highlight unused rules highlights rules possibly used in the past

L0 Member


Hello

I have a query where the highlight unused rules is showing rules as unused, which possibly were used in the past. The security policies were created based on traffic log reports and the same security policies are now showing as unused. I see that the feature says unused since the last reboot, however the device has not been rebooted since the setup, for the past 80 days. I am just trying to justify why these rules are showing up as unused:

1. Currently there is no log for that traffic; it has been purged. The log may have appeared 50 days back, but the firewall has only 30 days' worth of traffic log. Would this clear the counter/flag for that security policy, making it unused again?

2. Would renaming the security policy clear this counter/flag, marking it as unused?

Thanks & Best Regards,

Vikas

L4 Transporter

Re: highlight unused rules highlights rules possibly used in the past

Vikas,

At this time, renaming the rule will give it a new ID in the idmgr. The result of this is that the rule will show up as unused after it has been renamed.

Craig

L5 Sessionator

Re: highlight unused rules highlights rules possibly used in the past

Hello Vikas,

Can you please provide the output of the command below.

>show system info

Regards,

Hari Yadavalli

L4 Transporter

Re: highlight unused rules highlights rules possibly used in the past

Hello Vikas,

If traffic is flowing for a certain security rule, then that rule would be marked as a "used rule".

If there is no more traffic matching a rule and right now it is showing as an "unused rule", then it would stay the same until new traffic matches the rule.

Also, if you change the name of the rule to a new name and there is no traffic passing through or hitting that rule, it would still be unused.

Unused counters would clear if the DP is restarted. If this is to be done, it can be done at Device Tab > Setup > Operations > Restart Dataplane.

Thanks

L5 Sessionator

Re: highlight unused rules highlights rules possibly used in the past

Hi Vikas,

As you mentioned, when the highlight unused rule check is done, it shows the rules unused since the last restart of the device/dataplane. So it does not depend on the traffic logs; if you do not have logs older than 50 days, that should be fine.
This just means that traffic has never hit that rule since the device has been up, in this case 80 days.

Hope this helps.

Regards,

Numan

L5 Sessionator

Re: highlight unused rules highlights rules possibly used in the past

Hi,

For today, the only thing you can do is compare the "popularity" of your rules by creating a custom report based on the traffic log and on both "security rule" and "repeat count".


Hope it helps.

V.
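The "popularity" comparison described above, as an added Python example that is not code from the thread or from Palo Alto Networks: it sums Repeat Count per Security Rule over a constructed, simplified traffic-log CSV (a real PAN-OS export carries many more columns; the three-column layout here is an assumption), then lists the policy rules with no hits inside the retained log window.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Only the columns the report needs are kept;
# the column names and layout are assumed, not the real PAN-OS CSV format.
SAMPLE_LOG = """\
receive_time,rule,repeatcnt
2019/03/01 10:00:01,Allow-DNS,12
2019/03/01 10:00:05,Allow-Web,3
2019/03/02 08:15:00,Allow-DNS,7
2019/03/03 09:00:00,Default-Allow,1
"""

# Constructed policy, listed top to bottom as on the Policies tab.
POLICY_RULES = ["Allow-DNS", "Allow-Web", "Allow-SMTP", "Default-Allow"]


def rule_hits(csv_text):
    """Sum repeatcnt per rule: what a custom report grouped on Security Rule
    with Repeat Count summed would show for the retained log window."""
    hits = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits[row["rule"]] += int(row["repeatcnt"])
    return dict(hits)


def rules_without_hits(policy_rules, hits):
    """Rules with zero hits in the retained logs. This is weaker evidence than
    the firewall's unused-rule flag: a rule hit after the last dataplane restart
    but before the oldest retained log appears here yet is 'used' on the box."""
    return [r for r in policy_rules if hits.get(r, 0) == 0]


if __name__ == "__main__":
    h = rule_hits(SAMPLE_LOG)
    for rule in POLICY_RULES:
        print(f"{rule:15} {h.get(rule, 0):>6}")
    print("no hits in log window:", rules_without_hits(POLICY_RULES, h))
```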

L0 Member

Re: highlight unused rules highlights rules possibly used in the past

Hello

Thanks a lot for your responses. They were indeed very helpful.

I gave it a bit more thought and was able to realize why the rules were showing up as unused.

The new security policies were created based on traffic that was hitting a policy named Default-Allow. They were added above the Default-Allow. Some of these newly created security policies are showing up as unused. For sure some of the traffic patterns that hit the Default-Allow in the past have not been seen again and have therefore not hit the newly created specific rule. Therefore some of these new rules are showing up as unused.

Thanks again & Best Regards,

Vikas

L1 Bithead

Re: highlight unused rules highlights rules possibly used in the past

Hi Vince,

I appreciate your post. Could you help me with details on how you created the custom report "based on the traffic log and on both 'security rule' and 'repeat count'", and which query builders you used for it? Coz from the options available I was not able to create the query based on Rule and hit count as you defined it.


Appreciate your contribution

Dayanand

L2 Linker

Re: highlight unused rules highlights rules possibly used in the past

Hi @VinceM,


Which PAN-OS were you using when building this custom report?
I cannot find "Repeat Count". I can only find "Sessions".


I'm running PAN 7.1.16
