Since deleting unused rules always annoyed me, I created a SmartConsole plugin.
It does the following:
- Shows all rules in SmartConsole that have not been used (hit counter = 0).
- Lets you select any of the unused rules you want to delete.
- Generates the CLI commands for the Management Server to delete those rules.
You only need to copy and paste the output into an SSH session on the SMS.
I deliberately did not automate the deletion directly in SmartConsole, to avoid accidental rule removal if the tool is misused.
Install Smart Console Extension:
https://www.checkpoint.tips/ex/delete.json
PS:
I quickly created the SmartConsole extension during the last two days of my vacation.
When I have a bit more time, I’ll build a nicer version and make it available in the tools section.
Versions:
1.0 Basic version 08/20/2025
1.1 Public community version 08/27/2025
1.2 Add layers and autoload 09/01/2025
| Demo video |
|---|
| Install SmartConsole Extension |
|---|
To install SmartConsole Extensions, you can watch this video:
The challenge with inline layers is that they are not integrated into the regular rule framework but are instead referenced within the internal database. As a result, a parser would be required to index the database for inline layers. This is particularly difficult when developing SmartConsole plugins, because every interaction with the API triggers a confirmation prompt—a security feature of Check Point—which would lead to an excessive number of confirmations. From my perspective, this approach is not practical.
For several years, I have hoped that Check Point would introduce an alternative mechanism, such as a signing key for trusted SmartConsole application developers. Unfortunately, such a solution does not exist.
Maybe I should apply to Check Point as a programmer. 😀
Yes, I get it. We had a script long ago (done by Val? Not sure anymore) which did the same on the CLI and printed out a list of API commands to deactivate or delete the unused policies.
If only this would work with inline layers, I could finally show a few people quite clearly how much useless stuff has accumulated in the database that should finally be gotten rid of.
I still feel what I mentioned yesterday to @Matlu is at least a good workaround, as it would give all the rules with 0 hits.
Hello, @HeikoAnkenbrand
I have tested the tool in a production environment, and I have the following comments.
- In MDS, what @the_rock mentions is true; the URL is uploaded for each CMA that interests us.
- The tool works well, but with one important detail: when you have very large “policy packages” with more than 100 rules, the tool no longer works.
- I have tested it on four policy packages belonging to the same CMA, and the result is that when the policy packages have few rules, it works well, but in policy packages that, at least in my case, have more than 500 rules, the tool is unable to display data, even though there are many rules with zero hits.
- The tool does not survive reboots (if you reboot your SMS/MDS, the extension is not retained).
Is this a limitation of the tool that can be corrected?
This sounds like the tool is not properly parsing large rulebases, which requires multiple API calls using limit/offset parameters to get all the results.
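The limit/offset paging mentioned in the reply above, as an added sketch that is not part of the thread and is not the extension's own code. It assumes the `show-access-rulebase` reply carries `rulebase`, `to` and `total`, and that hit counts appear under `hits.value` when `show-hits` is set; `call_api` is a hypothetical transport and `make_fake_api` is a constructed stand-in for the management server.

```python
from typing import Callable, Iterator, List

# Hypothetical transport: (command, payload) -> decoded JSON reply.
ApiCall = Callable[[str, dict], dict]

def _flatten(entries: list) -> Iterator[dict]:
    """Sections wrap their rules in a nested 'rulebase' list; unwrap them."""
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from _flatten(entry.get("rulebase", []))
        else:
            yield entry

def iter_rules(call_api: ApiCall, layer: str, page_size: int = 100) -> Iterator[dict]:
    """Yield every rule of a layer by following limit/offset paging."""
    offset = 0
    while True:
        reply = call_api("show-access-rulebase", {
            "name": layer, "limit": page_size,
            "offset": offset, "show-hits": True,
        })
        page = reply.get("rulebase", [])
        yield from _flatten(page)
        # Stop on an empty page or once 'to' reaches 'total'.
        if not page or reply["to"] >= reply["total"]:
            return
        offset = reply["to"]

def zero_hit_rules(call_api: ApiCall, layer: str, page_size: int = 100) -> List[dict]:
    """Rules whose hit counter is present and exactly 0 (missing data is not 'unused')."""
    return [r for r in iter_rules(call_api, layer, page_size)
            if r.get("hits", {}).get("value") == 0]

def make_fake_api(total: int = 130, used_every: int = 4) -> ApiCall:
    """Constructed stand-in for the server: every `used_every`-th rule has hits."""
    rules = [{"type": "access-rule", "uid": f"uid-{n}", "rule-number": n,
              "hits": {"value": 25 if n % used_every == 0 else 0}}
             for n in range(1, total + 1)]

    def call_api(command: str, payload: dict) -> dict:
        start = payload["offset"]
        page = rules[start:start + payload["limit"]]
        return {"rulebase": page, "from": start + 1,
                "to": start + len(page), "total": total}
    return call_api

if __name__ == "__main__":
    print(len(zero_hit_rules(make_fake_api(), "Network")), "zero-hit rules")
```

A single request with `limit` 100 against the constructed 130-rule layer would report only the zero-hit rules among the first 100; the loop keeps requesting pages until `to` reaches `total`.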
It's odd, 'cause I gave it to a customer with about 250 rules and it worked just fine... not MDS, mind you, but I don't believe it should matter.
It might make more sense for the CLI commands to be ones you can copy/paste to the Command Line available in SmartConsole.
Or maybe it can be an option, just a thought.
That's a good suggestion. I would add the "creation date", as well, as most of the times we don't want to remove the rules that are created or modified recently (probably in order to facilitate for some traffic that is expected in the future).
Hi HeikoAnkenbrand,
Sorry to bother you, but it would be better if you could pass on the instructions for "How to inject this plugin" in SmartConsole.
@satish_Puri see the interactive guide here: https://support.checkpoint.com/results/sk/sk171436#Extension
Or see here: https://community.checkpoint.com/t5/Management/How-to-extend-and-enhance-SmartConsole/td-p/41429
I've tried it several times, but it doesn't show anything.
When there are “few” policies, it shows you the results, but in packages that have more than 100 rules, it doesn't show anything.
It's strange.
I have several policy packages, and it works well for me only on those with few policies, but on those where it doesn't work, most have more than 100, 500, or 1000, and it's on these packages that nothing is observed.
For example, this is another policy package, with more than 500 rules, and nothing appears.
I exported the policy package to CSV.
The package has 700 rules, but 507 rules have 0 hits.
And as you can see, at least in my case, the tool does not show me those 507 rules in SmartConsole 😭
I tried again, and it still doesn't work.
That's strange.
One question:
Is the policy package “export” file 100% reliable?
Could it be a temporary solution to rely on the 0 hits shown in the CSV?
Unfortunately, the tool is not working well in my scenario with a large number of rules.