are managing VSX, Maestro, or standard clusters - the script is reviewing policies per domain, not gateways. I was highlighting if your MDS has a domain managing primary Site A, with the DR Site B in another domain, you may get zero hit rules for Site B if you've not had a DR within 9 months. It's nothing to do with your VSX/VSLS/Domain configuration, it's just a caveat to consider.
Aaron, I'm STILL waiting for my payment for helping with Azure VPN failover back in the day, haha. Just kidding, hope you are well, man! Never seen that API command, will try it next week in the lab.
Cheers brother.
Andy
Hey Andy,
How could I forget?! Cheques in the post 😄. All well, thanks. Hope you're keeping well, too!
Aaron.
Glad to hear!
Andy
Hello, @AaronCP
Is it possible that you can share with me your bash script, to test it in my environment?
Thank you.
I can share the script I tried, ping me privately with your details so I can email.
I would also love to try it, sent you DM.
Andy
Hello, my friend.
I sent you a private message.
Is your help possible?
Thanks
Hi Matlu,
We want to achieve the same thing for sure, I've sent the_rock the script file to see if he can get it working. If you have scripting skills I can of course send to you as well, and see if you can get it working. I think the end result will be of benefit to the community.
Sure - only caveat, it's an early-stage script that clearly needs work, so lab use only.
Sounds good.
Hey,
For starters, what is the closest command that can show you all the rules that are disabled in a policy package?
Is there any other way to get this information?
Is exporting the policy package from the SmartConsole itself in Excel an option?
I'm still trying to see how to make the script work in a way that would show it in a really nice way.
Andy
The API does not show you just "disabled" rules, you have to dump the API output and filter it.
If you're using a shell script, you'll probably use jq to do that.
In any case, it looks like this tool will do exactly what you're asking for (disable unused rules after X days), why not use it versus trying to reinvent the wheel? https://github.com/CheckPointSW/PolicyCleanUp
Yes, the script does use jq to extract data (at least that's the idea). What I want is to add the data into an HTML file in human-readable format so we can use this output to form the basis of a change.
I'll have a look at the script you have suggested as well, but I don't think it does the HTML part, which is what I'm after, i.e.:
UID | Status | Rule Name | SRC | DST | Port | Comment
It's definitely a good start. I'm on vacation for a couple of weeks, but will definitely work on it more when I'm back.
Andy
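The pipeline AaronCP describes above (log in per MDS domain, walk every package's access layers, page through show-access-rulebase in 500-rule chunks with show-hits, keep the rules whose counter is 0 for the window) and the UID | Status | Rule Name | SRC | DST | Port | Comment table Andy is after, as an added example. This is not the bash script being passed around in the thread and not Check Point's PolicyCleanUp tool; it talks to the documented Management API web_api endpoints (login, show-domains, show-packages, show-access-rulebase, logout) over plain urllib, and it assumes show-packages with details-level "full" returns each package's access-layers list. Host names, user names and the 90-day window are parameters you supply; rules that carry no hit data at all are skipped rather than reported as unused, and the DR-site caveat above (a standby domain legitimately showing zero hits) is something no script can detect for you.

```python
"""Zero-hit access rules per MDS domain via the Check Point Management API (web_api)."""
import datetime as dt
import html
import json
import ssl
import urllib.request

PAGE_SIZE = 500  # show-access-rulebase caps 'limit' at 500, so larger layers are paged


def make_caller(mgmt_host):
    """Return call(cmd, payload, sid) that POSTs JSON to https://<host>/web_api/<cmd>.
    TLS verification stays on: install the MDS certificate chain rather than disabling it."""
    ctx = ssl.create_default_context()

    def call(cmd, payload, sid=None):
        headers = {"Content-Type": "application/json", **({"X-chkp-sid": sid} if sid else {})}
        req = urllib.request.Request(f"https://{mgmt_host}/web_api/{cmd}",
                                     data=json.dumps(payload).encode(), headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.load(resp)
    return call


def list_domains(call, user, password):
    """Log in to the MDS itself (no domain) and return the names of its domains."""
    sid = call("login", {"user": user, "password": password})["sid"]
    try:
        return [d["name"] for d in call("show-domains", {"limit": 500}, sid).get("objects", [])]
    finally:
        call("logout", {}, sid)


def flatten_rules(items):
    """Rules may sit inside 'access-section' items; yield the plain access-rules only."""
    for item in items:
        if item.get("type") == "access-section":
            yield from flatten_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item


def fetch_layer_rules(call, sid, layer_uid, from_date, to_date, page_size=PAGE_SIZE):
    """Page through one access layer; return (rules, {uid: name} from the objects-dictionary)."""
    rules, dictionary, offset = [], {}, 0
    while True:
        page = call("show-access-rulebase", {
            "uid": layer_uid, "offset": offset, "limit": page_size,
            "details-level": "standard", "use-object-dictionary": True,
            "show-hits": True, "hits-settings": {"from-date": from_date, "to-date": to_date},
        }, sid)
        rules.extend(flatten_rules(page.get("rulebase", [])))
        for obj in page.get("objects-dictionary", []):
            dictionary[obj["uid"]] = obj.get("name", obj["uid"])
        if not page.get("rulebase") or page.get("to", 0) >= page.get("total", 0):
            return rules, dictionary
        offset = page["to"]  # 'to' is the 1-based index of the last rule returned


def zero_hit_rows(rules, dictionary, domain, layer):
    """Keep rules whose counter is exactly 0; a rule with no hit data is unknown, not unused."""
    def names(refs):
        return ", ".join(dictionary.get(ref, ref) if isinstance(ref, str)
                         else ref.get("name", "?") for ref in refs)
    rows = []
    for r in rules:
        if r.get("hits", {}).get("value") != 0:
            continue
        rows.append({"domain": domain, "layer": layer, "uid": r["uid"],
                     "status": "enabled" if r.get("enabled", True) else "disabled",
                     "name": r.get("name", ""), "src": names(r.get("source", [])),
                     "dst": names(r.get("destination", [])), "port": names(r.get("service", [])),
                     "comment": r.get("comments", "")})
    return rows


def collect_domain(call, user, password, domain, days=90, today=None, page_size=PAGE_SIZE):
    """Log in to one domain, walk every package's access layers, return the zero-hit rows."""
    today = today or dt.date.today()
    from_date, to_date = (today - dt.timedelta(days=days)).isoformat(), today.isoformat()
    sid = call("login", {"user": user, "password": password, "domain": domain})["sid"]
    rows = []
    try:
        for pkg in call("show-packages", {"details-level": "full"}, sid).get("packages", []):
            for layer in pkg.get("access-layers", []):
                rules, dictionary = fetch_layer_rules(call, sid, layer["uid"], from_date, to_date, page_size)
                rows += zero_hit_rows(rules, dictionary, domain, f'{pkg["name"]}/{layer["name"]}')
    finally:
        call("logout", {}, sid)
    return rows


def render_html(rows):
    """Table in the UID | Status | Rule Name | SRC | DST | Port | Comment shape; every cell is
    escaped because rule names and comments are free text that ends up rendered in a browser."""
    cols = ["domain", "layer", "uid", "status", "name", "src", "dst", "port", "comment"]
    out = ["<table>", "<tr>" + "".join(f"<th>{c}</th>" for c in cols) + "</tr>"]
    for row in rows:
        out.append("<tr>" + "".join(f"<td>{html.escape(str(row[c]))}</td>" for c in cols) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":  # usage: python zero_hits.py <mds-host> <api-user>  (password prompted)
    import getpass, sys
    api, user, pw = make_caller(sys.argv[1]), sys.argv[2], getpass.getpass()
    print("\n".join(render_html(collect_domain(api, user, pw, d)) for d in list_domains(api, user, pw)))
```

Layers are addressed by uid rather than by name because a layer name such as "Network" is only meaningful within its package, while the uid from show-packages is unambiguous. Run it from a host that can reach the MDS on 443 with a read-only API user; the session is logged out in a finally block so a failure mid-domain does not leave a session hanging on the management server.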
That script outputs JSON, which surely can be converted to HTML using an external tool.
Hello,
Sorry, but I have checked the link you shared with me and it seems strange; I am seeing something that has nothing to do with what we are talking about.
The article is related to SAML.
Is this the link I should check, or maybe you may have made a mistake with the link?
Thanks for your help.
Hey bro,
I recall that being possible before R80, but certainly not after R80 came out, but as Phoneboy said, it's most likely doable via API, though I never tested it.
Andy