Policy Insights

Policy Insights helps administrators analyze and optimize the policy Rule Base All rules configured in a given Security Policy. Synonym: Rulebase., by offering detailed insights and visualizations. The Check Point Cloud Services analyze traffic and policies and provide suggestions to changing the Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Base based on this information. The suggestions are generated according to internal scheduling. A cleaner and more efficient Rule Base makes it easier to manage the security policies Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection., and helps reduce vulnerabilities.

Prerequisites

• R81.20 Jumbo Hotfix Accumulator Take 99 or higher

• R81.20 SmartConsole Releases Build 663 or higher

Supported Objects

Policy Insights supports these objects:

• In the Source and Destination columns:

  • Hosts

  • Networks

  • Groups

• Services and Service Groups:

  • icmp

  • icmp6

  • rpc

  • tcp

  • udp

  • dce-rpc

The Extracted Data

Only traffic-related information is extracted from the Check Point logs.

The traffic logs are processed on the log server, and a highly compressed subset of the traffic data is sent to Azure.

These fields are used for data extraction:

Field	Description	Example
service	connection (service destination port	443
calc_service	calculate service name	https
proto	protocol number	6
src	source IP	192.168.1.112
dst	Destination IP	23.227.38.74
action	Rule match action	Accept
orig	Gateway Origin	cp_mgmt
time	Log time (by day)	2025-06-18T00:00:00:000
rule_name	Name of the Access Control rule (match table)	clean up
rule_action (by layer)	Rule action by layer (match table)	("Accept")
rule_uid	Rule ID in the Access Control policy to which the connection was matched (match table)	["0E3B6901-8AB0-4b1e-A317-8BE33055FB44"]
layer_match_table	Layer ID (table)	["024b3a8f-b24e-4df8-b3ee-17009886dad5"]
count	Connection number	301

Prerequisites

Connect your Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. to the Infinity Portal. See To connect from your Security Management Server and Security Gateway objects from SmartConsole to the Infinity Portal for instructions.

Note - There is no need to enable Log Sharing or Configuration Sharing.

Working with Policy Insights

To access the Policy Insights window

1. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to the Security Policies view > Access Control > Policy.

2. Above the Rule Base, click the Insights button.

   The Policy Insights window opens.

Components of the Policy Insights Window

The Policy Insights window is comprised of 3 sections:

• The Suggestions section

  This section provides you with actionable recommendations to optimize your Security Policy Rule Base. The Suggestions section is divided into categories, such as: Remove unmatched objects, Replace existing objects and so on. Hover over each.

  You can filter the suggestions based on these categories:

  • Show only top suggestions - Suggestions with the highest security impact.

  • Show suggestions (default) - Valuable suggestions.

  • Include low confidence suggestions - Suggestions for new rules, rules that changed recently, or other cases when data is limited.

  For each suggestion, you can select one of these options:

  • Apply - Make the suggested change in the Rule Base.

  • Decline - Reject the change. The suggestion is moved to the Declined suggestions section.

  • Decide later - Move the suggestion to the Decide later section. The suggestion remains available for use in the future.

  After you select an option, publish your changes and install policy.

• The Decide later section

  This section includes suggestions which were originally in the suggestions section and which you moved to the Suggestions section.

  To use a suggestion from the Decide later section

  1. Select the required suggestion and click the Move back button.

  2. In the Suggestions section, select the required suggestion and click Apply.

  3. Publish your changes and Install Policy.

• The Declined suggestions section

  This section includes suggestions which were originally in the suggestions section and which you moved to the Suggestions section.

  To use a suggestion from the Declined suggestions section

  1. Select the required suggestion and click the Undo decline button.

  2. In the Suggestions section, select the required suggestion and click Apply.

  3. Publish your changes and Install Policy.

In each category in the Policy Insights window, you can see the latest date on which the presented information is based.

The number in each category represents the number of suggestions for this category.

Next to each suggestion, one of these options appears:

• : Recommended - Suggestions with high security impact and high confidence.

• No icon - Suggestions with security impact but no conclusive confidence due to limited data.

• : Low Confidence - Not enough logs and time to have conclusive confidence. For example, new rules, rules that changed recently, or other cases when data is limited.

You can export the information in the Policy Insights window as a CSV file. To do so, click the Export to CSV button, at the bottom left corner of the Policy Insights window.

To see suggestions for a specific rule

1. In the Access Control policy, select the required rule.

2. In the bottom pane, click the Insights tab.

3. Click the Open button to open the Policy Insights window.

4. In the Policy Insights window, select the required action.

5. Publish your changes and Install Policy.