How to quickly find (and remove) unused objects in policy?


L3 Networker

Is there a way to quickly find (and remove) unused objects in policy? I mean like address or service objects.


L3 Networker

The easiest way to do this is to utilize the Expedition tool to identify resources that are unused and delete them.


https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool


Expedition is a free tool made available by Palo Alto Network to assist with firewall migrations and optimization.

But with the migration tool, I can't remove objects in place? Or is it possible to import objects to the Migration tool, and remove unused ones directly from the Migration tool?

Expedition can make changes directly on the firewall.  It has been a while since I have done it, but I believe you add the device under Devices and make the changes under your project > Export > API Output Manager.  You should know the difference between Atomic and SubAtomic changes.


You could also use "show | match <object-name>" in configuration mode (set format) and see where it is used in the configuration.  If the only line is the address object, it is not used.


You could also delete the object.  If it is used, you will get an error right away.  If not, the delete will be accepted in the candidate configuration.  UPDATE:  I saw this on Reddit, and it works.  Select all the objects.  (This may not be quick depending upon the number of objects.)  Select Delete and Yes.  All unused objects are deleted.  All used objects produce an error and are kept.  Use Device > Config Audit to see which objects were deleted.


Once Expedition is setup, that is the quickest and easiest.

Help the community: Like helpful comments and mark solutions.
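The `show | match <object-name>` check above is a substring match, so a name like `web` would also "match" every line that mentions `web-srv`. As an added example (not code from the thread or from Palo Alto Networks), the script below applies the same idea to a set-format configuration but matches whole tokens, treating an address or service object as unused when no line other than its own definition refers to it, and then prints the configure-mode `delete` lines for those objects. The sample configuration, object names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample of a PAN-OS set-format config (made up, not from the thread).
SAMPLE_CONFIG = """
set address web-srv ip-netmask 10.0.0.5/32
set address web ip-netmask 10.0.0.6/32
set address db-srv ip-netmask 10.0.1.10/32
set address old-vpn ip-range 10.9.0.1-10.9.0.20
set address-group dmz-hosts static [ web-srv db-srv ]
set service tcp-8443 protocol tcp port 8443
set service tcp-9000 protocol tcp port 9000
set rulebase security rules allow-web from untrust to dmz source any destination web-srv application web-browsing service tcp-8443 action allow
set rulebase security rules allow-db from dmz to dmz source dmz-hosts destination db-srv application any service application-default action allow
"""

DEFINITION_PREFIXES = ("set address ", "set service ")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(line):
    """Split a set-format line into tokens, keeping quoted names as one token."""
    return [t.strip('"') for t in TOKEN_RE.findall(line)]


def scan(config_text):
    """Collect object definitions (name -> type) and whole-token reference counts."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    definitions, references = {}, defaultdict(int)
    for line in lines:
        tokens = tokenize(line)
        if line.startswith(DEFINITION_PREFIXES) and len(tokens) >= 3:
            definitions[tokens[2]] = tokens[1]  # e.g. "web-srv" -> "address"
    for line in lines:
        tokens = tokenize(line)
        # Skip the object's own "set address <name> ..." line; only count real references.
        is_definition = line.startswith(DEFINITION_PREFIXES) and len(tokens) >= 3
        for tok in tokens[3:] if is_definition else tokens:
            if tok in definitions:
                references[tok] += 1
    return definitions, references


def find_unused_objects(config_text):
    """Return sorted names of address/service objects that nothing else refers to."""
    definitions, references = scan(config_text)
    return sorted(n for n in definitions if references[n] == 0)


def delete_commands(config_text):
    """Build the configure-mode 'delete <type> <name>' lines for the unused objects."""
    definitions, _ = scan(config_text)
    return [f"delete {definitions[n]} {n}" for n in find_unused_objects(config_text)]
```

On the sample, `web` is reported as unused even though `web-srv` and `web-browsing` appear in a rule, which is exactly the case a plain substring match gets wrong; review the generated `delete` lines before committing them.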

Cyber Elite

Hi @niuk,


If my post answered your question, could you please click Accept as Solution?


Thanks!

Help the community: Like helpful comments and mark solutions.

L0 Member

In case anyone is stumbling upon this thread in 2022... the suggested method above doesn't seem to work effectively or consistently. Running 9.1.x and our Panorama seems to stop checking after it reaches X errors or objects. I had to go back and select chunks of around 75 or less for it to effectively get rid of unused objects. This is rough when you have 4000+ objects...

Is Palo ever going to give us a feature to simply remove unused objects in bulk without having to use Expedition?

There are a few options. You can talk to your Palo representatives about progressing feature request ID 3159 to have something in the GUI. Expedition is also an option. For automated solutions, you could use the API or one of the SDKs; in fact pan-os-php has some dedicated advice on this topic: https://github.com/PaloAltoNetworks/pan-os-php/wiki/unused-objects, but you could use Python or Go, which also have SDKs. It just depends on your preferred approach. Hope that helps.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂