Generating Rule Hit Count Reports for Security and Network Policies

Overview of Rule Hit Count Reports

Cato provides a Predefined Report template that shows how many times traffic matched policy rules during the report period. This helps you identify unused rules that can be removed, and optimize rule configuration to better match the required traffic scope. The hit count for a rule is based on the number of events generated by the rule. If a rule is set to not generate events, the hit count is zero.

You can generate hit count reports for these policies:

  • Internet Firewall
  • WAN Firewall
  • Network Rules

Create the template for a recurring or one-time report with the sites and SDP users that are included in the report over the defined time range. By default, the Predefined Report template for hit count reports shows traffic and data for all sites and SDP users for the past week.

For more about working with reports, see Cato Reports.

Creating a Recurring Hit Count Report

Create a new recurring report by defining the Filters for the items included in the report, as well as the Schedule which defines how often the report is generated - daily, weekly, or monthly. Generated reports are stored in the Cato Cloud, and they can be automatically emailed or downloaded. The Schedule also defines the time range that is covered by each report.

You can select the Mailing List of email addresses for the recipients, which can include Cato Management Application admins and external users.

For more information about Mailing Lists, see Working with Mailing Lists.

To create a recurring hit count report:

  1. From the navigation pane, select Home > Reports.
  2. From the Catalog tab, select the template you want to use to generate the report.
  3. Click Generate > Create Schedule.
  4. Enter a Report Name.
  5. (Optional) In Filters, select specific sites or users for the Predefined Report.

    By default, the Predefined Report includes all sites and users.

    To include multiple sites or users in the report, use the IN operator.

  6. Define when the report will be generated and sent:
    1. Select the Frequency at which the report is automatically sent: Daily, Weekly, or Monthly.
    2. For Weekly and Monthly Scheduled reports, in Every select the day that the report is sent.
  7. In Send to Mailing List, select the Mailing List that receives the report.

    You can click New to create a new mailing list.

  8. Click Save Schedule. The report is added to the Saved Reports tab.

Generating a Recurring Report On Demand

Recurring reports are automatically generated based on their schedule settings. For example, a weekly report configured for Monday is generated every Monday. You can also manually generate a recurring report on demand, in which case the generated report uses the defined time range based on the current day. If an admin manually generates a weekly report on a Tuesday, the time range for the report is the previous 7 days starting from that Tuesday, regardless of the starting day of the recurring report. For more information about the time range of recurring reports, see Cato Reports.

To generate a recurring report on demand:

  1. From the navigation pane, select Home > Reports.
  2. From the Saved Reports tab, find the recurring report and click Generate Now.
  3. From the Generated PDFs tab, find the report and click Download.

Creating a One-Time Hit Count Report

You can create a one-time report based on the Hit Count template. You define the Filters for the items included in the report.

To create a One-Time report:

  1. From the navigation pane, select Home > Reports.
  2. From the Catalog tab, select the template you want to use to generate the report.
  3. Select Generate > Generate Now.
  4. Enter a Report Name.
  5. In Filters, define the Timeframe and Timezone of the report.
  6. Click Generate. The report is generated, and you download it from the Generated PDFs tab.

Understanding the Hit Count Reports

The hit count for a rule is based on the number of events generated by the rule. If a rule is set to not generate events, the hit count is zero.

These are the sections in a hit count report:

  • Top/Least Rules

    • Top Matched Rules - List of the 20 most matched policy rules with the hit count for each rule
    • Least Matched Rules - List of the 20 least matched policy rules with the hit count for each rule
  • Rules Hit Count - Shows the list of all rules in order of priority with the number of events generated for each rule, the rule name, and the timestamp for the most recent generated event
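
The zero-count caveat above matters when the report is used to pick rules for removal: a rule that is set to not generate events shows zero hits whether or not it matches traffic. The following added example (not Cato code and not a Cato export format) triages rows transcribed from the Rules Hit Count section; the CSV columns, the set of rules with event generation turned off, and the thresholds are assumptions.

```python
import csv
import io

# Constructed sample: rows transcribed by hand from the "Rules Hit Count"
# section (priority, rule name, events, most recent event timestamp).
# Column names and values are assumptions, not a Cato export format.
SAMPLE_REPORT = """priority,rule,hits,last_event
1,Block Malicious Categories,1842,2024-05-06T09:14:00Z
2,Allow SaaS Finance,0,
3,Legacy FTP to Vendor,0,
4,Allow Guest WiFi,37,2024-05-05T22:41:00Z
"""

# Hypothetical input: rule names the admin has confirmed, in the policy
# itself, are set to not generate events. The report cannot show this.
EVENTS_DISABLED = {"Allow SaaS Finance"}


def triage(report_csv, events_disabled, window_days,
           min_window_days=30, low_hits=50):
    """Return (priority, rule, hits, verdict) for every row of the report."""
    results = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        hits = int(row["hits"])
        if row["rule"] in events_disabled:
            # Zero means "not measured" here, not "never matched".
            verdict = "not-measured"
        elif hits == 0 and window_days < min_window_days:
            # The default report covers only the past week; traffic that
            # occurs monthly would not appear in it.
            verdict = "recheck-longer-window"
        elif hits == 0:
            verdict = "removal-candidate"
        elif hits < low_hits:
            # Rarely matched: check whether the rule scope is too broad.
            verdict = "review-scope"
        else:
            verdict = "active"
        results.append((int(row["priority"]), row["rule"], hits, verdict))
    return results


if __name__ == "__main__":
    for prio, rule, hits, verdict in triage(SAMPLE_REPORT, EVENTS_DISABLED, 7):
        print(f"{prio:>3}  {rule:<28} {hits:>6}  {verdict}")
```
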

3 comments

  • Comment author
    Yamin Azim

    How to reset the hit-count counters?

  • Comment author
    Richard Amery

    Ditto, as the counters should have a setting that we could configure say last 30 days etc.

  • Comment author
    Yaakov Simon

    Yamin Azim and Richard Amery, thanks for the comment! I checked with the relevant PM and resetting the hit-counters is a planned enhancement for this feature. You can also submit an RFE