Check Point FireWall-1 rule check script

I wrote the following script to count the number of times each rule is matched in our Check Point FireWall-1 security policy. The script is run once per week before the Check Point FireWall-1 logs are rotated.

You can optimize the rulebase by moving the most frequently accessed rules to the top of the security policy; the script can also help identify rules that are no longer used.

#!/bin/sh

# Variables
# TMP_OUTPUT is the file to store temporary output
# RECIPIENTS is a list of email recipients

TMP_OUTPUT=/tmp/fw_rule_check.tmp
RECIPIENTS=user@example.com

# Remove the temporary output file if it exists
[ -f "$TMP_OUTPUT" ] && rm "$TMP_OUTPUT"

# /usr/bin/echo is used because it interprets the \t and \n escapes
/usr/bin/echo "Starting time: `date`\n" >> "$TMP_OUTPUT"
/usr/bin/echo "Rule\tCount" >> "$TMP_OUTPUT"
/usr/bin/echo "----\t-----" >> "$TMP_OUTPUT"

# For every line returned by "fw log," count the rule.
# The "rule (number)" is not in the same place on every line, so Perl
# is used to extract the rule. "sort -n | uniq -c" then counts each
# rule number, and awk swaps the columns into "rule<TAB>count".
/opt/CKPfw/bin/fw log | /usr/bin/perl -ne 'print "$1\n" if /rule\s(\d+)/' | \
   /usr/bin/sort -n | /usr/bin/uniq -c | /usr/bin/awk '{print $2 "\t" $1}' >> "$TMP_OUTPUT"

/usr/bin/echo "\nEnding time: `date`" >> "$TMP_OUTPUT"

# RECIPIENTS is left unquoted so that a space-separated list is passed as
# separate addresses to mailx
/usr/bin/mailx -s "Firewall rule check" $RECIPIENTS < "$TMP_OUTPUT"

rm "$TMP_OUTPUT"

Example output:

Starting time: Sat Dec  7 22:00:00 CST 2002

Rule    Count
----    -----
0       147262
2       1
4       886295
6       19650
7       13993
8       13160
11      142
12      3741
14      5114
20      8
28      33
40      1878
41      505
52      162
53      3
54      3
56      40
57      88
58      28502
59      258141
60      106993

Ending time: Sun Dec  8 02:02:24 CST 2002
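As an added example (not the page's own script), here is the same counting done in portable sh against a constructed sample of fw log lines, extended to list the policy rules with zero hits, which the page names as a use of the counts but which the script above leaves to the reader to spot by eye. The log lines, their field layout and the POLICY_RULES list are constructed for the example; real fw log lines look different, and the rule list would come from the installed rulebase.

```shell
#!/bin/sh
# Added example, not the original page's script: count "rule N" hits in
# FireWall-1 "fw log" output and report policy rules with no hits.

# Constructed sample of fw log lines (hypothetical, layout simplified);
# only the "rule N" token matters, as in the original Perl regex.
SAMPLE_LOG='22:00:01 accept eth0 >eth1 rule 4 src 10.0.0.5 dst 10.0.1.9 service http
22:00:02 drop eth0 >eth1 rule 0 src 192.0.2.7 dst 10.0.1.9 service telnet
22:00:03 accept eth0 >eth1 rule 4 src 10.0.0.6 dst 10.0.1.9 service http
22:00:04 accept eth1 >eth0 rule 59 src 10.0.1.9 dst 10.0.0.5 service dns
22:00:05 reject eth0 >eth1 rule 60 src 198.51.100.2 dst 10.0.1.9 service ssh
22:00:06 accept eth0 >eth1 rule 4 src 10.0.0.7 dst 10.0.1.9 service http'

# Rule numbers in the installed policy (constructed; a real run would
# take this list from the rulebase, which this example does not parse).
POLICY_RULES='0 2 4 59 60 61'

# count_rule_hits: fw log lines on stdin -> "rule<TAB>count" per rule,
# most-hit rule first (ties by rule number), ready for policy reordering.
count_rule_hits() {
    sed -n 's/.*rule \([0-9][0-9]*\).*/\1/p' |
        sort -n | uniq -c |
        awk '{ printf "%s\t%s\n", $2, $1 }' |
        sort -k2,2nr -k1,1n
}

# hits_for_rule RULE: hit count of one rule in SAMPLE_LOG, 0 if absent.
hits_for_rule() {
    n=$(printf '%s\n' "$SAMPLE_LOG" | count_rule_hits |
        awk -F '\t' -v r="$1" '$1 == r { print $2 }')
    printf '%s\n' "${n:-0}"
}

# unused_rules: policy rules that never matched, one per line.
unused_rules() {
    for r in $POLICY_RULES; do
        [ "$(hits_for_rule "$r")" -eq 0 ] && printf '%s\n' "$r"
    done
    return 0
}

# Against live logs, replace the printf with:  /opt/CKPfw/bin/fw log
printf 'Rule\tCount\n'
printf '%s\n' "$SAMPLE_LOG" | count_rule_hits
printf 'Unused rules: %s\n' "$(unused_rules | tr '\n' ' ')"
```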

Last modified: 09/29/2004