CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Rule base optimization

  1. #1
    Join Date
    2012-08-10
    Posts
    18
    Rep Power
    0

    Default Rule base optimization

    Hello Guys,

    Is there any way we could find out the top 10 rules which are getting the most hits? I see TAC taking fw tab -t output with other flags included, based on which they provide the top 10 rules and services which are getting hit.

    Currently I am facing a CPU issue on a client firewall, and I want to optimize the rule base and make sure SecureXL works properly.

    Any suggestions are always appreciated.

    Regards,
    Krishna

  2. #2
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    7

    Default Re: Rule base optimization

    The full command is:

    fw tab -t connections -u > connections.txt

    That 'connections.txt' file is then run through an internal tool to generate the output that TAC provides.

  3. #3
    Join Date
    2007-05-15
    Posts
    21
    Rep Power
    0

    Default Re: Rule base optimization

    If you're running R75+ there is a hit count option that you could enable, although I don't know of a way to sort by that; it would be a matter of scrolling through them, but you can filter on hits:"very high" or hits:high etc.

    Also run "fwaccel stat" to make sure SecureXL isn't being disabled by a rule that is high up in the rulebase.

  4. #4
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    7

    Default Re: Rule base optimization

    Quote Originally Posted by cameronem View Post
    If you're running R75+ there is a hit count option that you could enable...
    Note: the hit count is only for R75.4x and later. R75 base does not have this feature. Neither does R75.20, and thus all 1100 appliances.

  5. #5
    Join Date
    2012-08-10
    Posts
    18
    Rep Power
    0

    Default Re: Rule base optimization

    Quote Originally Posted by jdmoore0883 View Post
    Note: the hit count is only for R75.4x and later. R75 base does not have this feature. Neither does R75.20, and thus all 1100 appliances.
    Yeah, I know the hit count can be used to find out the top rules, but I somehow feel fw tab connections would be more granular for my purpose.

    Currently I am able to use some syntax which I learnt through this forum :) with fw tab, and I can see the top 10 src and dst. Similarly, I am trying to find out the top rules and services getting hit.

  6. #6
    Join Date
    2012-08-10
    Posts
    18
    Rep Power
    0

    Default Re: Rule base optimization

    Quote Originally Posted by jdmoore0883 View Post
    The full command is:

    fw tab -t connections -u > connections.txt

    That 'connections.txt' file is then run through an internal tool to generate the output that TAC provides.

    This is something I am trying to figure out: if we could get access to such a tool :D ha ha ha.

    I have seen many cases where TAC takes the output and gives us the top rules and services getting hit. I am trying hard with different options to get the same result without TAC.

  7. #7
    Join Date
    2008-04-23
    Location
    Germany
    Posts
    21
    Rep Power
    0

    Default Re: Rule base optimization

    I'm not sure what the output your Check Point TAC provides looks like, but it's fairly simple to get some current statistics from this readable, formatted output file:
    Code:
    fw tab -t connections -u -f > /tmp/fwconnectiontable
    Note that this file seems to contain a lot of "duplicate" or dummy entries, probably for internal usage. From what I understand, every entry that contains a "Rule" statement represents a unique connection, though there might be a better way to filter it. But the totals match up closely with the FW's concurrent connection counter.

    So you can grep through the logs like this:
    Code:
    Top Rules:
    # grep Rule /tmp/fwconnectiontable | grep -oP 'Rule:[^;]+' | sort | uniq -c | sort -rn | head
      15478 Rule: 13
       6624 Rule: 48
       5207 Rule: 40
       1059 Rule: 29
       1025 Rule: 12
        540 Rule: 30
    [...]
    
    
    Top Services (Destination Ports): (Ignore the 0 DPort)
    # grep Rule /tmp/fwconnectiontable | grep -oP 'DPort:[^;]+' | sort | uniq -c | sort -rn | head
      46468 DPort: 0
      12503 DPort: 53
      10150 DPort: 80
       8125 DPort: 443
        253 DPort: 8080
         97 DPort: 123
         89 DPort: 25
    [...]
    
    
    Top Sources:
    # grep Rule /tmp/fwconnectiontable | grep -oP 'Source:[^;]+' | sort | uniq -c | sort -rn | head
      19319 Source: [REDACTED]
      12028 Source: [REDACTED]
       9511 Source: [REDACTED]
       5967 Source: [REDACTED]
    [...]
    And so on.

    You can also analyze firewall logs from your management with scripts like this:
    https://alpacapowered.wordpress.com/...is-rule-usage/
    Last edited by mkguy; 2015-02-23 at 06:08.
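    An added example, not from this thread or from Check Point: a POSIX shell/awk helper that generalizes mkguy's three grep pipelines above into one function, counting only entries that carry a "Rule" field and skipping the DPort 0 placeholders the post says to ignore. It assumes the "Key: value;" layout that the post's grep patterns imply; the sample table below is constructed, not real gateway output.

```shell
#!/bin/sh
# Added example (not the thread's own code): top-N counts per field from the
# formatted connections table. Assumed layout (from the post's grep patterns):
# one entry per line made of "Key: value;" pairs; entries without "Rule:" are
# treated as internal/dummy entries and ignored.

# Constructed sample standing in for "fw tab -t connections -u -f" output.
SAMPLE_TABLE="${TMPDIR:-/tmp}/fwconnectiontable.sample"
cat > "$SAMPLE_TABLE" <<'EOF'
Source: 10.0.0.5; SPort: 40001; Dest: 10.0.1.20; DPort: 443; IPP: 6; Rule: 13;
Source: 10.0.0.5; SPort: 40002; Dest: 10.0.1.21; DPort: 53; IPP: 17; Rule: 48;
Source: 10.0.0.7; SPort: 40003; Dest: 10.0.1.20; DPort: 443; IPP: 6; Rule: 13;
Source: 10.0.0.9; SPort: 0; Dest: 10.0.1.20; DPort: 0; IPP: 6; Rule: 13;
Source: 10.0.0.9; SPort: 40010; Dest: 10.0.1.30; DPort: 80; IPP: 6; Rule: 40;
Dest: 10.0.1.20; DPort: 443; IPP: 6;
EOF

# top_field FILE KEY [N]: print "count value" for the N (default 10) most
# common values of KEY, e.g. top_field /tmp/fwconnectiontable Rule 10
top_field() {
  awk -v key="$2" 'index($0, "Rule:") {
      n = split($0, parts, ";")
      for (i = 1; i <= n; i++) {
        sub(/^ +/, "", parts[i])
        if (index(parts[i], key ": ") == 1) {
          val = substr(parts[i], length(key) + 3)
          # DPort 0 entries are placeholders, not real services
          if (key == "DPort" && val == "0") next
          count[val]++
        }
      }
    }
    END { for (v in count) print count[v], v }' "$1" \
  | sort -rn | head -n "${3:-10}"
}

# On a gateway you would first run:
#   fw tab -t connections -u -f > /tmp/fwconnectiontable
# and point top_field at that file instead of the sample.
echo "Top Rules:";    top_field "$SAMPLE_TABLE" Rule
echo "Top Services:"; top_field "$SAMPLE_TABLE" DPort
echo "Top Sources:";  top_field "$SAMPLE_TABLE" Source
```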

  8. #8
    Join Date
    2014-10-03
    Posts
    14
    Rep Power
    0

    Default Re: Rule base optimization

    If you use smartlog, you can look at "Top firewall rules" there as well. If you manage several firewalls, search for "origin:name_of_firewall" so you get only rules for that firewall.

  9. #9
    Join Date
    2012-08-10
    Posts
    18
    Rep Power
    0

    Default Re: Rule base optimization

    Quote Originally Posted by mkguy View Post
    I'm not sure what the output your Check Point TAC provides looks like, but it's fairly simple to get some current statistics from this readable, formatted output file:
    Code:
    fw tab -t connections -u -f > /tmp/fwconnectiontable
    Note that this file seems to contain a lot of "duplicate" or dummy entries, probably for internal usage. From what I understand, every entry that contains a "Rule" statement represents a unique connection though there might be a better way to filter it. But the totals match up close with the FWs concurrent connection counter.

    So you can grep through the logs like this:
    Code:
    Top Rules:
    # grep Rule /tmp/fwconnectiontable | grep -oP 'Rule:[^;]+' | sort | uniq -c | sort -rn | head
      15478 Rule: 13
       6624 Rule: 48
       5207 Rule: 40
       1059 Rule: 29
       1025 Rule: 12
        540 Rule: 30
    [...]
    
    
    Top Services (Destination Ports): (Ignore the 0 DPort)
    # grep Rule /tmp/fwconnectiontable | grep -oP 'DPort:[^;]+' | sort | uniq -c | sort -rn | head
      46468 DPort: 0
      12503 DPort: 53
      10150 DPort: 80
       8125 DPort: 443
        253 DPort: 8080
         97 DPort: 123
         89 DPort: 25
    [...]
    
    
    Top Sources:
    # grep Rule /tmp/fwconnectiontable | grep -oP 'Source:[^;]+' | sort | uniq -c | sort -rn | head
      19319 Source: [REDACTED]
      12028 Source: [REDACTED]
       9511 Source: [REDACTED]
       5967 Source: [REDACTED]
    [...]
    And so on.

    You can also analyze firewall logs from your management with scripts like this:
    https://alpacapowered.wordpress.com/...is-rule-usage/
    You made my day :) This is exactly what I was looking for. I will build upon this information to further optimize.

    Thank you!!!!!!!
