This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-10-04 05:14 PM

Delete rules without traffic R81.10

Hello, everyone.

Is there any accurate way to identify which rules are currently "no longer used" in GW?

I have a R81.10 console, but I have quite a few rules, in which I don't see HITS, but there are so many rules, and besides that, I'm not sure if the fact that a rule has no HITS, should make me assume that this rule can be removed.

Is there any way to validate which rules are the only ones currently "in use"?

Greetings.

0 Kudos
26 Replies
the_rock
Legend
Legend
‎2023-10-04 05:23 PM

I would say if rules show 0 hits, they are safe to remove. I found that in R81.10 and R81.20, those numbers are very accurate. From my extensive lab testing, I can confidently say that.

Andy

0 Kudos
Matlu
Advisor
‎2023-10-05 05:45 AM
In response to the_rock

Hello,

By default the column 'Hits', how long is it that 'filters' that option? 1, 2, 3 months?

Is there a way to set this 'hits' value?

Greetings

0 Kudos
the_rock
Legend
Legend
‎2023-10-05 05:48 AM
In response to Matlu

See attached bro.

Andy

From global properties, 2 years is the highest value.

 

Screenshot_1.png

 

 

 

0 Kudos
Henrik_Noerr1
Advisor
‎2023-10-09 06:31 AM
In response to the_rock

Hey @the_rock ,

I highly disagree on this part 🙂 We have some 80.000 firewall rules across our install base,

and have started a massive project cleaning up some +40.000 that is suspected unused.

We have found it neccessary to query our log system for logs with uid for each unused rule found in Smart Console.

We see around 1.000 rules that actually show logs in our log system (or smartlog) but hitcounter is 0.

I am just warning you to not bulk delete rules. In critical environments, whis will quickly lead to incidents.

I have spent many hours in the postgres db analyzing the design of the hit counter. (it's really bad) when we built all the logic behind the firewall cleaning

 

edit: we run r81.10 take NEW'ish - But I found this issue to be true on all versions. Not on r81.20 yet, but I see the db design is the same.

/Henrik 

the_rock
Legend
Legend
‎2023-10-09 06:34 AM
In response to Henrik_Noerr1

K, thats fair. Im just speaking from my extensive testing in the lab and production as well, it was accurate 100% of the time.

But, everyone's experience is different, I suppose.

Andy

PhoneBoy
Admin
Admin
‎2023-10-06 09:15 AM

You can retrieve the hit counts from API.
You can even make a decision to disable rules based on this information, similar to what this script does:
https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-Delete-Rules-with-a-Zero-Hit-Count-MD...

the_rock
Legend
Legend
‎2023-10-06 09:24 AM
In response to PhoneBoy

Whats the command to show rules with 0 hits? I cant seem to find it in the API guide

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-09 05:52 AM
In response to the_rock

The API will only tell you how many hits a given Access Rule has gotten.
You can write a script (similar to what I pointed to) that pulls out the rules have zero hits.

0 Kudos
the_rock
Legend
Legend
‎2023-10-09 06:15 AM
In response to PhoneBoy

Thats what I was trying to find in api guide, but could not. I searched for command that gives just the actual hits, but unable to locate one.

Andy

0 Kudos
Duane_Toler
Advisor
‎2023-10-09 12:04 PM
In response to the_rock

 

export RANGE_AGO="6 months"

export RANGE=$(echo ${RANGE_AGO}|sed 's/ //g')

export FROM_DATE=$(date -d "${RANGE_AGO} ago" +"%Y-%m-%d")

export TO_DATE=$(date +"%Y-%m-%d")

export MGMT_CLI_FORMAT=json



* MGMT_CLI locally on management server:

mgmt_cli show-access-rulebase name Network package Standard show-hits true hits-settings.from-date ${FROM_DATE} hits-settings.to-date ${TO_DATE}  use-object-dictionary false limit 350 > access_rules.last_${RANGE}.json



* REST API:  send this JSON body via 'curl' or whatever:

{ "name" : "Network",

 "show-hits" : true,

"hits-settings" : { "from-date" : "'${FROM_DATE}'", "to-date" : "'${TO_DATE}'" },

 "limit" : 350,

 "details-level" : "uid" }

 

0 Kudos
Scott_Paisley
Advisor
‎2023-10-09 09:31 AM

You can buy 3rd party firewall policy management tools that tell you 'last date hit' as well as how many hits.

We found a rule for TACACS access that has not been used for 2 years. Doesn't mean we don't need it, just that nobody logged into a particular set of switches in the last 2 years, which is probably good news.

0 Kudos
the_rock
Legend
Legend
‎2023-10-09 11:49 AM
In response to Scott_Paisley

Good to know...any specific tool you use/like?

Andy

0 Kudos
Scott_Paisley
Advisor
‎2023-10-09 11:52 AM
In response to the_rock

Tufin

the_rock
Legend
Legend
‎2023-10-09 11:56 AM
In response to Scott_Paisley

Never used it, but heard good things about it.

0 Kudos
Sven_Glock
Advisor
‎2023-11-20 06:05 AM
In response to Scott_Paisley

Algosec, too.

0 Kudos
SomAustrianCity
Participant
‎2023-10-10 01:58 AM

Hi

Just a note, while in my experience the Hits counter is correct, also think about when the rule was last modified. For example, if a rule was created yesterday, it's likely to not have any hits today.

So i usually take that into account when looking through the rulebase (manually) in order to disable unused rules. My rule of thumb is that a rule has not been used for a year and not been modified in this time either.

Regards

0 Kudos
the_rock
Legend
Legend
‎2023-10-10 03:09 AM
In response to SomAustrianCity

That makes sense, for sure. I can also say, again, from myown extensive testing, that in R81.20, hit count seems to be better than before, meaning, gets updated faster and I find is totally accurate.

But again, as I said previously, everyone's experience varies.

Andy

0 Kudos
CP_Chris
Employee Employee
Employee
‎2023-10-10 08:55 AM

I find that using the zero hits does not always paint a clear picture. What if the rule with zero hits is actually required, but there is another rule higher in the policy that is overly permissive? When I look at zero hit rules, I often will look for the source, destination, and service within the logs to determine if the traffic is allowed - or dropped - on a different rule. I then would review this other rule to determine if it is defined accurately, or if there is a need to modify it. If the other rule is defined correctly, but I need the zero hit rule for tracking purposes, then I will move the zero hit rule accordingly. Likewise, if the other rule is defined correctly, then I would delete the rule with zero hits. 

If I don't find the traffic in logs, now I can be a bit more assured the rule may not be needed. I still feel there needs to be some additional thought put into it though. Do you have an asset database? I would look up the owner of the asset and ask the question why is there a rule? Maybe it is something that only gets used in the event of an emergency - document that! Maybe it is an asset that has been decommissioned - what wasn't the firewall team notified? Is there a business process that is broken, or maybe needs to be defined? 

I think you can probably get the idea from here. Just because there are zero hits does not always mean the rule can be deleted. Most of the time it probably does, but always do your due diligence when you find these rules.

the_rock
Legend
Legend
‎2023-10-10 09:22 AM
In response to CP_Chris

Those are all valid points, for sure.

Andy

0 Kudos
Matlu
Advisor
‎2023-10-10 10:33 AM
In response to CP_Chris

Hello,

Is there a way to "export" in a report, all the rules that appear with "0 Hits" in our rule base?

In such a way, that a manual analysis can be done, in order to make a better decision on whether or not these rules should be deleted.

Greetings.

0 Kudos
the_rock
Legend
Legend
‎2023-10-10 11:32 AM
In response to Matlu

Have a look at attached file bro, rules in my lab, its all there.

Andy

Preview file
3 KB
0 Kudos
Zolocofxp
Collaborator
‎2023-10-12 01:39 PM

This is what I personally do... Every trimester I disable 0 hit rules(3 month counters), If after a month o so there are no complaints or no issues arise, I proceed to delete them.

So yes, if no hits after 3 months, it becomes a candidate for deletion. 

0 Kudos
Arne_Boettger
Collaborator
‎2023-11-20 05:57 AM

Is there any experience regarding NAT Hit Count? It was introduced in R81.10, but for me it looks like only rules leading to an actual address translation get hit counts. 

No-NAT-Rules above them (Source+Destination set, but both translated source and destination set to original) dont get any hits even though they match.

0 Kudos
the_rock
Legend
Legend
‎2023-11-20 06:12 AM
In response to Arne_Boettger

I just checked cloud instance on R81.20 and I can see that all the NAT rules supposed to be hit do show proper hit count and are updated.

Kind regards,

Andy

0 Kudos
Zolocofxp
Collaborator
‎2023-11-20 07:14 AM
In response to Arne_Boettger

I am on R81.10 T110 and my No NATs are showing hit count.

 

nonat.PNG

the_rock
Legend
Legend
‎2023-11-20 08:40 AM
In response to Zolocofxp

I found it with R81.20 it was very inconsistent, while with R81.20, consistent 100% of the time. Just my own experience : - )

Kind regards,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events