Matlu
Advisor

Rules report with 0 Hits.

Hello, everybody.

Is it possible to have a report of all FW rules that have had 0 Hits for about 90 days without use?

I have an MDS and VSX environment.

Many domains inside my MDS, and several FW Clusters in VSLS mode.

I want a “report” on one of the domains.

Is this possible?

Greetings.

0 Kudos
22 Replies
PhoneBoy
Admin

Not inside the product, but you can basically get it through the API.
A fellow community member developed a script that queries all domains: https://support.checkpoint.com/results/sk/sk177267 

0 Kudos
Matlu
Advisor

I think I did not explain well our need.

From our MDS, or maybe from our Smart Event that we also have, is it possible to generate a report that allows us to “know” how many firewall rules have 0 Hits for more than 90 days?

We want to “optimize” our rule base, and detect which rules are not being used for a long time.

Cheers. 🙂

0 Kudos
PhoneBoy
Admin

You explained it perfectly the first time.
The product does not offer something like this in the UI, thus why I provided an alternative solution.

0 Kudos
AaronCP
Advisor

Hey @Matlu,

If you don't have a 3rd party tool like Tufin or AlgoSec, as PhoneBoy said, you'd need to use the Check Point Management API.

We've done this on our MDS using a bash script. The script uses various API commands to loop through each domain, and every policy package within that domain to query the rulebases for zero hit rules and extract the resultant rules into a CSV file that contains the rule UIDs, source, destination & port information. The API to query the rulebase is 'mgmt_cli show access-rulebase'. You can pass additional arguments to query the hit count of the rules within the policy, including the ability to specify from/to dates. One thing to note is that the maximum number of rules you can query is 500, so you need to recursively loop through the rulebases if they contain more than 500 rules. Here's an example output of the API call from the Check Point Management API reference guide:

mgmt_cli show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" hits-settings.target "corporate-gw" --format json
• "--format json" is optional. By default the output is presented in plain text.

You can use jquery to filter the hit count to only return results equal to zero.

Matlu
Advisor

Hello, Aaron.

Could I use the API that you have shared with me in each domain (CMA) that I have in my MDS?

If I want to get the result of the rules with 0 Hits for the last 3 months (90 days), it would only be a matter of playing with the dates of the query you shared with me, right?

Cheers

0 Kudos
AaronCP
Advisor

That's right. You'd need to write a script to do a 'show domains' and pass the output as a variable, like DOMAIN=$(mgmt_cli -r true show domains -f json | jq -r '.objects[].name'). You then pass the variable into a for or while loop to loop through the domains, such as mgmt_cli -r true -d "$DOMAIN" show packages -f json, extract the packages and filter for the access control policy name, and so on. Eventually, once you've extracted all of the policy names per domain (let's say into a variable named $POLICY), you can execute the command to query the policy for zero hits using this variable. For example: mgmt_cli -r true -d "$DOMAIN" show access-rulebase name "$POLICY" limit 500 details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" -f json.

Not sure if some of your domains manage separate DCs (Domain1 manages Site A and Domain2 manages Site B, with Site A being the active site), but bear in mind in that scenario you may have zero hits on rules in Domain2 if Domain1 is the primary Site, especially if you've not had a DR event during the time period you're searching for the zero hit rules. Just something I look out for when evaluating zero hit rules 🙂.

0 Kudos
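A worked example of the procedure Aaron describes in his two posts above, added here and not code from Aaron or from Check Point: it pages through a show access-rulebase response in 500-rule chunks, descends into sections, resolves UIDs through the object dictionary and keeps only the zero-hit rules, and computes the 90-day from/to window for hits-settings. The sample pages, the Net_A/https objects and sample_fetch are constructed stand-ins for what mgmt_cli would return per domain and policy.

```python
from datetime import date, timedelta

# Constructed sample: two trimmed pages of one "show access-rulebase" response (show-hits
# true, use-object-dictionary true), keyed by the offset that returns them. Real output
# carries many more fields per rule; the UIDs and object names here are made up.
def rule(uid, name, src, dst, svc, hits):
    return {"type": "access-rule", "uid": uid, "name": name, "source": [src],
            "destination": [dst], "service": [svc], "hits": {"value": hits}}
DICT = [{"uid": "o1", "name": "Net_A"}, {"uid": "o2", "name": "Any"}, {"uid": "o3", "name": "https"}]
SAMPLE_PAGES = {
    0: {"total": 3, "from": 1, "to": 2, "objects-dictionary": DICT, "rulebase": [
        rule("r1", "allow web", "o1", "o2", "o3", 120),
        {"type": "access-section", "name": "Legacy",
         "rulebase": [rule("r2", "old ftp", "o2", "o1", "o3", 0)]}]},
    2: {"total": 3, "from": 3, "to": 3, "objects-dictionary": DICT, "rulebase": [
        rule("r3", "cleanup", "o2", "o2", "o2", 0)]}}

def hits_window(days=90, today=None):
    """Values for hits-settings.from-date / to-date: the last `days` days up to today."""
    today = today or date.today()
    return (today - timedelta(days=days)).isoformat(), today.isoformat()

def walk_rules(entries):
    """Yield access-rules, descending into access-sections (their rules sit one level down)."""
    for e in entries:
        if e.get("type") == "access-rule":
            yield e
        elif "rulebase" in e:
            yield from walk_rules(e["rulebase"])

def zero_hit_rules(fetch_page, limit=500):
    """fetch_page(offset, limit) returns one parsed page. A call returns at most 500 rules,
    so keep paging until 'to' reaches 'total'; object UIDs are resolved to names."""
    rows, offset = [], 0
    while True:
        page = fetch_page(offset, limit)
        names = {o["uid"]: o["name"] for o in page.get("objects-dictionary", [])}
        for r in walk_rules(page["rulebase"]):
            if r.get("hits", {}).get("value", 0) == 0:
                rows.append({"uid": r["uid"], "name": r.get("name", ""),
                             **{f: ";".join(names.get(u, u) for u in r[f])
                                for f in ("source", "destination", "service")}})
        if page["to"] >= page["total"]:
            return rows
        offset = page["to"]  # "to" is 1-based, offset is 0-based: next page starts here

# Stand-in for running mgmt_cli with "offset {offset} limit {limit}" and parsing its JSON.
sample_fetch = lambda offset, limit: SAMPLE_PAGES[offset]
```

In a real run, fetch_page would call mgmt_cli -r true -d "$DOMAIN" show access-rulebase with the offset and limit it is given, and the rows would be written out as the CSV per domain.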
Matlu
Advisor

Hello.

Yes, I do indeed have MDS and VSX on my stage.
I have several domains in MDS that manage boxes that are located in 2 different geographical locations.
Both boxes form a VSX Cluster.
My MDS domains 'manage' instances of my VSX which also make a VSLS Cluster.
I am not very knowledgeable in these technologies, I apologize if my technical terms are not correct, but I hope I can be understood.

What we want is to connect to an MDS domain and try to collect this report related to the 0 Hits rules, using the API you suggest.

0 Kudos
the_rock
Legend

Hey bro,

I will also test it in the lab, probably Tuesday, as I'm off Monday, and let you know if it works.

Andy

0 Kudos
AaronCP
Advisor

It doesn't matter if your domains are managing VSX, Maestro, or standard clusters - the script is reviewing policies per domain, not gateways. I was highlighting if your MDS has a domain managing primary Site A, with the DR Site B in another domain, you may get zero hit rules for Site B if you've not had a DR within 9 months. It's nothing to do with your VSX/VSLS/Domain configuration, it's just a caveat to consider.

0 Kudos
the_rock
Legend

Aaron, I'm STILL waiting for my payment for helping with Azure VPN failover back in the day, haha. Just kidding, hope you are well man! Never seen that API command, will try it next week in the lab.

Cheers brother.

Andy

AaronCP
Advisor

Hey Andy,

How could I forget?! Cheques in the post 😄. All well, thanks. Hope you're keeping well, too!

Aaron.

(1)
the_rock
Legend

Glad to hear!

Andy

0 Kudos
Matlu
Advisor

Hello,


Sorry, but I have checked the link you have shared with me and it seems strange to me but I am seeing something that has nothing to do with what we are talking about.

The article is related to SAML.

Is this the link I should check, or maybe you may have made a mistake with the link?

Thanks for your help.

0 Kudos
the_rock
Legend

Hey bro,

I recall that being possible before R80, but certainly not after R80 came out, but as PhoneBoy said, it's most likely doable via API, though I never tested it.

Andy

0 Kudos
genisis__
Mentor

I don't know if this will help, but found this on the forum:

Solved: Export of rules with zero hits in dashboard - Check Point CheckMates

or this:
GitHub - CheckPointSW/PolicyCleanUp: Check Point PolicyCleanUp tool allows automatic cleanup of your...
(Something that Phoneboy posted a link to a few years back, but this sounds like it might do the job, if it works with the new versions).

the_rock
Legend

O yea, that was my post back in the day, totally forgot about it 😃

Andy

genisis__
Mentor

Do you think it will work on R81.10+?

Ideally it would be great if we could have a script that generates a list of rules with their UIDs with zero hit counts, ideally in HTML format. We could then present that to a client, which would form the basis of a change to remove these.

Next - and I think more challenging - review the existing rule to determine if all objects in a rule are actually being used, so that a further cleanup could be done by removing unused objects within a rule that has hits against it.

I know this is all possible, but it just needs a good scripter who knows Check Point. It would be an invaluable tool for us all.

Food for thought Check Point - perhaps this could be a function built into SmartEvent, after all, all the information is potentially there (R83+)

the_rock
Legend

Yes, it does work, I tested it in R81.20 and R82. A script that does clean up of those rules would be excellent.

Andy

0 Kudos
genisis__
Mentor

Will give it a go, may have to stump up a lab with some data though.

 

the_rock
Legend

Let me know if you need me to test anything.

Andy

0 Kudos
genisis__
Mentor

Thanks, I've generated some code in ChatGPT, so it will be interesting to see if that actually works. Will pass it over soon.

 

0 Kudos
the_rock
Legend

Sounds good @genisis__ 

0 Kudos