topic Re: How to quickly find (and remove) unused objects in policy ? in Automation/API Discussions

How to quickly find (and remove) unused objects in policy ?

niuk — Fri, 07 Sep 2018 19:56:22 GMT

Is there a way to quickly find (and remove) unused objects in policy ? I mean like address or service objects

Re: How to quickly find (and remove) unused objects in policy ?

rhagen — Sat, 08 Sep 2018 18:29:02 GMT

The easiest way to do this is to utilize the Expedition tool to identify resources that are unused and delete them.

https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool

Expedition is a free tool made available by Palo Alto Network to assist with firewall migrations and optimization.

Re: How to quickly find (and remove) unused objects in policy ?

niuk — Mon, 10 Sep 2018 15:24:02 GMT

But with mirgation tool, I can't remove objects in place ? Or is it possible to import objects to Migration tool, and remove unused dirrectly from Migration tool ?

Re: How to quickly find (and remove) unused objects in policy ?

TomYoung — Wed, 12 Apr 2023 20:25:15 GMT

Expedition can make changes directly on the firewall. It has been a while since I have done it, but I believe you add the device under Devices and make the changes under your project > Export > API Output Manager. You should know the difference between Atomic and SubAtomic changes.

You could also use "show | match <object-name>" in configuration mode (set format) and see where it is used in the configuration. If the only line is the address object, it is not used.

You could also delete the object. If it is used, you will get an error right away. If not, the delete will be accepted in the candidate configuration. UPDATE: I saw this on Reddit, and it works. Select all the objects. (This may not be quick depending upon the number of objects.) Select Delete and Yes. All unused objects are deleted. All used objects produce an error and are kept. Use Device > Config Audit to see which objects were deleted.

Once Expedition is setup, that is the quickest and easiest.

Re: How to quickly find (and remove) unused objects in policy ?

mmccorkle5 — Wed, 21 Dec 2022 15:36:50 GMT

In case anyone is stumbling upon this thread in 2022... the suggested method above doesn't seem to work effectively or consistently. Running 9.1.x and our Panorama seems to stop checking after it reaches X errors or objects. I had to go back and select chunks of around 75 or less for it to effectively get rid of unused objects. This is rough when you have 4000+ objects...

Is Palo is ever going to give us a feature to simply remove unused objects in bulk without having to use Expedition?

Re: How to quickly find (and remove) unused objects in policy ?

JimmyHolland — Mon, 09 Jan 2023 15:02:15 GMT

There are a few options. You can talk to your Palo representatives about progressing feature request ID 3159 to have something in the GUI. Expedition is also an option. For automated solutions, you could use the API or one of the SDKs, in fact pan-os-php has some dedicated advice on this topic: https://github.com/PaloAltoNetworks/pan-os-php/wiki/unused-objects, but you could use Python or Go which also have SDKs. It just depends on your preferred approach. Hope that helps

Re: How to quickly find (and remove) unused objects in policy ?

TomYoung — Thu, 13 Feb 2025 18:00:01 GMT

Hi everyone!

SCM now has this feature. https://docs.paloaltonetworks.com/strata-cloud-manager/getting-started/security-posture/config-cleanup

I do not use SCM currently.

This is probably obvious to most, but I just realize this recently. You can use the Global Find drop down for any object. If it is only used once in the configuration for the object itself, then it is unused.

Thanks,

Tom