Check Point FireWall-1 rule check script
I wrote the following script to count the number of times each rule is matched in our Check Point FireWall-1 security policy. The script is run once per week, before the Check Point FireWall-1 logs are rotated.

You can optimize the rulebase by moving the most frequently matched rules to the top of the security policy; the script can also help identify rules that are no longer used.
#!/bin/sh
# Variables
# TMP_OUTPUT is the file to store temporary output. mktemp gives it an
# unpredictable name, so another local user cannot pre-create or symlink a
# fixed path such as /tmp/fw_rule_check.tmp before the script writes to it.
# RECIPIENTS is a list of email recipients
TMP_OUTPUT=`mktemp /tmp/fw_rule_check.XXXXXX` || exit 1
RECIPIENTS=user@example.com
# Remove the temporary output file when the script exits, however it exits
trap 'rm -f "$TMP_OUTPUT"' 0
/usr/bin/echo "Starting time: `date`\n" >> "$TMP_OUTPUT"
/usr/bin/echo "Rule\tCount" >> "$TMP_OUTPUT"
/usr/bin/echo "----\t-----" >> "$TMP_OUTPUT"
# For every line returned by "fw log", count the rule.
# The "rule (number)" is not in the same place on every line, so Perl
# is used to extract the rule number; sort/uniq count each number and
# awk swaps the columns so the rule comes first.
/opt/CKPfw/bin/fw log | /usr/bin/perl -ne 'print "$1\n" if /rule\s(\d+)/' | \
/usr/bin/sort -n | /usr/bin/uniq -c | /usr/bin/awk '{print $2 "\t" $1}' >> "$TMP_OUTPUT"
/usr/bin/echo "\nEnding time: `date`" >> "$TMP_OUTPUT"
/usr/bin/mailx -s "Firewall rule check" "$RECIPIENTS" < "$TMP_OUTPUT"
Example output:

Starting time: Sat Dec 7 22:00:00 CST 2002

Rule    Count
----    -----
0       147262
2       1
4       886295
6       19650
7       13993
8       13160
11      142
12      3741
14      5114
20      8
28      33
40      1878
41      505
52      162
53      3
54      3
56      40
57      88
58      28502
59      258141
60      106993

Ending time: Sun Dec 8 02:02:24 CST 2002
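As an added example (not part of the original page), here is the Perl/sort/uniq/awk stage of the pipeline rewritten in Python, with the two uses the text mentions made explicit: ranking rules by hit count and flagging policy rules that never appear in the log. The log lines are constructed to resemble "fw log" output, and the set of rule numbers passed to rule_report is an assumed input, since the log alone cannot reveal rules that were never matched.

```python
import re
from collections import Counter

# Constructed sample of "fw log"-style lines (not taken from a real firewall).
# One control line carries no rule reference and must be skipped.
SAMPLE_LOG = """\
7Dec2002 22:00:01 accept fw1 >hme0 proto tcp src 10.0.0.5 dst 192.0.2.10 service http s_port 1234 len 44 rule 4
7Dec2002 22:00:02 drop fw1 <hme1 proto udp src 198.51.100.7 dst 192.0.2.10 service 137 s_port 137 len 78 rule 60
7Dec2002 22:00:03 accept fw1 >hme0 proto tcp src 10.0.0.9 dst 192.0.2.20 service smtp s_port 1235 len 44 rule 4
7Dec2002 22:00:04 ctl fw1 log started
7Dec2002 22:00:05 accept fw1 <hme1 rule 0 proto icmp src 203.0.113.3 dst 192.0.2.1 icmp-type 8
"""

# Same pattern the page's Perl stage uses: the rule number can sit anywhere on the line.
RULE_RE = re.compile(r"rule\s(\d+)")


def count_rule_hits(log_text):
    """Return {rule_number: hit_count} for every line that carries 'rule N'.
    Lines without a rule reference (e.g. control messages) are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
    return dict(counts)


def rule_report(counts, policy_rules):
    """Order rules by hit count (most matched first, ties by rule number) and
    list the policy rules that never appear in the log.
    policy_rules is the assumed set of rule numbers in the installed policy."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    unused = sorted(r for r in policy_rules if r not in counts)
    return ranked, unused


if __name__ == "__main__":
    hits = count_rule_hits(SAMPLE_LOG)
    ranked, unused = rule_report(hits, policy_rules={0, 2, 4, 6, 60})
    print("Rule\tCount")
    for rule, n in ranked:
        print(f"{rule}\t{n}")
    print("Unused rules:", unused)
```

Rule 0 shows up in both this sample and the page's real output because implied rules are logged under that number, so it is not evidence of a misconfigured rulebase.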
Last modified: 09/29/2004