Analyzing the Rule Base Hit Count

The Hit Count feature shows the number of connections that match each ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.. Hit Count is supported in the Access Control, NAT and HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. Rule Bases.

The Hit Count data lets you:

  • Identify and remove unused rules (rules with zero hits).

    Note - A rule with a zero hits means there are no matching connections on Security Gateways with Hit Count enabled. There can still be matching connections on Security Gateways with Hit Count disabled.

  • Analyze and better understand policy behavior.

Hit Count operates independently of logging and tracks hits even if the Track option is set to None.

Note - Hit Count is supported for the Access Control, NAT, and HTTPS Inspection policies. For HTTPS Inspection, Hit Count is supported from R82.10 Security Gateways and above.

Enabling or Disabling Hit Count

Hit Count is enabled by default for all supported Security Gateways. The data collection time frame is also configured globally. You can disable Hit Count for specific Security Gateways if needed.

After you enable or disable Hit Count, install the policy on the applicable Security Gateways for the changes to take effect.

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to Menu > Global properties.

  2. From the navigation tree, select Hit Count.

  3. Configure these options:

  4. Click OK.

  5. Install Policy.

To enable or disable Hit Count on a Security Gateway:

  1. On the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object, from the left navigation tree, select Hit Count.

  2. Select or clear Enable Hit Count to enable or disable it.

  3. Click OK.

  4. Install Policy.

Hit Count Display

To show the Hit Count in the Rule Base:

Right-click the heading row of the Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. and select Hits.

  1. Right-click the rule number.

  2. From the menu, select Hit Count > Display.

    These are the options you can configure for how matched connection data is shown in the Hits column:

    • Value - Shows the number of hits for the rule on the supported Security Gateways. Connection hits are not accumulated in the total Hit Count for:

      • Security Gateways that are not supported

      • Security Gateways with Hit Count disabled

      The values are shown with these letter abbreviations:

      • K = 1,000

      • M = 1,000,000

      • G = 1,000,000,000

      • T = 1,000,000,000,000

      For example, 259K represents 259 thousand connections, and 2M represents 2 million connections.

    • Percentage - Displays the rule’s matched connections as a percentage of the total matched connections. The percentage is rounded to a tenth of a percent.

    • Level - Categorizes rules based on hit volume.

      The Hit Count range = Maximum hit value - Minimum hit value (excluding zero hits)

      Hit Count Level

      Icon

      Range

      Zero

      0 hits

      Low

      Less than 10 percent of the Hit Count range

      Medium

      Between 10 - 70 percent of the Hit Count range

      High

      Between 70 - 90 percent of the Hit Count range

      Very High

      Above 90 percent of the Hit Count range

  1. Right-click the rule number.

  2. From the menu, select Hit Count > Timeframe.

  3. From the menu that opens, select one of these options: All, 1 day, 7 days, 1 month, or 3 months

  1. Right-click the rule number.

  2. Select Hit Count > Refresh.