Tips & Tricks: How to Identify Unused Policies on a Palo Alto Networks Device

Find out how exactly you can identify unused rules, which is an ideal shortcut for security audits if you have hundreds if not thousands of policies.

"Highlight Unused Rules" is a priceless feature when it comes to auditing a security policy—especially if you have hundreds of rules and not enough time to manually check whether it's been used or not.

When it's that time of year again and you need to audit your firewall rules, you want to have a quick way to audit them. This nifty little feature called Highlight Unused Rules is here to help!

To identify rules that have not been used since the last time the firewall was restarted, check Highlight Unused Rules. Unused rules have a dotted background. Below is a screenshot of the checkbox on a PAN-OS 10.1 version. This easily missed checkbox is available on EVERY page under the Policies tab.

Notice how many of the rules get the dotted yellow background as soon as I check the box.  You'll notice in the screenshot below that ONLY rules 29, 32 and 34 have no dotted background.

When policy rule hit count is enabled, the Hit Count data is used to determine whether a rule is unused.

You can enable the column 'Rule Usage Hit Count' which will give you the information you're looking for. Notice how in the screenshot below the HIT COUNT column (1) shows zero hits for the unused rules and 638 hits (2) for rule #29.

You can then decide whether to Disable a rule or Delete it or leave it as it is. 

If you want to check using the CLI you can use the following command:

> show running rule-use highlight rule-base security type unused vsys vsys1

Other types of unused policies (such as NAT, decryption, app-override, PBF, QOS, etc) can also be checked by specifying the appropriate option:

> show running rule-use highlight rule-base <option>

where <option> is one of the following:

  app-override            application override policy
  authentication          authentication policy
  decryption              ssl decryption policy
  dos                     dos protection policy
  nat                     nat policy
  network-packet-broker   network packet broker policy
  pbf                     policy based forwarding policy
  qos                     qos policy
  sdwan                   sdwan policy
  security                security policy
  tunnel-inspect          Tunnel Content Inspection policy

As with the the unused rules displayed on the web UI, the output on the CLI is dependent on dataplane restart—the rules not used since the dataplane started up will be displayed.

Feel free to share your questions, comments and ideas in the section below.

Thank you for taking time to read this blog.

Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.

Kiwi out!