How to Identify Unused Policies on a Palo Alto Networks Device

This document describes how to identify the unused security policies on a Palo Alto Networks device.

• PAN-OS 7.1 and above.
• Palo Alto Firewall.

To view the unused rules on the Web UI:

1. Navigate to Policies > Security
2. Check Highlight Unused Rules at the bottom of the page

• Any rules not used since the dataplane started up will be highlighted.
• The counters for unused rules are initialized when the dataplane boots, and they are cleared anytime the dataplane restarts.

To verify if these rules have been used, look at a pre-defined report called Security Policies. This report will show the rule, bytes and the amount of sessions.

1. Go to Monitor > Reports.
2. On the right side of the display, select Traffic Reports > Security Rules.
3. Select the day for which to run the report for.
4. Click on Export to PDF (or csv / xml)

CLI commands for different PAN-OS listed below:

PAN-OS 7.1:show running rule-use vsys <value> rule-base <security|nat|qos|pbf|decryption|app-override|cp|dos> type <used|unused>
Example:

admin@PA-5050> show running rule-use vsys vsys1 rule-base security type unused

rule1
intrazone-default

PAN-OS 8.1, 9.0 and 9.1:
show running rule-use highlight vsys <value> rule-base <security|nat|qos|pbf|decryption|app-override|authentication|dos|tunnel-inspect> type <used|unused>

Example:

admin@Lab-2(active)> show running rule-use highlight vsys vsys1 rule-base security type unused

EWP-NETP0006530-5
intrazone-default