awk weekly - Security rule hits statistics . Checkpoint


As I mentioned before once you export firewall logs into human-readable format you can do lots of interesting things - for example script that gives statistics of how many times each Security rule was hit . Be aware that this counts explicit Security rules only - i.e. the ones you see in Security tab of the Smartdashboard. No other rules you usually see in Smartview Tracker are counted - e.g. SmartDefense,Web Filtering etc. Also afterwards I sort it by number of hits to see what rules are used most:

awk -F\;  ' {match($0,/rule: +([0-9]+)/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: "  rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5 
    Rule number:  Hits: 1197330 <strong> Ignore this line as it counts non-matched lines I dont want to filter with additional conditions and added time processing</strong>
     Rule number: 2 Hits: 9
     Rule number: 5 Hits: 366
     Rule number: 11 Hits: 12296
     Rule number: 9 Hits: 14457
     Rule number: 0 Hits: 17094
     Rule number: 1 Hits: 44066
     Rule number: 7 Hits: 233643
     Rule number: 10 Hits: 366275
     Rule number: 6 Hits: 424639 

Update 2012 Below is the script to use Rule ID instead of Rule sequential numbers - this way changing rules order will not affect statistics. The script matches also non-security rules - e.g. email session id, that are a bit shorter then Rule ID, but I didn't want to slow down the processing with additional formatting .

awk -F\;  ' {match($0,/{([[:print:]]+)}/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: "  rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5 
    Rule number: D199972C-ED3E-4EB4-8B83-813333156D18 Hits: 175
     Rule number: 85A905A7-951E-4100-A4BA-E13333151D29 Hits: 219
     Rule number: 81333316-E942-4313-BB7D-E1333315802F Hits: 1519
     Rule number: 71333215-2DB5-4A3A-95BC-5080AD0F5564 Hits: 2298
     Rule number: 11331315-AE52-44E0-A42A-711029B5768E Hits: 3755
     Rule number: 01333315-D290-4B05-AFE7-23BF24D889FF Hits: 4116
     Rule number: 121FA62F-3885-4328-8090-BF1333315eB1 Hits: 399793
     Rule number: FE40E076-BAEB-4979-8E41-5EF1333315e6 Hits: 440101
     Rule number: BB3F6772-4D38-4D5A-952A-301333315de8 Hits: 1354341
    Running time for a file of 900 Mb with 4.7 million records
    real    5m50.287s
    user    4m22.890s
    sys     0m3.190s

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.