Check Point Firewall – Find Your Top 5 Rules Used on the CLI

An easy way to find out your top 5 used rules in R76 and above from the CLI (command-line interface) on your Check Point firewall is to type cpstat blades.  The command is not super intuitive, but it does produce results.

[Expert@CN-Gaia-A:0]# cpstat blades |grep -A9 "Top Rule"
Top Rule Hits
|rule index|rule count|
|Rule 0    |      1393|
|Rule 1    |       761|

Rule Order Matters

Check Point firewalls match packets against the rulebase from the first rule to the last, top to bottom, so the earlier a heavily used rule sits, the less work each packet costs.  SecureXL templates greatly speed up this matching.  However, there are exceptions to the templates: sometimes SecureXL isn't even turned on (check out how to identify and remedy that here).  Also, most people do not have time to tweak their SecureXL templates.

To Log or Not To Log

Common wisdom says that the best practice is to log everything. We agree to a certain extent.
Firewall performance can be greatly reduced if your firewall cannot log fast enough. We have seen that the top 5 rules generally account for 80% of logging. The Pareto Principle says that you can make a huge jump in performance of your firewall and disk storage on your Check Point manager and/or SIEM, if you disable logging of these top rules.

One Command to Rule Them All

Having one command for this is fantastic. Knowledge really isn't power, as we were always told, but applied knowledge definitely is. Let's produce some results with our new command. What if we wanted to find out our top 5 used rules for all firewalls running R76 and above in our enterprise? Running one command by hand across every gateway would take a long time.  Producing a manual report for manual remediation is right up there with watching paint dry. It sounds like an arduous task that could leave you verklempt. Check out how we can easily run the command for you and produce a report ready for action below.
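As an added example (not part of the original post or a Check Point tool), here is how the "Top Rule Hits" table that cpstat blades prints can be parsed and ranked for several gateways at once, so the per-firewall top 5 and each rule's share of logged hits land in one report. The sample output is constructed to resemble the page's snippet; the gateway names and the extra rule rows are invented.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `cpstat blades | grep -A9 "Top Rule"` from one gateway.
# The first two rows mirror the page; the rest are invented for illustration.
SAMPLE_CPSTAT = """\
Top Rule Hits
|rule index|rule count|
|Rule 0    |      1393|
|Rule 1    |       761|
|Rule 7    |       412|
|Rule 3    |       105|
|Rule 12   |        38|
|Rule 9    |         4|
"""

ROW_RE = re.compile(r"^\|Rule\s+(\d+)\s*\|\s*(\d+)\s*\|")

def parse_top_rule_hits(text: str) -> Dict[int, int]:
    """Return {rule_index: hit_count} from the 'Top Rule Hits' table in cpstat output."""
    hits: Dict[int, int] = {}
    in_table = False
    for line in text.splitlines():
        if line.strip() == "Top Rule Hits":
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if m:
            hits[int(m.group(1))] = int(m.group(2))
        elif line.startswith("|rule index"):
            continue            # column header row
        elif hits:
            break               # first non-row line after the data ends the table
    return hits

def top_rules(text: str, n: int = 5) -> List[Tuple[int, int, float]]:
    """Top-n rules as (rule_index, hits, share_of_total_hits), highest first."""
    hits = parse_top_rule_hits(text)
    total = sum(hits.values()) or 1
    ranked = sorted(hits.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(rule, count, count / total) for rule, count in ranked]

def fleet_report(outputs: Dict[str, str], n: int = 5) -> Dict[str, List[Tuple[int, int, float]]]:
    """Rank rules per gateway: {gateway: cpstat output} -> {gateway: top rules}."""
    return {gw: top_rules(out, n) for gw, out in outputs.items()}

if __name__ == "__main__":
    for gw, rows in fleet_report({"CN-Gaia-A": SAMPLE_CPSTAT}).items():
        print(gw)
        for rule, count, share in rows:
            print(f"  Rule {rule:<3} {count:>6} hits  {share:6.1%} of counted hits")
```

The share column is what tells you whether a rule is worth moving up the rulebase or having its logging reviewed; feed each gateway's captured output in as the dictionary value.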

