topic Show hit count in CLI in General Topics

Show hit count in CLI

hrvoje_samec — Tue, 24 Nov 2015 13:26:52 GMT

I was searching this forum and official documentation, but I can't find the following:

Is there equivalent to Cisco ASA "show access-list acl_name" command in the PAN-OS CLI. I am looking for the command that will show hit count for every configured security rule. Also if the object groups are used either in source or destination address it would be great if this command would show exact IP address that have hit count. Some thing like this:

access-list outside_in line 1 extended permit tcp any host 192.168.1.1 eq www (hitcnt=2176) 0x9e62d266
access-list outside_in line 2 extended permit tcp object-group PUBLIC_IPs host 192.168.1.2 eq smtp 0xd1a0241c
access-list outside_in line 2 extended permit tcp 1.2.3.0 255.255.255.192 host 192.168.1.2 eq smtp (hitcnt=5421) 0x13f4d6dc
access-list outside_in line 2 extended permit tcp 2.3.4.0 255.255.255.224 host 192.168.1.2 eq smtp (hitcnt=0) 0x9366dd12
access-list outside_in line 3 extended permit tcp any host 192.168.1.3 eq https (hitcnt=8957) 0x83457acc

All that I have found is this command that can show unused rules:
show running rule-use rule-base security type unused vsys vsys1

Re: Show hit count in CLI

pulukas — Tue, 24 Nov 2015 23:29:00 GMT

You cannot find this because the feature does not exist. PAN does not at this time track hit count at all. The unused rule feature is not hit count but simply a flag that is triggered when a rule is first used after reboot. As long as the rule was used at least once the rule will be removed from the unused rule list.

I am pretty sure hit counters are an existing feature request in the PAN database. If you contact your sales engineer you can get your companies vote for the feature request recorded.

Re: Show hit count in CLI

gtomte — Wed, 25 Nov 2015 06:39:14 GMT

Hi there.

This is doable with custom reports, and has been for a long time. If you want to specify one specific source IP, you can do this with the query builder. See pictures. With 7.0 this is actually now visible in the ACC

Re: Show hit count in CLI

pulukas — Wed, 25 Nov 2015 13:14:06 GMT

This is a nice work around but this is not a hit counter and not a CLI option as requested.

This custom report is looking a logged sessions over the report time period and further reporting by your filter choices.

The desired function is a BY RULE hit counter. Traffic hits the rule a counter is incremented and this continues until the cournter is reset manually or the firewall rebooted.

We typically use this during active live troubleshooting sessions to reset the counter and confirm traffic generated is live hitting the expected rule. Or to reset the counters after we think no more traffic should hit a rule and turn at a later time and confirm there is no increment of the counter.

The function is not yet implemented in PAN.

Re: Show hit count in CLI

jvalentine — Wed, 25 Nov 2015 14:54:59 GMT

If you require a by-rule hit counter, please contact your Palo Alto Networks SE and vote for that feature request.

Aside from the custom report suggestion, I have one from the CLI as well. This doesn't necessarily "count" the rules, but it may be enough to confirm if traffic is hitting the expected rule or answer the question "when was the last time this rule was hit".

admin@pa0(active)> show log traffic direction equal backward rule equal 'deny any to dbl'

Time App From Src Port Source
Rule Action To Dst Port Destination
Src User Dst User End Reason
====================================================================================================
2015/11/25 07:31:24 not-applicable trust 58750 10.1.1.10
deny any to dbl deny untrust 80 46.21.151.38
policy-deny
2015/11/25 07:31:23 not-applicable trust 58749 10.1.1.10
deny any to dbl deny untrust 80 46.21.151.38
policy-deny
2015/11/25 07:31:21 not-applicable trust 58748 10.1.1.10
deny any to dbl deny untrust 80 46.21.151.38

Re: Show hit count in CLI

hrvoje_samec — Wed, 25 Nov 2015 16:18:18 GMT

thanks for answer. We will certainly send our vote for this feature

Re: Show hit count in CLI

seleftherakis — Mon, 30 Nov 2015 16:18:47 GMT

Hello,
you could also run this for live sessions on a per-policy basis:
>show session all filter rule Rule_Name count yes (state active)

Re: Show hit count in CLI

ChrisHuang — Tue, 03 Mar 2020 14:31:08 GMT

For PAN-OS version 9.x, the hit counter is available via CLI using ---

show rule-hit-count vsys vsys-name vsys1 rule-base security rules all | match " 0 "

Re: Show hit count in CLI

Retired Member — Tue, 03 Mar 2020 14:58:19 GMT

Gosh darnit Chris...What are you doing browsing 5 year old threads?

Re: Show hit count in CLI

MP18 — Mon, 05 Feb 2024 16:25:08 GMT

@ChrisHuang Yes this command works on PAN OS 10.1 and above also

show rule-hit-count vsys vsys-name vsys1 rule-base security rules all | match " 0 "
NetGear_Adobe 0 - - - Fri Jul 28 23:20:20 2023 Fri Sep 29 18:21:48 2023
NetGear_Goto_Meeting 0 - - - Fri Jul 28 23:20:20 2023 Fri Sep 29 18:21:48 2023
TPLink_Zoom 0 - - - Thu Dec 7 10:04:11 2023 Thu Dec 7 10:04:11 2023