Importing Rule Usage from Check Point Devices

Overview

You can run reports or APG for a Check Point device that you do not have rule usage logs for in SecureTrack, by retrieving the logs from the management device and importing them into SecureTrack from the command line. After you retrieve the rule usage logs from the device, you can also edit the logs to focus on the logs that are important to your analysis.

Import Rule Usage Logs

  1. Run the following command to export the log file from the Check Point management device: fwm log export
  2. Use grep or awk commands to remove any log files that are not necessary and to change the logs to this format:

    Source-IP Destination-IP Port IP-Protocol Number Action Date Time;

  3. Get into the device-collector pod.

    # kubectl exec -it deployment/device-collector -c device-collector -- bash
  4. Import the edited log file into SecureTrack:
    # st_rule_usage_importer <DeviceID> <PolicyName> <ModuleName> < <InputFileName>

    where

    • DeviceID: SecureTrack ID of the Check Point management device. To find the device ID, in SecureTrack:

      1. Navigate to Monitoring > Manage Devices.

      2. Click a device in the device tree.
      3. Type the letter "t".

        The ID for every device appears.

    • PolicyName: Name of the Check Point policy on the device.

    • ModuleName: Name of the module that is managed by the device with the specified DeviceID.

    • InputFileName: Name of the edited rule usage log file.

Sample Code

The following example demonstrates how to use sed and awk to create a file with the required format:

# cat sample.log

1 31-Oct-21 23:58:59 accept 10.245.43.13 10.230.10.215 udp 902

2 31-Oct-21 23:58:59 accept 192.168.11.30 192.168.205.172 tcp 80

3 31-Oct-21 23:58:59 accept 10.245.31.2 10.245.34.3 udp 53

# cat sample.log | sed 's/udp/17/g' | sed 's/tcp/6/g' | awk '{print $5 " " $6 " " $8 " " $7 " " $1 " " $4 " " $2 " " $3}' > transformed.log

# cat transformed.log

10.245.43.13 10.230.10.215 902 17 1 accept 31-Oct-21 23:58:59

192.168.11.30 192.168.205.172 80 6 2 accept 31-Oct-21 23:58:59

10.245.31.2 10.245.34.3 53 17 3 accept 31-Oct-21 23:58:59