I know , I know, I have to get out of this Checkpoint-only land and am working on this ,but for today again comes the awk travelling diary on the Checkpoint firewall roads. As I mentioned before once you export firewall logs into human-readable format you can do lots of interesting things – for example script that gives statistics of how many times each Security rule was hit .
Be aware that this counts explicit Security rules only – i.e. the ones you see in Security tab of the Smartdashboard. No other rules you usually see in Smartview Tracker are counted – e.g. SmartDefense,Web Filtering etc. Also afterwards I sort it by number of hits to see what rules are used most:
awk -F\; ‘ {match($0,/rule: +([0-9]+)/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print ” Rule number: ” rule_number ” Hits: ” rule_count[rule_number]}’ ./fw.log.txt | sort -n -k5
Rule number: Hits: 1197330 Ignore this line as it counts non-matched lines I dont want to filter with additional conditions and added time processing Rule number: 2 Hits: 9 Rule number: 5 Hits: 366 Rule number: 11 Hits: 12296 Rule number: 9 Hits: 14457 Rule number: 0 Hits: 17094 Rule number: 1 Hits: 44066 Rule number: 7 Hits: 233643 Rule number: 10 Hits: 366275 Rule number: 6 Hits: 424639
Hi,
I’m running this command, but do not get the result of all rules only the total hits.
I need to change some syntax for that to happen?
I’m just getting this result:
Rule number: Hits: 1565351
Thanks, Junior Toledo
Well , strange – I run today this script against NGX R65 and R70.10 and had expected results. Hard to say why it doesnt work for you w/o looking at the log file format you use, so …
BTW I think of rewriting this script to calculate hit counts based on rules ID and not numbers that change after you add/remove rules, so watch for update