Importing Rule Usage from Check Point Devices

You can run reports or APG for a Check Point device whose rule usage logs are not in SecureTrack by retrieving the logs from the management device and importing them into SecureTrack from the command line. After you retrieve the rule usage logs from the device, you can also filter them so that only the entries relevant to your analysis are imported.

To import rule usage logs from a Check Point device:

  1. Export the log file from the Check Point management device; run: fwm log export
  2. Use grep or awk commands to remove any log entries that are not needed and to convert the remaining entries to this format:

    Source-IP Destination-IP Port IP-Protocol Number Action Date Time;

  3. Import the edited log file into SecureTrack; run:
    # st_rule_usage_importer <DeviceID> <PolicyName> <ModuleName> < <InputFileName>

    Where:

    DeviceID – The SecureTrack ID of the Check Point management device; to find the device ID, open a command line connection to the SecureTrack server and run: st stat

    PolicyName – The name of the Check Point policy on the device

    ModuleName – The name of the module that is managed by the device with the specified DeviceID.

    InputFileName – The name of the edited rule usage log file

Sample Code

The following example demonstrates how to use sed and awk to create a file with the required format:

# cat sample.log

1 31-Oct-21 23:58:59 accept 10.245.43.13 10.230.10.215 udp 902

2 31-Oct-21 23:58:59 accept 192.168.11.30 192.168.205.172 tcp 80

3 31-Oct-21 23:58:59 accept 10.245.31.2 10.245.34.3 udp 53

# cat sample.log | sed 's/udp/17/g' | sed 's/tcp/6/g' | awk '{print $5 " " $6 " " $8 " " $7 " " $1 " " $4 " " $2 " " $3}' > transformed.log

# cat transformed.log

10.245.43.13 10.230.10.215 902 17 1 accept 31-Oct-21 23:58:59

192.168.11.30 192.168.205.172 80 6 2 accept 31-Oct-21 23:58:59

10.245.31.2 10.245.34.3 53 17 3 accept 31-Oct-21 23:58:59

#
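The following shell functions are an added example, not part of the Tufin documentation or the Check Point product; they perform the same reordering as the sed/awk pipeline above (step 2 of the procedure) but with an exact-field protocol lookup instead of a global text substitution, so a protocol name that happens to appear inside an address or host name is never rewritten, and lines that do not have the expected eight fields are reported and dropped rather than silently producing a broken record. The input layout (Number Date Time Action Source-IP Destination-IP Protocol Port) and the extra ICMP and malformed lines in the sample are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not Tufin's or Check Point's code). Assumes the exported
# log uses the layout shown in sample.log above:
#   Number Date Time Action Source-IP Destination-IP Protocol Port

# write_sample <file>
# Writes constructed sample input: the three lines from the page plus an
# ICMP entry and a malformed line that the transformation must drop.
write_sample() {
  cat > "$1" <<'EOF'
1 31-Oct-21 23:58:59 accept 10.245.43.13 10.230.10.215 udp 902
2 31-Oct-21 23:58:59 accept 192.168.11.30 192.168.205.172 tcp 80
3 31-Oct-21 23:58:59 accept 10.245.31.2 10.245.34.3 udp 53
4 31-Oct-21 23:59:01 drop 10.0.0.5 10.0.0.6 icmp 0
this line is malformed
EOF
}

# transform_log <in> <out>
# Reorders each record to the importer format
#   Source-IP Destination-IP Port IP-Protocol Number Action Date Time
# Protocol names are mapped to IANA protocol numbers by matching the whole
# field (tcp=6, udp=17, icmp=1); a field that is already numeric is kept.
# Records with the wrong number of fields or an unknown protocol are
# reported on stderr and skipped.
transform_log() {
  awk '
    BEGIN { proto["tcp"] = 6; proto["udp"] = 17; proto["icmp"] = 1 }
    NF != 8 { print "skipping malformed line " NR ": " $0 > "/dev/stderr"; next }
    {
      p = tolower($7)
      if (p in proto) {
        p = proto[p]                      # name -> IANA number
      } else if (p !~ /^[0-9]+$/) {
        print "unknown protocol on line " NR ": " $7 > "/dev/stderr"
        next
      }
      print $5, $6, $8, p, $1, $4, $2, $3
    }
  ' "$1" > "$2"
}

# count_lines <file> : number of records written, for a quick sanity check
# before feeding the file to st_rule_usage_importer
count_lines() { wc -l < "$1" | tr -d ' '; }
```

Usage: `transform_log exported.log transformed.log`, then compare `count_lines transformed.log` against the number of lines you expected to keep; any difference is explained by the messages on stderr.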