topic Re: Viewing Unused Address Objects in General Topics

Viewing Unused Address Objects

evan.wathington — Thu, 02 Nov 2017 23:02:26 GMT

Hello fellow engineers!

I'm in the process of a firewall audit in my environment and I've got a lot of address objects configured. I'd like to trim the list down and get rid of addresses that are no longer valid (as in haven't been used in over a year). Is something like this possible?

I saw this link about a Perl Script, but it doesn't seem promising.

Are there any other methods where I could get an accurate view of object usage?

If this has been addressed in a previous thread, please direct me there. I couldn't find anything in my initial search.

Thanks.

—E

Re: Viewing Unused Address Objects

BenLassila — Sat, 04 Nov 2017 15:56:49 GMT

PanOS 7.0 Global Find helps a little https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/management-features/global-find.html I'm guessing you have too many to do that manually. The Firewall Migration Tool has some clean-up functionality https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool I haven't tried yet whether it can also detect junk in a PA policy.

Re: Viewing Unused Address Objects

BPry — Mon, 06 Nov 2017 17:55:58 GMT

You can always simply attempt to delete the objects in question. If they are in use the PA will generate an alerts about it being utilized, and tell you where exactly the object is being used. When I do an object cleanup I usually just delete everything that isn't actively being used, way easier to have to create a few address objects when they are needed again then spending the time to verify they won't be needed going forward.

Re: Viewing Unused Address Objects

evan.wathington — Tue, 07 Nov 2017 00:34:32 GMT

The Migration Tool could be helpful. (I'm not sure if you've used it for migrations before, but it needs a bit of work to be useful). I'll look into that as an option.

Re: Viewing Unused Address Objects

evan.wathington — Tue, 07 Nov 2017 00:39:26 GMT

There are two types of objects that I want to clean up - objects that are not in a policy and objects that are in a policy and are not being utilized over a certain amount of time.

It's tough to gather this data from the Palos because the address objects only exists as objects in the Objects tab. Once they're a part of a session the Palo can't record them as individual objects, but as just a part of a session.

I'm reaching total object limitations and looking to sift through the data to remove as much as possible that's no longer being used.

Thanks for all of the suggestions. I appreciate. it.

—E

Re: Viewing Unused Address Objects

Ayesha — Mon, 02 Aug 2021 14:46:06 GMT

Did you find the solution ?