https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6527#M4765 <HTML><HEAD></HEAD><BODY><P>Hello COS,</P><P></P><P>If the rule is been used atleast once, we cannot reset the counter unless a restart is done.</P><P>We can however change the name of the existing NAT/Policy rule ( "X" to "X-1"), This will again wait for a new packet to hit the rule, so that the "highlight unused" feature will work.</P><P>If it is a Rule constantly getting used(example Dynamic ISP NAT), it will be very hard to use the highlight unused feature. </P></BODY></HTML> Tue, 24 Feb 2015 13:54:14 GMT RajeshB 2015-02-24T13:54:14Z https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6522#M4760 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I'm doing maintenance and have doubts about a NAT rule.</P><P>I have enabled the "Highlight Unused Rules" and this rule seems to be that using currently. But we believe that this is not in use.</P><P>How can I see the activity related to a policy NAT?</P><P>How can I see that affects this rule?</P><P>How can I check the activity NAT using CLI?</P><P></P><P>Thanks and regards,</P></BODY></HTML> Mon, 23 Feb 2015 19:11:33 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6522#M4760 SOC_CSG 2015-02-23T19:11:33Z https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6523#M4761 <HTML><HEAD></HEAD><BODY><P>Hi CoS</P><P></P><P>You can check the sessions from CLI using the below command:</P><P>show session all filter nat-rule &lt;rule-name&gt;</P><P></P><P>To see what NAT rules are matched for a specific traffic you can also use the test command:</P><P>test nat-policy-match &lt;criteria&gt;</P></BODY></HTML> Mon, 23 Feb 2015 21:31:09 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6523#M4761 bat 2015-02-23T21:31:09Z https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6524#M4762 <HTML><HEAD></HEAD><BODY><P>Hello Cos,</P><P></P><P>It looks the "Highlight unused rule" option is working for Security Policy but not for the NAT policy on my PAN firewall. So, the CLI command mentioned by <STRONG style="font-size: 11.6999998092651px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1246" data-externalid="" data-presence="null" data-userid="28201" data-username="bat" href="https://live.paloaltonetworks.com/people/bat" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;">bat</A></STRONG> would the right way to determine it. </P><P></P><P>Thanks</P></BODY></HTML> Mon, 23 Feb 2015 22:19:02 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6524#M4762 HULK 2015-02-23T22:19:02Z https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6525#M4763 <HTML><HEAD></HEAD><BODY><P>Hello COS,</P><P></P><P>Please find below the observed behavior:</P><P></P><P>I have added new NAT rules. Before commit, if iclick into the <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px;">"Highlight unused rule",</SPAN> The feature works as expected. However, once commit is done in the PA, it is not highlighted.</P><P></P><P>There is a BUG open for this: </P><P></P><P><STRONG>Bug 65553 - After commit, Highlight Unused Rules does not wroks for NAT rules</STRONG></P><P>Resolved in:<STRONG>PAN OS 6.1.2</STRONG></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 23 Feb 2015 22:28:36 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6525#M4763 HULK 2015-02-23T22:28:36Z https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6526#M4764 <HTML><HEAD></HEAD><BODY><P>Thanks for letting us know the bug id and resolution version.</P></BODY></HTML> Tue, 24 Feb 2015 00:31:04 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6526#M4764 pulukas 2015-02-24T00:31:04Z https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6527#M4765 <HTML><HEAD></HEAD><BODY><P>Hello COS,</P><P></P><P>If the rule is been used atleast once, we cannot reset the counter unless a restart is done.</P><P>We can however change the name of the existing NAT/Policy rule ( "X" to "X-1"), This will again wait for a new packet to hit the rule, so that the "highlight unused" feature will work.</P><P>If it is a Rule constantly getting used(example Dynamic ISP NAT), it will be very hard to use the highlight unused feature. </P></BODY></HTML> Tue, 24 Feb 2015 13:54:14 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6527#M4765 RajeshB 2015-02-24T13:54:14Z https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6528#M4766 <HTML><HEAD></HEAD><BODY><P>Also keep in mind that it will only highlight unused rules since the last reboot. But it sounds like the bug maybe causing it.</P></BODY></HTML> Tue, 24 Feb 2015 23:13:05 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-rules-log-highlight-unused-rules/m-p/6528#M4766 oklier 2015-02-24T23:13:05Z