Run a rule counter analysis

Each rule has a Hits cell that shows how many times that rule in your policy has matched network traffic. Viewing the rule hits allows you to find rules that are valid but match traffic that the engine never encounters in the network.

This feature complements the rule validation checks, which can find rule design errors. Engines count rule hits automatically for all rules of supported types. The hits are stored as statistical counter data on the Log Servers.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Open the policy for preview or editing, then click the tab for the type of rules that you want to examine.
  3. Select an engine from the Target Engine drop-down list.
    If the drop-down list is not visible, select Tools > Target Engine Selector.
  4. Select Tools > Rule Counters.
  5. From the Period drop-down list, select the period for which you want to check the rule matches.
    • Select one of the existing options.
    • To define a custom period, select Custom.
  6. (Optional) Click Add to add other engines to the Target list.
    Tip: You can run a rule counter analysis on several engines at the same time.
  7. (Optional) To select Management or Log Servers for this operation, or to include archived data, click the Storage tab, then change the selection.
    Make sure that you include the Log Servers and folders that contain data for the target engine and the period you selected.
  8. Click OK to display the rule hits. The Hit information is displayed until you close the view.
    The Hit cell in each rule is filled in with the number of connections that matched the rule during the chosen period.

    If there is no statistical information about the rule with your selected criteria, the Hit cell shows N/A (for example, for rules added after the period analyzed).

Rule Counter Analysis dialog box

Use this dialog box to define the properties of a rule counter analysis that counts the number of rule hits in a policy.

Option
    Definition

General tab

Period
    Select the period for which you want to check the rule matches; either one of the pre-set relative periods or Custom if you want to define the period in detail.
Period Beginning (Custom only)
    Defines the start of the counter analysis period. The times are displayed according to the time zone selected in the Management Client’s status bar.
Period End (Custom only)
    Defines the end of the counter analysis period. The times are displayed according to the time zone selected in the Management Client’s status bar.
Current time (Custom only)
    Changes the end of the period to the current time. The times are displayed according to the time zone selected in the Management Client’s status bar.

Target Engines

Target
    Shows the engines that have been added to the list of target engines for the rule counter analysis.
Add
    Opens the Select Element dialog box.
Remove
    Removes the selected target engine from the list.

Storage tab

Select the Management Servers and Log Servers for this operation, or include archived data.

Make sure that you include the Log Servers and folders that contain data for the target engine and the period you selected.

Default
    The Management Servers and Log Servers are used as the data sources.
Primary archive
    Archived data is used as the data source.
Custom
    A combination of archived data and data provided by the Management and Log Servers is used as the data source.