Getting totals for triggering cOS Core IP rule set entries

Last modified on 16 Mar, 2023. Revision 10
Up to date for
cOS Core 14.00.09
InControl 3.15.00
Supported since
cOS Core 9.xx
InControl 3.15.00
Status OK
Author
Peter Nilsson


Introduction

When administering a NetWall firewall over a period of time, there can often be a natural accumulation of entries in IP rule sets and it can become difficult to know which entries are actually being used. There are two methods for retrieving this information from the firewall. One method uses InControl and the other uses the cOS Core CLI. Both are described in detail below.

Method 1 - Using the “Rules Monitoring” option in the InControl client

The first method is to use an option in InControl (version 3.15.00 and later) which is called “Rules Monitoring”. The location of this option in the client interface is under the Monitoring sub-menu in the context menu displayed in the Firewalls tab for each firewall. This is shown in the screenshot below (the option can also be accessed using the toolbar ribbon at the top).

Selecting this option causes InControl to connect to the target firewall (or firewall node, if a cluster) and extract data on how many times rule set entries have triggered since the last system start-up. The screenshot below shows an example of the output.

In the above output, the administrator can choose to sort on any of the columns. Probably the most useful column to sort on is the Hits column, so that the entries with the fewest hits are placed at the bottom.

There are several points worth mentioning regarding this output:

Method 2 - Using the “rules” CLI command

The second method is to use the cOS Core CLI with the command:

rules -verbose

By default, this will only list the entries for the <main> IP rule set. If more than one rule set exists, the following command can be used to get similar output for a specific named rule set.

rules -verbose -type=IP -ruleset=<my-rule-set-name>

There are several things worth mentioning regarding the output from the rules command:

Q & A

Is it safe to remove an IP rule set entry with zero hits?

This will be a decision for the administrator. The longer the uptime of the unit, the better the data is, so if a rule has zero hits and the firewall has 100+ days of uptime, it seems fairly safe to conclude that this rule is no longer triggering, or is perhaps configured in such a way that it is not functioning. If unsure, the first step would be to disable the rule and, if there are no user complaints or other issues for some time, then delete it.

Tip: Before disabling an IP rule set entry, make a comment in the entry’s comment field of the date when it was disabled.

The IP rule set entry has zero hits when many were expected, what is wrong?

The most likely causes of such a problem would be:

A Stateless Policy that was created some time ago has an enormous amount of hits compared to other entries, is this a potential problem?

A stateless rule set entry (as the name implies) does not create an internal state in cOS Core (in other words, no connection is created in the state engine). This means that for stateless entries (including FwdFast IP rules) every packet in the relevant traffic can trigger a matching rule set entry. So instead of one hit per connection attempt, it would be one hit per PACKET. This is expected and is the way stateless rule set entries should work. However, it is recommended to avoid using stateless rule set entries as much as possible, since they demand greater firewall resources, which could impact performance.


