Solved: Re: NAT policy rules hit count not visible in .csv...

the_rock · ‎2023-02-23

Hey guys,

I was doing some R81.20 lab testing yesterday and its great to see that NAT rules hit count now works consistently, but weird thing is when I export the NAT rules in csv format, I dont see column for hit count.

If I do same for regular rules, its there and I see the actual hit count, like you see it in smart console. I did same for urlf+appc and content awareness ordered layer rules and hit count shows in csv file. I have a feeling maybe this is by design, but not 100% sure. Anyway, not a big deal, just curious : - )

Thanks as always for the help 🙌

Cheers,

Andy

the_rock · ‎2024-07-31

@Pedro_Madeira Just for the context, basic csv export shows hit count fine.

Andy

View solution in original post

Timothy_Hall

This issue has been fixed in R81.20 Jumbo 96+, note that not only do you need the latest JHFA installed you must also have the latest version of the SmartConsole as well. Access to the NAT hit counts is now accessible through the management API too:

RJ-51150,
PMTR-90911

Security Management

NEW: In SmartConsole, the CSV export file of Access Policy NAT rules now contains the hit count data: "Hits", "First Hits" and "Last Hits" columns.

Requires R81.20 SmartConsole Build 661 or higher.

PRJ-56656,
PMTR-92241

Security Management

NEW: The "show nat-rule" and "show nat-rulebase" Management API commands now support displaying hit count data with optional date range filtering through the "show-hits true" parameter, allowing users to retrieve hit statistics for NAT rules with flexible time-based querying in JSON format.

Syntax examples:

mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" --format json
mgmt_cli show nat-rulebase offset 0 limit 20 details-level "standard" use-object-dictionary true package "standard" show-hits true --format json
mgmt_cli show nat-rule rule-number 1 show-hits true package "standard" hits-settings.from-date "2014-01-01" hits-settings.to-date "2014-12-31T23:59" --format json

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

PhoneBoy · ‎2023-02-27

@Tomer_Noy does the export for NAT rules via SmartConsole include hit count information?

the_rock · ‎2023-02-27

If not, this is my unofficial RFE sumbission request ; - )

Andy

Youssef_Obeidal · ‎2023-02-28

Hi,

We will look into it for the next version and try to backport it to JHF of recent versions

the_rock · ‎2023-02-28

I had customer ask me about it, but I told them since their S1C instance will be upgraded soon to R81.20, at least they will be able to consistently see NAT rules hit count in the dashboard, so thats better than not see it at all : - ). We were hoping with everything being on R81.10 it would work as well, but sadly not...if they are lucky, works one out of 30 policy installs.

rajes27 · ‎2023-08-21

Hi,

Is there any update on this or way to export NAT rules with hit count details. I even tried with mgmt api, looks like the hit count details are not present for NAT rules like in access rules. Please help / share if there is any way.

Youssef_Obeidal · ‎2023-08-22

Hi,

We are working to add a NAT hitcount to the Management API and to the export functionality in SmartConsole.

We will deliver it to the Jumbo branch as well once ready.

Pedro_Madeira · ‎2024-07-31

Hello @Youssef_Obeidal

Do you know if this was already integrated or near integration?

A customer of ours needs this functionality of exporting the NAT rules with hit counts.

Thank you,

Pedro Madeira

the_rock · ‎2024-07-31

@Pedro_Madeira Just for the context, basic csv export shows hit count fine.

Andy

Pedro_Madeira · ‎2024-08-06

Hello,

Thanks for your reply.

I just tested in another customer's R81.20 to export the access control and NAT rule base but I'm still missing hits.

I might be missing some kind of option to include it. The columns I'm getting are:

No.,Type,Name,Original Source,Original Destination,Original Services,Translated Source,Translated Destination,Translated Services,Install On,Comments

Any pointers?

Thank you once again.

PM

the_rock · ‎2024-08-06

Did you make sure 100% hits column is enabled?

Andy

Pedro_Madeira · ‎2024-08-06

Yes. I have the columns enabled.

Do you think I need a more recent version than JHFA T65?

Which version and JHFA are you using to export?

the_rock · ‎2024-08-06

Im on jumbo 76, but it worked even when I was on way lower jumbo, so thats probably not an issue. Maybe try reboot the mgmt to see if it makes any difference.

Andy

Pedro_Madeira · ‎2024-08-06

I found out what the problem was. I have to have the hits column enabled everywhere for it to be exported, so in Access Control Rules layer, URLF/AppCtrl layer and NAT. If it's not enabled in each one, the export doesn't come out with hits.

I have it working now. Thanks for your tips buddy. You Rock 🙂

the_rock · ‎2024-08-06

Thats right my friend. Glad we can help 🙂

Best,

Andy

AOBELAR

Good afternoon! I have the same problem that you had, but in my case I have the HIT column active in all the layers and even so the excel does not export with the hits.

the_rock

What version of mgmt/gw?

Andy

AOBELAR

Hello good! How's it going? thanks for answering. The MGM 81.20 and GW 81.10

the_rock

I cant sadly speak for R81.10, as I never tested it in that version, but in R81.20, both mgmt and gateway, works fine. Let me try in the lab shortly, just to confirm.

Andy

the_rock

@AOBELAR I would open TAC case to check this, since I have R81.20 jumbo 92 in the lab (mgmt and gateways) and hits on NAT rules does NOT show up when you export nat rules (but it does in nat policy), but works on every other layer. I even unchecked hits, push policy, same thing.

Andy

the_rock

K, this is really bothering me now, lets see if I can solve it till 2025 lol

Btw, I refreshed hit count, installed policy, installed database, no luck...I dont get it. Mind you, since I made this post, I had to reinstall mgmt couple times, but it is latest R81.20 jumbo 92 version, same as gateways.

If I make any headway, will let you know, but will more on it Monday, since its almost end of the day for me. I will try fix in in next 45 mins.

Andy

the_rock

I ended up asking AI copilot and closest thing it found was below, BUT, this does not apply to NAT rules, since option is nott there :- (

Andy

https://support.checkpoint.com/results/sk/sk177265

AOBELAR

Thank you very much for your answers, the truth is that I try several things, extracting it through API or CLI. I don't understand how to get displays in the Smartconsole yet.

the_rock

You can easily see them in smart console, but when you export nat rules in csv format, you can NOT see hits : - (

Andy

AOBELAR

That's how you say, on the SmartConsole I see it perfect.

the_rock

Let me play around with it more and see. I will reboot mgmt server and try again and let you know.

Andy

the_rock

Nothing...just rebooted, exact same issue, makes no sense.

Its R81.20 latest jumbo, 92.

Andy

the_rock

@PhoneBoy Any clue why this does not seem to work? I even reset all hit_count values in Guidbedit, installed policy, put them back how they were by default, pushed policy again, same issue...all hit counts show for regular layers, but for NAT, absolutely nothing : - (

Andy

AOBELAR

I didn't find any logic either.

the_rock

Lets see what Phoneboy says...I cant honestly think of anything else to try. I even rebooted all the lab gateways as well (on top of mgmt), same problem.

Andy

Are you a member of CheckMates?

NAT policy rules hit count not visible in .csv export file