Find out how exactly you can identify unused rules, which is an ideal shortcut for security audits if you have hundreds if not thousands of policies.
"Highlight Unused Rules" is a priceless feature when it comes to auditing a security policy—especially if you have hundreds of rules and not enough time to manually check whether each one has been used or not.
When it's that time of year again and you need to audit your firewall rules, you want to have a quick way to audit them. This nifty little feature called Highlight Unused Rules is here to help!
To identify rules that have not been used since the last time the firewall was restarted, check Highlight Unused Rules. Unused rules have a dotted background. Below is a screenshot of the checkbox on a PAN-OS 10.1 version. This easily missed checkbox is available on EVERY page under the Policies tab.
Notice how many of the rules get the dotted yellow background as soon as I check the box. You'll notice in the screenshot below that ONLY rules 29, 32 and 34 have no dotted background.
When policy rule hit count is enabled, the Hit Count data is used to determine whether a rule is unused.
You can enable the column 'Rule Usage Hit Count', which will give you the information you're looking for. Notice how in the screenshot below the HIT COUNT column (1) shows zero hits for the unused rules and 638 hits (2) for rule #29.
You can then decide whether to Disable a rule, Delete it, or leave it as it is.
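One way to turn the Hit Count column into a disable/delete decision is to weigh a zero count against how long it has actually been observed, since counters only cover the period since the last restart. The script below is an added example, not part of the original post or of PAN-OS; it reads a constructed CSV export whose column names are assumed, and flags a zero-hit rule as a candidate only once it has been watched for a minimum number of days.

```python
"""Triage exported PAN-OS rule-usage data: which zero-hit rules are safe to
disable, and which merely have not been observed long enough?"""
import csv
import io
from datetime import date

# Constructed sample export (column names assumed for this example, not a
# verbatim PAN-OS export): rule name, Hit Count, Last Hit, rule creation date.
SAMPLE_CSV = """name,hit_count,last_hit,created
allow-web-out,638,2024-05-20,2021-03-01
legacy-ftp-in,0,,2019-07-15
dr-failover-db,0,,2024-04-28
temp-vendor-access,0,,2024-01-10
"""

def observed_days(created: date, counter_reset: date, today: date) -> int:
    """Days during which a zero hit count is meaningful: since the rule was
    created or since the counters were last reset (e.g. a firewall restart),
    whichever is later."""
    return (today - max(created, counter_reset)).days

def triage_rules(csv_text: str, counter_reset: date, today: date,
                 min_days: int = 90) -> dict:
    """Return {rule name: verdict}.

    in-use            hit count > 0
    unused-candidate  zero hits over at least min_days of observation
    insufficient-data zero hits, but the window is too short to conclude
    """
    verdicts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = int(row["hit_count"])
        if hits > 0:
            verdicts[row["name"]] = "in-use"
            continue
        window = observed_days(date.fromisoformat(row["created"]),
                               counter_reset, today)
        verdicts[row["name"]] = ("unused-candidate" if window >= min_days
                                 else "insufficient-data")
    return verdicts

if __name__ == "__main__":
    # Counters last reset on 1 Jan; audit run on 1 Jun.
    for name, verdict in triage_rules(SAMPLE_CSV, date(2024, 1, 1),
                                      date(2024, 6, 1)).items():
        print(f"{name:22} {verdict}")
```

Re-running with a reset date of 1 May shows the restart caveat directly: every zero-hit rule drops back to insufficient-data because nothing has been observed for 90 days yet.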
If you want to check using the CLI you can use the following command:
> show running rule-use highlight rule-base security type unused vsys vsys1
Other types of unused policies (such as NAT, decryption, app-override, PBF, QoS, etc.) can also be checked by specifying the appropriate option:
> show running rule-use highlight rule-base <option>