Monday, 14 May 2012

CP hitcount - A Python rule-hit counter for Check Point

This is something I was working on a while ago. I needed a way to chew through a large amount of Check Point logs and find out which rules in the rulebase were actually being hit, by matching the rule UUID recorded in each log entry against the UUIDs of the rules in the rulebase. R75.40 has since implemented this to some degree with the hit counter in the dashboard, but the tool might still be useful for anyone who wants to make some pretty graphs out of it.
It requires you to export your logs to text format, either with SmartView Tracker (which seems to take forever) or with 'fwm logexport' (a script is included if you want to modify it). All code is provided as is; drop me a comment if you find any use for it!

I don't have any formal instructions, but the comments should be enough to get you through. It's all Python 2.6 but should work in 2.7. Not tested in 3.x. When you've got the code downloaded, run analyse.py and point the script at your rulebases_5.0.fws and your text log file. It will churn through the log file and should spit out an HTML file showing which rules are hit, how many times, and which are never hit. It's not perfect, but it's a good starting point for clearing out a rulebase.
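The counting step described above, as an added example rather than the post's own analyse.py/logFunc.py code. It is Python 3 (the original tool is Python 2.6), takes the rulebase as a list of (number, name, UUID) tuples instead of parsing rulebases_5.0.fws, and runs over a constructed semicolon-delimited log sample shaped like an 'fwm logexport' file. The UUID column name 'rule_uid' is an assumption; change it if your export names the column differently. Beyond the basic count it handles the three things that bite in practice: records with no rule UUID, UUIDs in the log that no longer exist in the rulebase, and rule names that must be escaped before they go into the HTML report.

```python
"""Rule-hit counter over a Check Point text log export (Python 3).

Added illustration, not the post's own code: rules are given as
(number, name, UUID) tuples instead of being parsed from rulebases_5.0.fws,
and the log is a constructed sample shaped like a semicolon-delimited
'fwm logexport' file.  The UUID column is ASSUMED to be named 'rule_uid';
pass uid_field=... if your export names it differently.
"""
import csv
import html
import io
import sys
from collections import Counter

# Constructed sample rulebase: (rule number, rule name, rule UUID).
SAMPLE_RULES = [
    (1, "Allow DNS out", "{11111111-1111-1111-1111-111111111111}"),
    (2, "Allow HTTP out", "{22222222-2222-2222-2222-222222222222}"),
    (3, "Legacy FTP <old>", "{33333333-3333-3333-3333-333333333333}"),
    (4, "Cleanup", "{44444444-4444-4444-4444-444444444444}"),
]

# Constructed sample export (header line + records).  Record 4 carries no rule
# UUID (e.g. an audit record); record 5 names a UUID that is not in the rulebase
# (a rule deleted after the log was written), which must not be dropped silently.
SAMPLE_LOG = """\
num;date;time;orig;action;rule;rule_uid;src;dst;service
0;14May2012;10:00:01;fw1;accept;1;{11111111-1111-1111-1111-111111111111};10.0.0.5;8.8.8.8;domain-udp
1;14May2012;10:00:02;fw1;accept;2;{22222222-2222-2222-2222-222222222222};10.0.0.6;198.51.100.7;http
2;14May2012;10:00:03;fw1;accept;1;{11111111-1111-1111-1111-111111111111};10.0.0.7;8.8.4.4;domain-udp
3;14May2012;10:00:04;fw1;drop;4;{44444444-4444-4444-4444-444444444444};10.0.0.8;10.0.1.1;telnet
4;14May2012;10:00:05;fw1;accept;;;10.0.0.9;10.0.0.1;ssh
5;14May2012;10:00:06;fw1;accept;7;{77777777-7777-7777-7777-777777777777};10.0.0.10;10.0.2.2;smtp
"""


def parse_log_export(lines, uid_field="rule_uid"):
    """Stream an export and count records per rule UUID.

    Takes any iterable of lines (a file object works, so a multi-GB export is
    never loaded into memory).  Returns (Counter of uid -> hits, number of
    records skipped because they had no UUID).  Raises ValueError if the header
    lacks uid_field, rather than silently reporting every rule as unused.
    """
    reader = csv.DictReader(lines, delimiter=";")
    if not reader.fieldnames or uid_field not in reader.fieldnames:
        raise ValueError("export header has no %r column" % uid_field)
    counts, skipped = Counter(), 0
    for row in reader:
        uid = (row.get(uid_field) or "").strip()  # short rows give None
        if not uid:
            skipped += 1
            continue
        counts[uid] += 1
    return counts, skipped


def count_hits(rules, lines):
    """Join the per-UUID counts back onto the rulebase.

    Returns (per_rule, unknown, skipped): per_rule is a list of
    (number, name, uid, hits) in rulebase order; unknown maps UUIDs seen in
    the log but absent from the rulebase to their counts.
    """
    counts, skipped = parse_log_export(lines)
    known = {uid for _, _, uid in rules}
    per_rule = [(num, name, uid, counts.get(uid, 0)) for num, name, uid in rules]
    unknown = {uid: n for uid, n in counts.items() if uid not in known}
    return per_rule, unknown, skipped


def unused_rules(per_rule):
    """Rule numbers with zero hits: the candidates for removal."""
    return [num for num, _, _, hits in per_rule if hits == 0]


def render_html(per_rule, unknown, skipped):
    """Build the report.  Rule names come from the rulebase, which anyone with
    write access to the policy can edit, so they are escaped before being put
    into HTML; otherwise a rule named '<script>...' would run in the browser
    of whoever opens the report."""
    out = ['<table class="hitcount">',
           "<tr><th>#</th><th>Rule</th><th>UUID</th><th>Hits</th></tr>"]
    for num, name, uid, hits in per_rule:
        cls = "unused" if hits == 0 else "hit"
        out.append('<tr class="%s"><td>%d</td><td>%s</td><td>%s</td><td>%d</td></tr>'
                   % (cls, num, html.escape(name), html.escape(uid), hits))
    out.append("</table>")
    for uid, hits in sorted(unknown.items()):
        out.append("<p>UUID %s not in rulebase: %d hits</p>" % (html.escape(uid), hits))
    out.append("<p>%d records had no rule UUID and were skipped</p>" % skipped)
    return "\n".join(out)


if __name__ == "__main__":
    # With a path: count hits in that export against SAMPLE_RULES.
    # Without one: run on the embedded sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            result = count_hits(SAMPLE_RULES, f)
    else:
        result = count_hits(SAMPLE_RULES, io.StringIO(SAMPLE_LOG))
    print(render_html(*result))
```

Run it with no arguments to see the report for the embedded sample (rule 3 comes out unused, rule 7's UUID is reported as not in the rulebase, one record is skipped), or pass the path of a real export. The file is streamed line by line, so exports from a long date range do not need to fit in memory.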


analyse.py : Run this and follow the prompts

fwlog2txt.sh : Dumps logs in a particular date range to a big text file for use with the tool. To be run on your gateway / SmartCenter

logFunc.py : The modules and routines called by analyse.py

style.css : Not essential, but makes the HTML output a little prettier

Sample output from the CP hitcount tool
