Expedition was conceived to reduce the time and effort a security admin needs to improve and optimize their Palo Alto Networks configurations. Following that effort, we have added support within Expedition not only to run a BPA analysis but also to remediate some of the failed checks (all related to Device Config), and now integration with the IronSkillet project: https://github.com/PaloAltoNetworks/iron-skillet
Sometimes we need to reduce the number of objects to be migrated, or simply want to optimize the configuration, and there is one technique that can help us reduce objects.
In this case we will search the config for any Address-Group with just one member. If any exist, we will replace the Address-Group with its member everywhere it is used. The group may be used as a member of another Address-Group, or as source or destination in any policy.
Search for Address-Groups with one member: go to Objects, open the Address-Group panel, right-click any Address-Group, select Predefined Filter and then select (Predefined) Groups with one Member.
Select the TOOLS tab. From the right panel select SEARCH & REPLACE. Expedition will show you where those Address-Groups are used. Select the Address-Groups and Policies where they are used and click Add to Replace.
Now click the REPLACE tab. For all the selected objects, set the Replace by option to Members and click the Replace All button at the bottom right of the page.
After the action completes, go back to OBJECTS and check whether those Address-Groups are now shown as unused. If so, you can then safely remove them.
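The same replace-by-member check can be run offline against an exported PAN-OS XML configuration to review what would change before deleting anything. This is an added example, not Expedition's own code; it assumes a single vsys scope and static groups only, uses a constructed sample config with invented names, and goes slightly beyond the steps above by following nested single-member groups and dropping members that would become duplicates.

```python
import xml.etree.ElementTree as ET

# Constructed sample in PAN-OS XML layout; object and rule names are invented.
SAMPLE = """<config><devices><entry><vsys><entry name="vsys1">
<address-group>
  <entry name="grp-web"><static><member>host-web1</member></static></entry>
  <entry name="grp-wrap"><static><member>grp-web</member></static></entry>
  <entry name="grp-dmz"><static><member>grp-web</member><member>host-db1</member></static></entry>
</address-group>
<rulebase><security><rules><entry name="allow-web">
  <source><member>any</member></source>
  <destination><member>grp-wrap</member><member>host-web1</member></destination>
</entry></rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

def group_statics(root):
    """Yield (group name, <static> element) for static address groups only."""
    for ag in root.iter("address-group"):
        for entry in ag.findall("entry"):
            static = entry.find("static")
            if static is not None:
                yield entry.get("name"), static

def replace_single_member_groups(root):
    """Swap single-member groups for their member; return groups left unused."""
    single = {n: s.find("member").text for n, s in group_statics(root)
              if len(s.findall("member")) == 1}
    # Places a group can be referenced: other groups, rule source/destination.
    holders = [s for _, s in group_statics(root)]
    for rb in root.iter("rulebase"):
        holders += [e for e in rb.iter() if e.tag in ("source", "destination")]
    for holder in holders:
        seen = set()
        for m in holder.findall("member"):
            target, hops = m.text, set()
            while target in single and target not in hops:  # follow nested groups
                hops.add(target)
                target = single[target]
            if target in seen:
                holder.remove(m)  # member already listed, drop the duplicate
            else:
                seen.add(target)
                m.text = target
    still_used = {m.text for h in holders for m in h.findall("member")}
    return sorted(g for g in single if g not in still_used)

root = ET.fromstring(SAMPLE)
unused = replace_single_member_groups(root)
print("unused after replace:", unused)
```

Only the groups the function returns are candidates for removal; a group that still appears in a rule or in another group after the replace is not in the list.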