How to Create Custom Report to Show The Least Used Rules in Security Policies


To create a custom report to see the least used rules based on the number of bytes/packets, go through the following steps.

 

Steps

  1. Go to Monitor > Manage Custom Reports and click Add to create a new custom report.
  2. Click Load Template and select “Top security rules”.
  3. Set Database to Traffic Log.
  4. The Selected Columns list on the right must contain "Rules", "Bytes" and "Count" only.
  5. Set the Time Frame as desired.
  6. Sort by “Bytes” or “Packets”. All other options can be left as they are.

[Image: rule count custom report]

  7. You can schedule the report or click “Run now” to generate it immediately.
  8. The output of the report should look similar to the one below.

[Image: custom report output]
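Because the report is built from the traffic log, a rule that matched no traffic in the time frame has no row at all, so the least used rules are the ones missing from the output rather than the ones at the bottom of it. The following script is an added example, not part of the original article: it joins an exported rulebase list with the report's CSV export to surface both absent and low-hit rules. The rule names and report rows are constructed samples, and the CSV header assumes the three columns selected in the steps above.

```python
import csv
import io

# Constructed sample: the full security rulebase in policy order, as exported
# from the firewall configuration (names are made up for this example).
RULEBASE = ["allow-dns", "allow-web", "legacy-ftp", "block-tor", "allow-vpn", "deny-all"]

# Constructed sample of the custom report export with the columns chosen in
# the article (Rules, Bytes, Count). Rules with no matching traffic in the
# time frame simply do not appear in the report.
REPORT_CSV = """Rules,Bytes,Count
allow-web,98234511,42010
allow-dns,1203311,88120
deny-all,51200,640
allow-vpn,0,3
"""


def parse_report(text):
    """Return {rule_name: (bytes, count)} parsed from the report CSV export."""
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        hits[row["Rules"]] = (int(row["Bytes"]), int(row["Count"]))
    return hits


def unused_rules(rulebase, hits):
    """Rules in the rulebase but absent from the report: zero hits in the window."""
    return [rule for rule in rulebase if rule not in hits]


def least_used(rulebase, hits, key="Count", n=3):
    """Rank every rule, treating absent rules as 0, by Bytes or Count (ascending)."""
    idx = 1 if key == "Count" else 0
    value = lambda rule: hits.get(rule, (0, 0))[idx]
    ranked = sorted(rulebase, key=value)  # stable sort keeps policy order on ties
    return [(rule, value(rule)) for rule in ranked[:n]]


if __name__ == "__main__":
    hits = parse_report(REPORT_CSV)
    print("no traffic in window:", unused_rules(RULEBASE, hits))
    print("least used by count:", least_used(RULEBASE, hits))
```

Rules that are absent from the report for the whole time frame are the candidates for review; the ranked list catches rules that are technically hit but only by a handful of sessions.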

owner: aciobanu

Comments

I never found an option listed as "repeat count".

@jdprovine In more recent PAN-OS that column was renamed to 'count'. I've updated the article to reflect the most current situation.

Okay, great, thanks for the update, reaper.

What if I have more than 500 security rules? I'm looking for a way to basically see the number of hits a rule has gotten (mainly whether a rule has not been used) within a pre-defined time period (e.g. the past 30 days). I know you can use "highlight unused rules", but that goes based off the last time the dataplane was reset.

Currently you can only reset the unused rules by restarting the dataplane. I'd suggest you reach out to your local SE to have a Feature Request created to reset the counter or add more details to the unused rule option.

A 'workaround' is to change the unused rules, this can be adding a comment or changing the policy name, this will reset the counter on these rules.

 

500 rules sounds like quite a lot. If you reach out to your SE, you could also ask them to make a heatmap for you, which will help highlight unused rules and provide optimization proposals for large security policies.