topic Re: Unused rules in General Topics

Unused rules

jdprovine — Tue, 12 Apr 2016 12:49:23 GMT

Is it possible for a rule to show unused and be passing traffic? I disabled an unused rule and it seemed to affect traffic. I usually check it and it now show in the traffice monitor and it highlighted as unused. I also rebooted the firewall about a month ago.

Re: Unused rules

Raido_Rattameister — Tue, 12 Apr 2016 12:56:17 GMT

No unused rules are rules that have not matched since reboot of the firewall.

To be more specific from reboot of the dataplane.

If something is blocked then you see in traffic log what rule it matched against to figure out what rule blocked traffic.

Re: Unused rules

jdprovine — Tue, 12 Apr 2016 14:48:37 GMT

I don't see anything in the traffic monitor for the rule I disabled, I was wondering if there is anywhere else to double check

Re: Unused rules

jdprovine — Tue, 12 Apr 2016 16:49:18 GMT

I have also found some rules that show used but I cannot find them in the traffic monitor at all. Anyone know of anywhere else to confirm whether rule is being used or not

Re: Unused rules

jdprovine — Tue, 12 Apr 2016 19:31:39 GMT

How can a ruled show used and not be in the traffic monitor?

Re: Unused rules

jdelio — Tue, 12 Apr 2016 20:03:08 GMT

Question:

You can have used rules that do not log, and will never show up in the Traffic Monitor logs. Please ensure that this is not the case first.

Next, you can use a filter like "( rule eq 'rulename' )" without the quotes to search for traffic just for that rule name. OR it can work in reverse if you want to show ALL but a certain rule name with "( rule neq 'rulename' )" where "neq" is NOT equal to.

You can also go into "Monitor > Manage Custom reports and then create a new report, use the traffic summary, and then use the same filter as above in the Query Builder area.

I hope either of these help.

Re: Unused rules

jdprovine — Tue, 12 Apr 2016 20:08:22 GMT

Good suggestions but I already checked to make sure it was set to log - specifically log at sessions end. I have used this filter rule eq rulename and neq filter and it found nothing.

Re: Unused rules

jdprovine — Tue, 12 Apr 2016 20:27:32 GMT

I also tried the custom report and tried several different time frames and found nothing for the used rule that is shadowed by another and looks is showing as used but there is no evidence of it being used or having been used

Re: Unused rules

Raido_Rattameister — Wed, 13 Apr 2016 03:44:02 GMT

From cli command below will show you what is your current retention period for traffic log (how many days worth of log fits into the traffic log database).

show system logdb-quota

With "show system info" you can see uptime of your firewall.

If uptime is longer then retention period then some logs might be overwritten already and that can be reason why rule is used but you don't see it in the log.

Re: Unused rules

jdprovine — Wed, 13 Apr 2016 12:48:08 GMT

Thanks I will take a look at that, so that would be why an unused rule would be showing as used but have no instances in the traffic monitor