topic Re: Unused Rules in General Topics

Unused Rules

jdprovine — Tue, 13 Oct 2015 20:04:20 GMT

There is a feature to highlight unused rules. If a rule goes from used to unused does that feature show it as unused and if so how long does it take to show it as unused?

Re: Unused Rules

cpainchaud — Tue, 13 Oct 2015 21:36:23 GMT

a quick search like https://live.paloaltonetworks.com/t5/forums/searchpage/tab/message?filter=labels&q=unused+rules

the first 2 links say that Unused flag is reset when FW is rebooted. I think that answers your question.

Re: Unused Rules

pankaku — Wed, 14 Oct 2015 12:12:10 GMT

The unused rule are the security policy which are not used since last reboot. If a rule is used even once it will be marked as used.

Re: Unused Rules

Raido_Rattameister — Wed, 14 Oct 2015 13:40:20 GMT

To be more specific - this counter is reset when dataplane is restarted not full firewall.

Re: Unused Rules

jdprovine — Wed, 14 Oct 2015 19:54:43 GMT

But if it never is used again will it always show are used? Based I what I read in other posts it will start showing used after the next reboot

Re: Unused Rules

jdprovine — Wed, 14 Oct 2015 19:56:19 GMT

I think it does answer my question. So if a rule that was used at least once but never again, it won't show unsed till the next reboot

Re: Unused Rules

Raido_Rattameister — Thu, 15 Oct 2015 09:54:48 GMT

Firewall (or dataplane) restart will restart counter.

When traffic matches rule at least once after reboot then it shows up as used rule.

When rule has not matched starting from last reboot rule shows up as unmatched rule.

Re: Unused Rules

Brandon_Wertz — Thu, 15 Oct 2015 13:03:13 GMT

Not exactly certain what you're looking for, but you might want to look into a tool called FireMon.

The UI of this tool replicates other product enviornments.

FireMon has the ability to suggest rule combination changes. Not only will it tell you when/last/how often a rule was used. It gives you usage of objects within a specific rule. (Something Palo UI won't do)

FireMon works with ASAs, CheckPoint, Palo...a wide varitey of platforms.

Re: Unused Rules

Brandon_Wertz — Thu, 15 Oct 2015 14:44:19 GMT

Here's what the report looks like:

You can click each count and view specifics for each rule.

Re: Unused Rules

jdprovine — Thu, 14 Apr 2016 13:24:02 GMT

So a rule can go unused and show as used until its rebooted. So that would make sense why I have a rule that shows used since the last time I rebooted the FW on March 15 and no longer appears in the traffic monitor after March 20. That can be a little hard to clean up the firewall since randomly rebooting the firewall is not a very viable option. LOL

Re: Unused Rules

jdprovine — Thu, 14 Apr 2016 14:03:26 GMT

I haved looked at firemon and I love it but the budget here does not love it LOL

Re: Unused Rules

cpainchaud — Thu, 14 Apr 2016 16:02:05 GMT

You may want to look at the very bottom of this article: https://live.paloaltonetworks.com/t5/API-Articles/rules-edit-php-to-manage-edit-export-rules-from-CLI/ta-p/53321