Rule Consolidation

[shaz86]

Hey I'm a new checkpoint user and I could use some tips/help on this project I'm working on. I need to clean up and consolidate the rules for a really complicated and bloated rule set (500+ rules). Most of the rules DONT have logging enabled and I want to know if there is an easy way to check if the rules are being used or not. Also any other tips on how to consolidate the rules would be very useful. Thanks!

[kva.kva]

IMHO, Reporter is helpful, but you will need rules with log. I don't see another way.

[shaz86]

I was hoping that wouldn't be the case, logging so many rules is almost impossible. Unfortunately I don't have reporter either. If anyone has any other tips, it would really help!

[donshoutarp]

You could turn logging on for a couple of rules and monitor their usage for a month or so (or whatever you think necesssary), turn off logging and turn it on for other rules.

This would take a while, but it may work.

[Sergej]

You can use SmartViev Monitor to get some information.

Create new report "File > New > Traffic View"
Create either history "Top Matched Security Rules On all interfaces" either RealTime "Security Rules" report. In the real-time modify Max Rules To Show (unfortunately max is 50, but not 500+ like in yours situation)

Eventia Reporter also includes very useful report: Standard > Security > Rule Base Analyzer. Here is exempt from description:

---
This report presents an analysis of FireWall-1 rule base.

The report can be used to determine which rules are used the most, which rules are used infrequently and which rules are never used. It can also be used to determine which rules are matched by service, source, and destination.

Rules are presented by their location in the policy at the time of report generation, while their usage data is gathered by their unique ID where possible. If no unique ID data is available, the rules are marked with an asterisk.
---

I guess logging do not need to be enabled on all rules to use this report. Am I wrong?

[kva.kva]

Quote:

I guess logging do not need to be enabled on all rules to use this report. Am I wrong?

You right. I mistook about log options. I forgot that consolidation rules are individual.