This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Platinum
MVP Platinum
‎2022-11-10 05:37 AM

Getting top used rules via command line

Hey guys,

Apologies if this was answered before, but I remember while back, I always used to run command that would show me top 10 used rules on the firewall, but cant recall now what it was, as its been probably close to 10 years since I ran it. I know connstat, but thats only for windows. I also tried cpstat blades, but it does not show me anything there.

I think it was some sort of flag with fw tab, but IM not sure. If someone has an idea, would appreciate any feedback.

Tx as always!

 

Had a look at below, but not exactly what Im after:

https://community.checkpoint.com/t5/General-Topics/How-to-see-what-firewall-rules-match-some-traffic...

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topic...

 

Best,
Andy
0 Kudos
13 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-11-10 05:57 AM

sk85780: How to use the 'connstat' utility

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-10 06:01 AM
In response to G_W_Albrecht

Thanks G, but thats only for Windows, this command was done from the fw itself.

Andy

Best,
Andy
0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2022-11-10 06:08 AM

cpstat blades
# cpstat blades

Packets accepted :          766249577
Packets dropped :           24321576
Peak number of connections: 19013
Number of connections:      5797

Top Rule Hits
-----------------------
|rule index|rule count|
-----------------------
|Rule 24   |    170186|
|Rule 36   |     59828|
|Rule 2    |     27792|
|Rule 15   |      1234|
|Rule 18   |      1026|
-----------------------
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-10 06:12 AM
In response to Danny

Weird...run it on vmware and actual 6000 series appliance, nothing.

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2022-11-10 06:21 AM
In response to the_rock

I have run the command in a Standalone environment, which is on an OPEN SERVER, and I get no results either.

It is very strange. 😣

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2022-11-10 06:14 AM
In response to Danny

Hello,

This command must be applied on the GW?
Or is it on the SMS?

Greetings.

0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2022-11-10 06:25 AM
In response to Matlu

Gateway, of course.
On managements you can use this command:
psql_client monitoring postgres -c "select hits,rule_uid,netobj_name,policy_type from hitcount order by hits DESC"

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-10 06:53 AM
In response to Danny

Its cloud instance, so no ssh access.

Best,
Andy
0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2022-11-10 06:56 AM
In response to the_rock

So your Management is Smart-1 Cloud and your gateways are on-prem?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-10 07:22 AM
In response to Danny

Correct, for the customer, but in my lab, its all on prem.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-10 06:55 AM
In response to Danny

Btw, that command shows me top 5 rules for one customer using 6200, but another using 6400, nothing...wonder why. Also, my lab fw, in esxi, shows nothing for top rules.

 

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-11-10 07:26 AM
In response to the_rock

Was hit count enabled on all these ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-11-10 07:38 AM
In response to G_W_Albrecht

Yes sir Gunther...as a matter of fact, enabled for the last 2 years, which is maximum.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events