https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/202011#M59642 <P>I assume there is no report to list address objects that have not been used</P><P>&nbsp;</P><P>Ones that may or may not be in rules, relate to long dead or incorrectly entered endpoints,&nbsp;that have not generated any traffic.</P><P>&nbsp;</P><P>I have seen the "Shared_dup_and_unused... script, but don't think that gives me the desired result.</P><P>&nbsp;</P><P>Unless someone has something already, I think it's a new script to parse the traffic logs.</P><P>&nbsp;</P><P>Cheers</P><P>&nbsp;</P><P>Rob</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 23 Feb 2018 15:15:51 GMT RobinClayton 2018-02-23T15:15:51Z https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/202011#M59642 <P>I assume there is no report to list address objects that have not been used</P><P>&nbsp;</P><P>Ones that may or may not be in rules, relate to long dead or incorrectly entered endpoints,&nbsp;that have not generated any traffic.</P><P>&nbsp;</P><P>I have seen the "Shared_dup_and_unused... script, but don't think that gives me the desired result.</P><P>&nbsp;</P><P>Unless someone has something already, I think it's a new script to parse the traffic logs.</P><P>&nbsp;</P><P>Cheers</P><P>&nbsp;</P><P>Rob</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 23 Feb 2018 15:15:51 GMT https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/202011#M59642 RobinClayton 2018-02-23T15:15:51Z https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/202151#M59667 <P>Correct, no current feature.&nbsp; Do contact your sales engineer and vote for FR 3159.</P><P>PAN maintains an internal database of customer "Feature Requests" and each is assigned an ID number.</P><P>Companies can add the "vote" for specific requests via your sales engineer.</P><P>&nbsp;</P><P>Highlight Unused Objects</P><P>FR&nbsp; 3159</P><P>&nbsp;</P> Sat, 24 Feb 2018 18:59:27 GMT https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/202151#M59667 pulukas 2018-02-24T18:59:27Z https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/202180#M59670 <P>You can use the PANW Migration Tool;</P><P><A href="https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/MigrationTool-3-3-Info-and-Guide/ta-p/72559" target="_blank">https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/MigrationTool-3-3-Info-and-Guide/ta-p/72559</A></P><P>&nbsp;</P><P>Load a runnign config of your firewall(s) into that, and it has a section down the bottom of the 'Objects' tab to&nbsp;show/remove unused address objects</P> Mon, 26 Feb 2018 01:55:05 GMT https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/202180#M59670 Retired Member 2018-02-26T01:55:05Z https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/202227#M59675 <P>It's a while sice I have used the PAN migration tool, but I don't think it will do what I want.</P><P>&nbsp;</P><P>The need is to find objects that may or may not be in a rule (not just ones that are not used in any rule) which have had no traffic logged from them.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>As for logging it with our sales, I doubt they would ever pass it on and&nbsp;I doubt we will use them again!</P><P>&nbsp;</P><P>Rob</P> Mon, 26 Feb 2018 09:16:39 GMT https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/202227#M59675 RobinClayton 2018-02-26T09:16:39Z https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/203387#M59923 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71756">@RobinClayton</a></P><P>&nbsp;</P><P>As for a lot of topics without solution, the solution is the XML API.</P><P>If you really need something like that to check for used objects, you can write a script for doing exactly that:</P><OL><LI>Parse the ruleset for all the objects used</LI><LI>Lookup these objects in the configuration to get the ip address/subnet/IP range</LI><LI>Use the information from point 2 to query the logs for each object/address one by one and exclude the drop all policy in your query</LI></OL><P>Obviously depending on the size of the ruleset and the amount of objects this script can easily run for hours, but at the end you could have your custom object usage report.</P><P>&nbsp;</P><P>Or use something like Tufin, to do this job. But even if you are not familiar with scripting, doing it by yourself is probably less expensive (unless you have other things wher Tufin would help you that are also time consuming)</P> Sat, 03 Mar 2018 08:47:26 GMT https://live.paloaltonetworks.com/t5/general-topics/impossible-list-unused-addres-objects/m-p/203387#M59923 Remo 2018-03-03T08:47:26Z