Analyzing the Rule Base Hit Count
Use the Hit Count feature to show the number of connections that each rule matches.
Use the Hit Count data to:
- Analyze a Rule Base - You can delete rules that have no matching connections
  Note - If you see a rule with a zero Hit Count, it only means that there were no matching connections on the Security Gateways that have Hit Count enabled. There can be matching connections on other Security Gateways.
- Better understand the behavior of the Access Control Policy
The Hit Count value appears as:
- The percentage of the rule hits from total hits
- The indicator level (very high, high, medium, low, or zero)
The percentage and indicator level are configured in the Access Control Policy Rule Base.
When you enable Hit Count, the Security Management Server collects the data from supported Security Gateways (version R75.40 and higher).
Hit Count works independently from logging and tracks the hits even if the Track option is None.
Note - From R81, Hit Count is also supported in the NAT Rule Base (requires Security Gateways R81 and higher).
Enabling or Disabling Hit Count
By default, Hit Count is globally enabled for all supported Security Gateways. The timeframe setting that defines the data collection time range is configured globally. If necessary, you can disable Hit Count for one or more Security Gateways.
After you enable or disable Hit Count, you must install the Policy for the Security Gateway to start or stop collecting data.
- In SmartConsole, click > Global properties.
- Select Hit Count from the tree.
- Select the options:
  - Enable Hit Count - Select this option to have all Security Gateways monitor the number of connections each rule matches, or clear it to disable monitoring.
  - Keep Hit Count data up to - Select one of the time range options. The default is 3 months. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
- Click OK.
- Install the Policy.
To enable or disable Hit Count on each Security Gateway:
- From the Gateway Properties for the Security Gateway, select Hit Count from the navigation tree.
- Select Enable Hit Count to enable the feature or clear it to disable Hit Count.
- Click OK.
- Install the Policy.
Hit Count Display
These are the options you can configure for how matched connection data is shown in the Hits column:
- Value - Shows the number of matched hits for the rule from supported Security Gateways. Connection hits are not accumulated in the total Hit Count for:
  - Security Gateways that are not supported
  - Security Gateways that have disabled the Hit Count feature
  The values are shown with these letter abbreviations:
  - K = 1,000
  - M = 1,000,000
  - G = 1,000,000,000
  - T = 1,000,000,000,000
  For example, 259K represents 259 thousand connections, and 2M represents 2 million connections.
- Percentage - Shows the percentage of the number of matched hits for the rule from the total number of matched connections. The percentage is rounded to a tenth of a percent.
- Level - The Hit Count level is a label for the range of hits according to the table.
  The Hit Count range = Maximum hit value - Minimum hit value (does not include zero hits)

| Hit Count Level | Range |
|---|---|
| Zero | 0 hits |
| Low | Less than 10 percent of the Hit Count range |
| Medium | Between 10 - 70 percent of the Hit Count range |
| High | Between 70 - 90 percent of the Hit Count range |
| Very High | Above 90 percent of the Hit Count range |
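
The display rules above (abbreviated Value, Percentage rounded to a tenth, Level taken from the Hit Count range) and the zero Hit Count note can be applied to exported per-gateway counts, as in this added Python example, which is not Check Point code. The rule names, gateway names and counts are constructed; truncation in the abbreviations, half-up rounding, direct comparison of hits with 10/70/90 percent of the range, and the handling of boundary values are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample: hits per rule per gateway. None = that gateway reports no
# Hit Count data (unsupported version, or Hit Count disabled on it).
SAMPLE = {
    "1 Allow-DNS":  {"gw-a": 2_000_000, "gw-b": None},
    "2 Allow-Web":  {"gw-a": 259_300,   "gw-b": None},
    "3 Legacy-FTP": {"gw-a": 0,         "gw-b": None},
    "4 Mgmt-SSH":   {"gw-a": 1_450,     "gw-b": None},
    "5 Backup":     {"gw-a": 1_500_000, "gw-b": None},
}

def abbreviate(n):
    # K/M/G/T abbreviations from the page; truncating the remainder is an assumption.
    for suffix, unit in (("T", 10**12), ("G", 10**9), ("M", 10**6), ("K", 10**3)):
        if n >= unit:
            return f"{n // unit}{suffix}"
    return str(n)

def level(hits, hit_range):
    # Assumption: hits are compared directly with 10/70/90 percent of the range,
    # and a value exactly on a boundary falls in the higher band.
    if hits == 0:
        return "Zero"
    for label, pct in (("Low", 10), ("Medium", 70), ("High", 90)):
        if hits * 100 < pct * hit_range:
            return label
    return "Very High"

def analyze(hits_by_rule):
    # Only gateways that report data contribute to a rule's total.
    totals = {r: sum(h for h in gws.values() if h is not None)
              for r, gws in hits_by_rule.items()}
    nonzero = [t for t in totals.values() if t > 0]
    hit_range = max(nonzero) - min(nonzero) if nonzero else 0  # zero hits excluded
    grand = sum(nonzero)
    report = {}
    for rule, total in totals.items():
        # Rounded to a tenth of a percent (half-up rounding is an assumption).
        pct = (Decimal(total * 100) / Decimal(grand)).quantize(
            Decimal("0.1"), rounding=ROUND_HALF_UP) if grand else Decimal("0.0")
        # Gateways with no data: a zero total does not show the rule is unused there.
        blind = sorted(g for g, h in hits_by_rule[rule].items() if h is None)
        report[rule] = {"value": abbreviate(total), "percent": str(pct),
                        "level": level(total, hit_range),
                        "verify_on": blind if total == 0 else []}
    return report

if __name__ == "__main__":
    for rule, row in analyze(SAMPLE).items():
        print(rule, row)
```

A zero-hit rule with a non-empty verify_on list is a candidate for review on those gateways before deletion, not proof that the rule is unused.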
To show the Hit Count in the Rule Base:
Right-click the heading row of the Rule Base and select Hits.
- Right-click the rule number of the rule.
- Select Hit Count and one of these options (you can repeat this action to configure more options):
  - Timeframe - Select All, 1 day, 7 days, 1 month, or 3 months
  - Display - Select Percentage, Value, or Level

- Right-click the rule number of the rule.
- Select Hit Count > Refresh.