NAT Rules Log / Highlight Unused Rules

Reply
L4 Transporter

NAT Rules Log / Highlight Unused Rules

Hi,

I'm doing maintenance and have doubts about a NAT rule.

I have enabled the "Highlight Unused Rules" and this rule seems to be that using currently. But we believe that this is not in use.

How can I see the activity related to a policy NAT?

How can I see that affects this rule?

How can I check the activity NAT using CLI?

Thanks and regards,

bat
L5 Sessionator

Re: NAT Rules Log / Highlight Unused Rules

Hi CoS

You can check the sessions from CLI using the below command:

show session all filter nat-rule <rule-name>

To see what NAT rules are matched for a specific traffic you can also use the test command:

test nat-policy-match <criteria>

L7 Applicator

Re: NAT Rules Log / Highlight Unused Rules

Hello Cos,

It looks the "Highlight unused rule" option is working for Security Policy but not for the NAT policy on my PAN firewall. So, the CLI command mentioned by bat would the right way to determine it.

Thanks

Highlighted
L7 Applicator

Re: NAT Rules Log / Highlight Unused Rules

Hello COS,

Please find below the observed behavior:

I have added new NAT rules. Before commit, if iclick into the "Highlight unused rule", The feature works as expected. However, once commit is done in the PA, it is not highlighted.

There is a BUG open for this:

Bug 65553 - After commit, Highlight Unused Rules does not wroks for NAT rules

Resolved in:PAN OS 6.1.2

Hope this helps.

Thanks

L7 Applicator

Re: NAT Rules Log / Highlight Unused Rules

Thanks for letting us know the bug id and resolution version.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L0 Member

Re: NAT Rules Log / Highlight Unused Rules

Hello COS,

If the rule is been used atleast once, we cannot reset the counter unless a restart is done.

We can however change the name of the existing NAT/Policy rule ( "X" to "X-1"), This will again wait for a new packet to hit the rule, so that the "highlight unused" feature will work.

If it is a Rule constantly getting used(example Dynamic ISP NAT), it will be very hard to use the highlight unused feature.

L3 Networker

Re: NAT Rules Log / Highlight Unused Rules

Also keep in mind that it will only highlight unused rules since the last reboot. But it sounds like the bug maybe causing it.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!