topic Unused rules showing used in General Topics

Unused rules showing used

jdprovine — Tue, 14 Mar 2017 16:00:23 GMT

I just upgraded and rebooted my firewall. When I choose to highlight unused rules it is showing rules that I can not find any traffic for in the traffic monitor as used. I thought the reboot would reset everything but I have no idea why a rule that appears to be unused is showing used - any ideas?

Re: Unused rules showing used

BPry — Tue, 14 Mar 2017 19:20:50 GMT

It isn't a rule required by a following rule is it. For example when traffic originally gets mated to an 'SSL' rule and only then switches over to say 'bittorrent' or something like that?

Re: Unused rules showing used

jdprovine — Tue, 14 Mar 2017 19:22:14 GMT

I am not sure what you mean by required by a following rule, I thought rules either passed the traffic or didn't

Re: Unused rules showing used

BPry — Wed, 15 Mar 2017 13:27:45 GMT

Some applications do not get identified right away, or an admin has reasons to split the rule up into a few different pieces instead of enabling all the required applications in one rule. In this case you could have traffic need to hit something like your 'ssl' rule before the app is identified and it switches over to say your 'skype' or 'bittorrent' rule.

Re: Unused rules showing used

jdprovine — Wed, 15 Mar 2017 13:38:26 GMT

I don't really follow that explaination, all I know is that I have rule that is set up to be used for smtp traffic and even after I rebooted the firewall it is showing as used but not showing any traffic passing through it on the traffic monitor even now

Re: Unused rules showing used

pulukas — Sun, 02 Apr 2017 12:22:43 GMT

Can you confirm that the rule in question has the log action turned on in the action tab?

The unused rules function is a simple flag, as soon as the rule processes any match the flag will turn off and the rule shows as having been used since the reboot.

Logging is a choice on a per policy basis for session start, session end or both.

If logging is at session end, and the application involved keeps the session open for hours or days then there will be not log. But with your case this is not likely.

So when doing this type of testing we sometimes add log at session start to be sure to see the log as soon as possible in the logs.

so if your rule is showing used and your rule is configured to log and you see no logs this would be an possible bug to take up with a support ticket.

Re: Unused rules showing used

jdprovine — Mon, 03 Apr 2017 13:06:51 GMT

Yes it is set to log at session end and it also has a security profile attached to it. I have rebooted the firewall it show unused before the reboot and unused after the reboot. I tried changing the names a couple times and I have scoured the logs for any evidence of use.

Re: Unused rules showing used

jdprovine — Mon, 03 Apr 2017 13:10:06 GMT

My rule is showing unused and has shown unused for several months even after a reboot. I guess it is possible that it really is unused I just want confirmation before disabling it

Re: Unused rules showing used

bradk14 — Mon, 03 Apr 2017 14:03:27 GMT

depending on how specific (or generic) your rule is, have you tried the test security-policy-match command to see which rule your traffic expected based on the policy is actually hitting? it may be shadowed, tho it should report that as a warning when committing.

Re: Unused rules showing used

jdprovine — Mon, 03 Apr 2017 14:15:32 GMT

So I would run this on the command line test security-policy-match name of policy?

Re: Unused rules showing used

jdprovine — Mon, 03 Apr 2017 14:47:54 GMT

well appears I looked at the rule when I was checking for log at session end, but I did find the rule that was showing used but nothing in the log to have that issues 😛 Thanks LOL