This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
m2kujawa
Participant
‎2021-03-21 05:59 AM

Hit count mismatch

Hi,

I'm trying to pull hit count for each rule in a policy using API command but there is a mismatch between what's shown in Smart Console and the output of the API command. Could someone please explain where the mismatch is coming from, or what I do incorrectly?

Some more details -There are 2 rules in my lab setup, the first one is showing 44 hits, and the cleanup rule shows 4k hits. However, when I run the API command to see the rulebase, hits value on each rule is 0.

Attached screenshot with hit count from Smart Console and below is the API command I ran and its the output.

 

 

[Expert@Check_Point_R81_SMS:0]# mgmt_cli show access-rulebase name "Network" show-hits "True" --format json
Username: admin
Password:
{
"uid" : "f5cec687-05e5-4573-b1dc-08119f24cbc9",
"name" : "Network",
"rulebase" : [ {
"uid" : "82062c9a-1099-4f3d-918e-25603854d236",
"name" : "Access to SMS and SG",
"type" : "access-rule",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"rule-number" : 1,
"track" : {
"type" : "598ead32-aa42-4615-90ed-f51a5928d41d",
"per-session" : false,
"per-connection" : true,
"accounting" : false,
"enable-firewall-session" : false,
"alert" : "none"
},
"source" : [ "0bc5427d-8710-46b3-8893-d5e3ccc303d8" ],
"source-negate" : false,
"destination" : [ "90b6263c-cbd7-964a-9b9e-b67f29873a79", "4e881b81-e941-474b-a7a4-2cdd9fa997b1" ],
"destination-negate" : false,
"service" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"service-negate" : false,
"vpn" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"action" : "6c488338-8eec-4103-ad21-cd461ac2c472",
"action-settings" : {
"enable-identity-captive-portal" : false
},
"content" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"content-negate" : false,
"content-direction" : "any",
"time" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"hits" : {
"percentage" : "0%",
"level" : "zero",
"value" : 0
},
"custom-fields" : {
"field-1" : "",
"field-2" : "",
"field-3" : ""
},
"meta-info" : {
"lock" : "unlocked",
"validation-state" : "ok",
"last-modify-time" : {
"posix" : 1616299109471,
"iso-8601" : "2021-03-21T03:58+0000"
},
"last-modifier" : "admin",
"creation-time" : {
"posix" : 1616295963413,
"iso-8601" : "2021-03-21T03:06+0000"
},
"creator" : "admin"
},
"comments" : "",
"enabled" : true,
"install-on" : [ "6c488338-8eec-4103-ad21-cd461ac2c476" ]
}, {
"uid" : "53fcfdbf-9053-45c6-93ae-c8ab4c442798",
"name" : "Cleanup rule",
"type" : "access-rule",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"rule-number" : 2,
"track" : {
"type" : "598ead32-aa42-4615-90ed-f51a5928d41d",
"per-session" : false,
"per-connection" : true,
"accounting" : false,
"enable-firewall-session" : false,
"alert" : "none"
},
"source" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"source-negate" : false,
"destination" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"destination-negate" : false,
"service" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"service-negate" : false,
"vpn" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"action" : "6c488338-8eec-4103-ad21-cd461ac2c473",
"action-settings" : { },
"content" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"content-negate" : false,
"content-direction" : "any",
"time" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"hits" : {
"percentage" : "0%",
"level" : "zero",
"value" : 0
},
"custom-fields" : {
"field-1" : "",
"field-2" : "",
"field-3" : ""
},
"meta-info" : {
"lock" : "unlocked",
"validation-state" : "ok",
"last-modify-time" : {
"posix" : 1616299111286,
"iso-8601" : "2021-03-21T03:58+0000"
},
"last-modifier" : "admin",
"creation-time" : {
"posix" : 1603000865309,
"iso-8601" : "2020-10-18T07:01+0100"
},
"creator" : "System"
},
"comments" : "",
"enabled" : true,
"install-on" : [ "6c488338-8eec-4103-ad21-cd461ac2c476" ]
} ],
"objects-dictionary" : [ {
"uid" : "6c488338-8eec-4103-ad21-cd461ac2c472",
"name" : "Accept",
"type" : "RulebaseAction",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
}, {
"uid" : "97aeb369-9aea-11d5-bd16-0090272ccb30",
"name" : "Any",
"type" : "CpmiAnyObject",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
}, {
"uid" : "4e881b81-e941-474b-a7a4-2cdd9fa997b1",
"name" : "Check_Point_R81_SG",
"type" : "simple-gateway",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
}
}, {
"uid" : "90b6263c-cbd7-964a-9b9e-b67f29873a79",
"name" : "Check_Point_R81_SMS",
"type" : "checkpoint-host",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
}
}, {
"uid" : "6c488338-8eec-4103-ad21-cd461ac2c473",
"name" : "Drop",
"type" : "RulebaseAction",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
}, {
"uid" : "598ead32-aa42-4615-90ed-f51a5928d41d",
"name" : "Log",
"type" : "Track",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
}, {
"uid" : "0bc5427d-8710-46b3-8893-d5e3ccc303d8",
"name" : "MKUJ_PC",
"type" : "host",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"ipv4-address" : "192.168.10.1"
}, {
"uid" : "6c488338-8eec-4103-ad21-cd461ac2c476",
"name" : "Policy Targets",
"type" : "Global",
"domain" : {
"uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name" : "Check Point Data",
"domain-type" : "data domain"
}
} ],
"from" : 1,
"to" : 2,
"total" : 2
}
[Expert@Check_Point_R81_SMS:0]#

Preview file
159 KB
0 Kudos
8 Replies
Bob_Zimmerman
MVP Gold
MVP Gold
‎2021-03-21 09:21 AM

Maybe try with lowercase 't' in "true"? In an API tool I'm working on, this is the exact body I use in a request for rule information:

["uid":id.uuidString,
"use-object-dictionary":"false",
"show-hits":"true",
"details-level":"full",
"limit":limit,
"offset":offset]

I then use my language's JSON serializer which maintains case to convert that list into a JSON object for my request.

I definitely get hit data from my development SmartCenter using that request body.

0 Kudos
m2kujawa
Participant
‎2021-03-22 03:13 PM
In response to Bob_Zimmerman

Hi Bob,
Thanks for the quick reply.

I've tried 4 different variations ("True", "true", True, true), and none of them raise an error for invalid input. Also, all of them cause the hit count section to be displayed in the output. Unfortunately, it doesn't matter which option I use, hit count displayed in CLI is always 0.

I've also noticed another strange thing, when I put the cursor over hit count in Smart Console, even though I can see the number of hits on each rule, and logs on the bottom that confirm I get hits, it says 'Zero Hit Count Level' (see attached).

Preview file
148 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-22 04:03 PM
In response to m2kujawa

I recommend a TAC case here.

0 Kudos
m2kujawa
Participant
‎2021-03-22 04:49 PM
In response to PhoneBoy

Thank you for the suggestion. 

It's my private setup using an evaluation licence that I use for training, and I'm not a Checkpoint customer. Can I still raise a TAC case?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-22 11:15 PM
In response to m2kujawa

You probably can't do that without a support agreement in place.
That said maybe @Omer_Kleinstern can confirm if this is a known bug or not.
What JHF are you running on R81?

m2kujawa
Participant
‎2021-03-23 04:28 AM
In response to PhoneBoy

It's a fresh install of R81. Please find the output below for details.

 

[Expert@Check_Point_R81_SMS:0]# cpinfo -y all

This is Check Point CPinfo Build 914000214 for GAIA
[IDA]
No hotfixes..

[MGMT]
No hotfixes..

[CPFC]
No hotfixes..

[FW1]
HOTFIX_GOT_MGMT_AUTOUPDATE
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R81 - Build 287
This is Check Point's software version R81 - Build 959

[SecurePlatform]
No hotfixes..

[CPinfo]
No hotfixes..

[AutoUpdater]
No hotfixes..

[DIAG]
No hotfixes..

[Reporting Module]
No hotfixes..

[CPuepm]
No hotfixes..

[VSEC]
No hotfixes..

[SmartLog]
No hotfixes..

[R7520CMP]
No hotfixes..

[R7540CMP]
No hotfixes..

[R76CMP]
No hotfixes..

[SFWR77CMP]
No hotfixes..

[SFWR80CMP]
No hotfixes..

[R77CMP]
No hotfixes..

[R8040CMP]
No hotfixes..

[R75CMP]
No hotfixes..

[FLICMP]
No hotfixes..

[MGMTAPI]
No hotfixes..

[CPUpdates]
BUNDLE_DC_CONTENT_AUTOUPDATE Take: 9
BUNDLE_GOT_MGMT_AUTOUPDATE Take: 71
BUNDLE_DC_INFRA_AUTOUPDATE Take: 20
BUNDLE_GOT_TPCONF_MGMT_AUTOUPDATE Take: 30


[Expert@Check_Point_R81_SMS:0]#

0 Kudos
Omer_Kleinstern
Employee
Employee
‎2021-03-25 10:40 AM
In response to m2kujawa

Hi @m2kujawa 

There in a known limitation in the returned hit count data when the time range is less than 24 hours (sk166717, PMTR-54350).

Can you try to add hits-settings with more than the last 24 hours?

 

Thanks,

Omer

m2kujawa
Participant
‎2021-03-28 07:50 PM
In response to Omer_Kleinstern

Hi @Omer_Kleinstern,

Thanks, that's good to know. I've tried to query rulebase with a hit count older than the last 24 hours and it worked just fine.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events