09-07-2018 12:56 PM
Is there a way to quickly find (and remove) unused objects in policy? I mean like address or service objects.
09-08-2018 11:29 AM
The easiest way to do this is to utilize the Expedition tool to identify resources that are unused and delete them.
https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool
Expedition is a free tool made available by Palo Alto Networks to assist with firewall migrations and optimization.
09-10-2018 08:24 AM
But with the migration tool, I can't remove objects in place? Or is it possible to import objects to the Migration tool, and remove unused ones directly from the Migration tool?
01-15-2020 01:47 PM - edited 04-12-2023 01:25 PM
Expedition can make changes directly on the firewall. It has been a while since I have done it, but I believe you add the device under Devices and make the changes under your project > Export > API Output Manager. You should know the difference between Atomic and SubAtomic changes.
You could also use "show | match <object-name>" in configuration mode (set format) and see where it is used in the configuration. If the only line is the address object, it is not used.
You could also delete the object. If it is used, you will get an error right away. If not, the delete will be accepted in the candidate configuration.
UPDATE: I saw this on Reddit, and it works. Select all the objects. (This may not be quick depending upon the number of objects.) Select Delete and Yes. All unused objects are deleted. All used objects produce an error and are kept. Use Device > Config Audit to see which objects were deleted.
Once Expedition is set up, that is the quickest and easiest.
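The `show | match <object-name>` check from the reply above, applied to every object at once over a saved set-format export. This is an added example, not part of the thread and not a Palo Alto Networks tool. It assumes single-vsys firewall output where objects appear as `set address <name> ...` (Panorama `shared` and `device-group` prefixes are not handled), and the sample configuration is constructed.

```python
import shlex
from collections import defaultdict

OBJECT_KINDS = {"address", "address-group", "service", "service-group"}

# Constructed sample of set-format output (not taken from a real device).
SAMPLE_CONFIG = """\
set address web-srv ip-netmask 10.0.0.10/32
set address web-srv description "front end"
set address web-srv2 ip-netmask 10.0.0.11/32
set address old-db ip-netmask 10.0.9.5/32
set address "legacy host" fqdn legacy.example.com
set address-group web-farm static [ web-srv2 ]
set service tcp-8443 protocol tcp port 8443
set service tcp-9000 protocol tcp port 9000
set rulebase security rules allow-web destination [ web-srv ]
set rulebase security rules allow-web service tcp-8443
set rulebase security rules allow-web action allow
"""

def find_unused_objects(config_text):
    """Return {kind: [names]} for objects seen only on their own definition lines."""
    defined = {}                 # object name -> kind
    mentions = defaultdict(int)  # token -> count of lines that reference it
    for line in config_text.splitlines():
        tokens = shlex.split(line)          # keeps quoted names as one token
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        own = None
        if tokens[1] in OBJECT_KINDS:
            own = tokens[2]                 # the object this line defines
            defined.setdefault(own, tokens[1])
            tokens = tokens[3:]
        # Whole-token comparison: "web-srv" does not match "web-srv2",
        # which a plain substring match would report as a use.
        for tok in set(tokens):
            if tok != own:
                mentions[tok] += 1
    unused = defaultdict(list)
    for name, kind in defined.items():
        if mentions[name] == 0:
            unused[kind].append(name)
    return {kind: sorted(names) for kind, names in unused.items()}

if __name__ == "__main__":
    for kind, names in find_unused_objects(SAMPLE_CONFIG).items():
        print(kind, names)
```

Membership in a group counts as a use, so `web-srv2` is reported as used even though its only reference is the unused group `web-farm`; run the check again after removing unused groups.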
08-23-2021 05:13 AM
Hi @niuk,
If my post answered your question, could you please click Accept as Solution?
Thanks!
12-21-2022 07:36 AM
In case anyone is stumbling upon this thread in 2022... the suggested method above doesn't seem to work effectively or consistently. Running 9.1.x and our Panorama seems to stop checking after it reaches X errors or objects. I had to go back and select chunks of around 75 or less for it to effectively get rid of unused objects. This is rough when you have 4000+ objects...
Is Palo ever going to give us a feature to simply remove unused objects in bulk without having to use Expedition?
01-09-2023 07:02 AM
There are a few options. You can talk to your Palo representatives about progressing feature request ID 3159 to have something in the GUI. Expedition is also an option. For automated solutions, you could use the API or one of the SDKs. In fact, pan-os-php has some dedicated advice on this topic: https://github.com/PaloAltoNetworks/pan-os-php/wiki/unused-objects, but you could use Python or Go, which also have SDKs. It just depends on your preferred approach. Hope that helps.