https://live.paloaltonetworks.com/t5/panorama-discussions/filtering-panorama-policies-by-modified-date/m-p/561591#M1928 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217087">@Mike_VanHaaften</a>&nbsp;</P> <P>You may check if a rule is disabled using below API call:</P> <P>&nbsp;</P> <LI-CODE lang="markup">https://{{host}}/api/?key={{key}}&amp;type=config&amp;action=show&amp;xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='{{rulename}}']</LI-CODE> <P>&nbsp;</P> <P>The response will have the 'disabled' element set if the rule is disabled.</P> <P>Here is a sample output:</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;action&gt;allow&lt;/action&gt; &lt;disabled&gt;yes&lt;/disabled&gt; &lt;/entry&gt; &lt;/result&gt; &lt;/response&gt;</LI-CODE> <P>&nbsp;</P> <P>I am not sure if you will be able to get the rule 'modified' details, this information is obtained from the config audit logs.</P> <P>&nbsp;</P> Fri, 13 Oct 2023 07:53:22 GMT akuzhuppilly 2023-10-13T07:53:22Z https://live.paloaltonetworks.com/t5/panorama-discussions/filtering-panorama-policies-by-modified-date/m-p/560858#M1906 <P>I'm trying to do some auditing of firewall policies.&nbsp; The organization that I'm working with is wanting an automated way to identify rules that have been disabled for 6 months so they can go in and delete them.&nbsp; The thought I had was to look at the modified date and disabled status to identify the rules - I have seen suggestions about adding this data into the description or a tag, but I'm wanting to make this as light of a lift on the org as possible.&nbsp;</P> <P>&nbsp;</P> <P>I can make such a filter in the policy optimizer -&nbsp;(rule-modification-timestamp leq '2023-04-06 10:12:32') and (disabled eq 'yes') - , but that rule will not function in the - Security Post rules - section.</P> <P>&nbsp;</P> <P>I do not see the ability to look at that data with a custom report - because it is only intended to parse through logs not configs.&nbsp; I have parsed through the Security Post rules section in the api for other auditing and I don't see the Modified date in the XML output.&nbsp; Nor do I see the ability to hit the policy optimizer via the API.&nbsp; Since I want to automatically notify them on a schedule to these issues the API has been where I have historically gone to conduct audits.</P> <P>&nbsp;</P> <P>Hoping someone can point me in the right direction to either run a query in the policy optimizer from the api or point me to where I can find the modified date in the api.</P> Fri, 06 Oct 2023 17:55:11 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/filtering-panorama-policies-by-modified-date/m-p/560858#M1906 Mike_VanHaaften 2023-10-06T17:55:11Z https://live.paloaltonetworks.com/t5/panorama-discussions/filtering-panorama-policies-by-modified-date/m-p/561591#M1928 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/217087">@Mike_VanHaaften</a>&nbsp;</P> <P>You may check if a rule is disabled using below API call:</P> <P>&nbsp;</P> <LI-CODE lang="markup">https://{{host}}/api/?key={{key}}&amp;type=config&amp;action=show&amp;xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='{{rulename}}']</LI-CODE> <P>&nbsp;</P> <P>The response will have the 'disabled' element set if the rule is disabled.</P> <P>Here is a sample output:</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;action&gt;allow&lt;/action&gt; &lt;disabled&gt;yes&lt;/disabled&gt; &lt;/entry&gt; &lt;/result&gt; &lt;/response&gt;</LI-CODE> <P>&nbsp;</P> <P>I am not sure if you will be able to get the rule 'modified' details, this information is obtained from the config audit logs.</P> <P>&nbsp;</P> Fri, 13 Oct 2023 07:53:22 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/filtering-panorama-policies-by-modified-date/m-p/561591#M1928 akuzhuppilly 2023-10-13T07:53:22Z