https://live.paloaltonetworks.com/t5/general-topics/rule-counters-on-ha-pair-with-transfered-sessions/m-p/205808#M60408 <P>Let us say you have a firewall pair configured and rules configured and one day you fail them over - or they fail over. The primary is rebooted. When the primary comes back up all sessions are transferred back and everything is fine. Except, as I understand it, the only time rule counters are reset is after a reboot (or the backplane is restarted). So if those sessions are never again dropped, and thus never hit the rule allowing them again, that rule may appear as unused.</P><P>&nbsp;</P><P>Is this correct and, if so, is there a way to resovle it for a rule-base review - to know which rules are really not being used and avoid disabling "unused rules" that are really just maintaining their sessions between failovers?</P> Thu, 15 Mar 2018 23:57:39 GMT Knobdy 2018-03-15T23:57:39Z https://live.paloaltonetworks.com/t5/general-topics/rule-counters-on-ha-pair-with-transfered-sessions/m-p/205808#M60408 <P>Let us say you have a firewall pair configured and rules configured and one day you fail them over - or they fail over. The primary is rebooted. When the primary comes back up all sessions are transferred back and everything is fine. Except, as I understand it, the only time rule counters are reset is after a reboot (or the backplane is restarted). So if those sessions are never again dropped, and thus never hit the rule allowing them again, that rule may appear as unused.</P><P>&nbsp;</P><P>Is this correct and, if so, is there a way to resovle it for a rule-base review - to know which rules are really not being used and avoid disabling "unused rules" that are really just maintaining their sessions between failovers?</P> Thu, 15 Mar 2018 23:57:39 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-counters-on-ha-pair-with-transfered-sessions/m-p/205808#M60408 Knobdy 2018-03-15T23:57:39Z https://live.paloaltonetworks.com/t5/general-topics/rule-counters-on-ha-pair-with-transfered-sessions/m-p/205993#M60473 <P>What you really want is a new feature in PAN-OS 8.1, but I wouldn't recommend installing it quite yet.</P><P>&nbsp;</P><P><A href="https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/management-features/rule-usage-tracking" target="_blank">https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/management-features/rule-usage-tracking</A></P><P>&nbsp;</P> Fri, 16 Mar 2018 16:09:41 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-counters-on-ha-pair-with-transfered-sessions/m-p/205993#M60473 mlinsemier 2018-03-16T16:09:41Z https://live.paloaltonetworks.com/t5/general-topics/rule-counters-on-ha-pair-with-transfered-sessions/m-p/205994#M60474 So I’m correct...that’s not good. Fri, 16 Mar 2018 16:12:32 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-counters-on-ha-pair-with-transfered-sessions/m-p/205994#M60474 Knobdy 2018-03-16T16:12:32Z https://live.paloaltonetworks.com/t5/general-topics/rule-counters-on-ha-pair-with-transfered-sessions/m-p/205997#M60476 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85039">@Knobdy</a>,</P><P>You are indeed correct. Once a PAN reboots, the counters are reset to 0 regardless of current sessions on the other HA unit. I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7143">@mlinsemier</a>, wait on 8.1 for a while till they work out some bugs.</P><P>&nbsp;</P><P>Regards,</P> Fri, 16 Mar 2018 16:17:42 GMT https://live.paloaltonetworks.com/t5/general-topics/rule-counters-on-ha-pair-with-transfered-sessions/m-p/205997#M60476 OtakarKlier 2018-03-16T16:17:42Z