https://live.paloaltonetworks.com/t5/general-topics/cleaning-obsolete-firewall-rules/m-p/4011#M2963 <HTML><HEAD></HEAD><BODY><P>Hello,You should wait for some time after migration to allow firewall analyze ununsed rules.</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>The show unused rules are tied to the Monitor Logs</STRONG></SPAN>, so if you are not having good history of logs, then all the rules will be marked as unused rules.</P><P>I believe that is why you see inconsistent results.</P><P></P><P>FYI only</P><P>Below is command to pull a list</P><P>&gt;show running rule-use rule-base security type un<SPAN style="font-size: 10pt; line-height: 1.5em;">used vsys vsys1</SPAN></P><P></P><P>Hope this helps!</P><P></P><P><EM>Please mark it as correct answer or helpful if appropriate.</EM></P></BODY></HTML> Mon, 07 Oct 2013 22:33:39 GMT ukhapre 2013-10-07T22:33:39Z https://live.paloaltonetworks.com/t5/general-topics/cleaning-obsolete-firewall-rules/m-p/4010#M2962 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>We have recently migrated from Juniper to Palo Alto firewall and there are numerous firewall rules that are obsolete and potentially a security risk to me. I tried to use "highlight unused rules" button but it does not seem consistent to me. Are the highlighted rules unused since the firewalls start running or simply not currently used at the moment now? (There is a big difference between the two).</P><P></P><P>Thanks a lot!!</P></BODY></HTML> Mon, 07 Oct 2013 21:34:04 GMT https://live.paloaltonetworks.com/t5/general-topics/cleaning-obsolete-firewall-rules/m-p/4010#M2962 peterpan13888 2013-10-07T21:34:04Z https://live.paloaltonetworks.com/t5/general-topics/cleaning-obsolete-firewall-rules/m-p/4011#M2963 <HTML><HEAD></HEAD><BODY><P>Hello,You should wait for some time after migration to allow firewall analyze ununsed rules.</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>The show unused rules are tied to the Monitor Logs</STRONG></SPAN>, so if you are not having good history of logs, then all the rules will be marked as unused rules.</P><P>I believe that is why you see inconsistent results.</P><P></P><P>FYI only</P><P>Below is command to pull a list</P><P>&gt;show running rule-use rule-base security type un<SPAN style="font-size: 10pt; line-height: 1.5em;">used vsys vsys1</SPAN></P><P></P><P>Hope this helps!</P><P></P><P><EM>Please mark it as correct answer or helpful if appropriate.</EM></P></BODY></HTML> Mon, 07 Oct 2013 22:33:39 GMT https://live.paloaltonetworks.com/t5/general-topics/cleaning-obsolete-firewall-rules/m-p/4011#M2963 ukhapre 2013-10-07T22:33:39Z https://live.paloaltonetworks.com/t5/general-topics/cleaning-obsolete-firewall-rules/m-p/4012#M2964 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> "highlight unused rules" shows the rules that are not used by the device since the start of the dataplane. </SPAN></P></BODY></HTML> Tue, 08 Oct 2013 21:35:33 GMT https://live.paloaltonetworks.com/t5/general-topics/cleaning-obsolete-firewall-rules/m-p/4012#M2964 zarina 2013-10-08T21:35:33Z https://live.paloaltonetworks.com/t5/general-topics/cleaning-obsolete-firewall-rules/m-p/4013#M2965 <HTML><HEAD></HEAD><BODY><P>Thanks the replies. It is crystal clear to me know.</P></BODY></HTML> Thu, 10 Oct 2013 14:21:44 GMT https://live.paloaltonetworks.com/t5/general-topics/cleaning-obsolete-firewall-rules/m-p/4013#M2965 peterpan13888 2013-10-10T14:21:44Z