Policy Insights

Policy Insights analyzes your Access Control policies and network traffic to identify opportunities for optimization. It examines traffic patterns and policy configurations, makes rules more restrictive, and eliminates unnecessary access, to improve security posture.

Policy Insights are calculated in Check Point's Infinity Cloud using uploaded policy and telemetry data. The calculation process:

• Runs every two weeks

• Analyzes traffic patterns against policy configurations

• Generates actionable recommendations

Known Limitations

Policy Insights only analyzes rules that meet these criteria:

• The Action is Accept, Ask, or Inform.

• The Track column cannot be set to None.

• To create insights in the Source and Destination columns, objects in these columns must be of type Any, Host, Network, Group and Security Gateways / Security Clusters (using IPv4).

• Insights that modify the Services & Applications column require that this column contains only these types of objects: tcp/udp services, icmp, rpc and dce-rpc.

• In Multi-Domain Security Management, only Domain rules are analyzed.

Prerequisites

• R81.20 Jumbo Hotfix Accumulator Take 99 or higher

• R81.20 SmartConsole Releases Build 663 or higher

• Auto-update package (afw_AutoUpdate) version 71 or higher. The auto-update package is usually installed automatically when version and Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. requirements are met. For manual installation instructions, see sk183421.

Supported Objects

Policy Insights supports these objects:

• In the Source and Destination columns:

  • Hosts

  • Networks

  • Groups

• In the Services and Service Groups:

  • icmp

  • icmp6

  • rpc

  • tcp

  • udp

  • dce-rpc

 

The Extracted Data

Extracted Data Objects

Policy Insights upload these database objects to the cloud to support the generation of improved policy suggestions:

• Network Objects

• Services

• Time objects

• VPN Communities

• Security Zones

• Global properties

• Data center objects

• Policy packages, Layers and rules.

• Domain names

Extracted Log Fields

Policy Insights uses log telemetry to determine traffic patterns without the need to send complete logs to the cloud. Only traffic-related information is extracted from the Check Point logs.

When Policy Insights is active, the Log Telemetry service scans all logs and processes only the relevant logs and fields that are required for the Policy Insights calculation.

The data from these logs is processed on the Log Server Dedicated Check Point server that runs Check Point software to store and process logs. and not the Infinity Portal.

Collected data fields:

Field	Description	Example
service	Connection (service destination port)	443
calc_service	Calculate service name	https
proto	Protocol number	6
src	Source IP address	192.168.1.112
dst	Destination IP address	23.227.38.74
action	Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. match action	Accept
orig	Gateway Origin	cp_mgmt
time	Log time (by day)	2025-06-18T00:00:00:000
rule_name	Name of the Access Control rule (match table)	Clean up
rule_action (by layer)	Rule action by layer (match table)	("Accept")
rule_uid	Rule ID in the Access Control policy to which the connection was matched (match table)	["0E3B6901-8AB0-4b1e-A317-8BE33055FB44"]
layer_match_table	Layer ID (table)	["024b3a8f-b24e-4df8-b3ee-17009886dad5"]
count	Connection number	301

Note - For more information regarding compliance and privacy, visit Trust-Point.

Enabling Policy Insights

1. Connect your Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. to the Infinity Portal.

   See To connect from your Security Management Server and Security Gateway objects from SmartConsole to the Infinity Portal for instructions.

2. Note - Policy Insights does not rely on the Log Sharing and Configuration Sharing settings. Instead, it uploads log telemetry data and policy packages, rules, and objects to the Infinity Portal for analysis.

3. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. > Infinity Services view> locate the Policy Insights card:

   1. Toggle the switch to On.

   2. Accept the Terms and Conditions.

   The card status changes from Inactive to Initializing. An Insights button appears in the top-left corner of the Access Control Rule Base All rules configured in a given Security Policy. Synonym: Rulebase..

Notes: During initialization, the system: Uploads policy package information, rules, and network objects to the cloud. Sends telemetry data from Log Servers (including log telemetry). Prepares the cloud environment for analysis. After the activation process, the log analysis may take several hours (up to 48 hours in large environments), so suggestions do not appear immediately. After activation on a new system with no log history, it takes 90 days before high confidence insights become available. To see preliminary insights sooner, in the Policy Insights window, select Show additional low confidence suggestions.

Policy Insights Window

The Policy Insights window includes 3 sections:

• The Suggestions section

  This section provides you with actionable recommendations to optimize your Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. Rule Base. In the Suggestions section, you can:

  • Remove unmatched objects - Unmatched objects are objects in rules that never received matching traffic based on log analysis.

  • Replace existing objects - This feature identifies overly broad objects that can be replaced with more specific alternatives (for example: A network object with only one IP address that receives traffic). Replacing an object with a more specific one reduces attack surface while maintaining legitimate access.

  Filtering Suggestions

  You can filter the suggestions based on these categories:

  • Recommended (the default options) - Suggestions with the highest security impact. The insight’s security impact is calculated according to the proposed change in the rule. This enables Policy Insights to focus on more significant insights and hide those with low impact.

    High-impact insights with a high confidence level are marked in SmartConsole with a Star icon.

    For example: Removing one open port from the rule would result in a low security impact, while replacing “Any” in the source column with a single host IP address shows a high security impact score.

  • All - Valuable suggestions.

  Show additional low confidence suggestions - When you select this checkbox, it shows suggestions with low confidence, in addition to the Recommended and All suggestions. Low confidence suggestions are for new rules, rules that changed recently, or other cases when data is limited. These suggestions are not displayed by default.

  Managing Suggestions

  For each suggestion, you can select one of these options:

  • Apply - Make the suggested change in the Rule Base.

  • Decline - Reject the change. The suggestion is moved to the Declined suggestions section.

  • Decide later - Move the suggestion to the Decide later section. The suggestion remains available for use in the future.

  After you select an option, publish your changes and install policy.

• The Decide later section

  This section includes suggestions which were originally in the suggestions section and which you moved to the Suggestions section.

  To use a suggestion from the Decide later section

  1. Select the required suggestion and click the Move back button.

  2. In the Suggestions section, select the required suggestion and click Apply.

  3. Publish your changes and Install Policy.

• The Declined suggestions section

  This section includes suggestions which were originally in the suggestions section and which you moved to the Suggestions section.

  To use a suggestion from the Declined suggestions section

  1. Select the required suggestion and click the Undo decline button.

  2. In the Suggestions section, select the required suggestion and click Apply.

  3. Publish your changes and Install Policy.

In each category in the Policy Insights window, you can see the latest date on which the presented information is based.

The number in each category represents the number of suggestions for this category.

Next to each suggestion, one of these options appears:

• : Recommended - Suggestions with high security impact and high confidence.

• No icon - Suggestions with security impact but no conclusive confidence due to limited data.

• : Low Confidence - Not enough logs and time to have conclusive confidence. For example, new rules, rules that changed recently, or other cases when data is limited.

To export the information in the Policy Insights window as a CSV file, click the Export to CSV button, at the bottom left corner of the Policy Insights window.

To see suggestions for a specific rule

1. In the Access Control policy, select the required rule.

2. In the bottom pane, click the Insights tab.

3. Click the Open button to open the Policy Insights window.

4. In the Policy Insights window, select the required action.

5. Publish your changes and Install Policy.