Rule Hit Count in BPA Report

L4 Transporter

Rule Hit Count in Best Practice Assessment (BPA) Report


With BPA version 3.24, we are adding a new feature in BPA to process rule hit count (rules that have traffic flowing).

We should be able to see this addition on PAN-OS version 9.0 and later firewalls running a BPA report.


Our customers have many firewalls and have many security policies within them. All users are trying to increase the adoption of various capabilities on our security policies, such as App-ID adoption, credential phishing capability with in a URL filtering profile, IPS features such as anti-virus, anti-spyware, and vulnerability protection, and so on. We also know that we have a lot of security policies on which we want to increase these different capabilities. It would be good to know which policies are most used to pass traffic in the environment. In addition, we would also like to know which of the policies are not used at all for extended periods of time. 


If we knew the policies that are being frequently used for processing traffic through the firewall, we would rather focus on securing these policies first by enabling the above different capabilities. This will help us focus the feature adoption on the necessary policies and skip adding these capabilities on policies that are not used.


We may have security policies in our rulebase that are not being used. These policies may have been added for various reasons, such as temporary rules, but have not been deleted and migrated rules from previous device, but have not been necessary.


With this feature addition we can just filter security policies in the BPA report that are only passing traffic. We believe if a security policy has not been used for the recent 90 days, then it is an unnecessary policy. If that policy is weak then it is a compromise to the network and needs to be deleted.


In the example below, we can see where to find the option to select only security policies that are passing traffic "Enable Traffic Hit Rules (Last 90 days)." We need to enable this option and apply the filters.


Screen Shot 2019-12-30 at 11.05.13 AM.png


When the filters are applied, you can see that the total rule count is now 24, which changed from 38 in the previous screenshot, indicating that there are 12 rules that were not passing traffic for more than 90 days. So we can exclude those rules and increase our security adoption on the 24 rules that needs the capability.


Screen Shot 2019-12-30 at 11.06.06 AM.png


In a different view under the Zones tab, you may also see how it looks before applying the filter "Enable Traffic Hit Rule (Last 90 days)."


Screen Shot 2019-12-30 at 11.07.13 AM.png


Shown below, is what the results will look after applying the filter.

Screen Shot 2019-12-30 at 11.07.25 AM.png


We can also use the "Rule Detail" tab to use filters, and identify all security policies that have rule hits. We added two new columns for Rule Hit Count and Rule Last Hit, which would help identify unused rules with the Hit count being 0. If used, we can see the last time they have been hit and traffic has been flowing through it.


Screen Shot 2019-12-30 at 11.09.37 AM.png


We have also added a new column in the BPA report for Security Rule Checks to identify rule hit policies and different best practice checks that needs to be reviewed. To find it, go to Component > Policies > Security Rule Checks.


BPA Report for Security Rule ChecksBPA Report for Security Rule Checks