- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
"Highlight Unused Rules" is a priceless feature when it comes to auditing a security policy—especially if you have hundreds of rules and not enough time to manually check whether it's been used or not.
When it's that time of year again and you need to audit your firewall rules, you want to have a quick way to audit them. This nifty little feature called Highlight Unused Rules is here to help!
To identify rules that have not been used since the last time the firewall was restarted, check Highlight Unused Rules. Unused rules have a dotted background. Below is a screenshot of the checkbox on a PAN-OS 10.1 version. This easily missed checkbox is available on EVERY page under the Policies tab.
Notice how many of the rules get the dotted yellow background as soon as I check the box. You'll notice in the screenshot below that ONLY rules 29, 32 and 34 have no dotted background.
When policy rule hit count is enabled, the Hit Count data is used to determine whether a rule is unused.
You can enable the column 'Rule Usage Hit Count' which will give you the information you're looking for. Notice how in the screenshot below the HIT COUNT column (1) shows zero hits for the unused rules and 638 hits (2) for rule #29.
You can then decide whether to Disable a rule or Delete it or leave it as it is.
If you want to check using the CLI you can use the following command:
> show running rule-use highlight rule-base security type unused vsys vsys1
Other types of unused policies (such as NAT, decryption, app-override, PBF, QOS, etc) can also be checked by specifying the appropriate option:
> show running rule-use highlight rule-base <option>
where <option> is one of the following:
app-override application override policy
authentication authentication policy
decryption ssl decryption policy
dos dos protection policy
nat nat policy
network-packet-broker network packet broker policy
pbf policy based forwarding policy
qos qos policy
sdwan sdwan policy
security security policy
tunnel-inspect Tunnel Content Inspection policy
As with the the unused rules displayed on the web UI, the output on the CLI is dependent on dataplane restart—the rules not used since the dataplane started up will be displayed.
Feel free to share your questions, comments and ideas in the section below.
Thank you for taking time to read this blog.
Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.
Kiwi out!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
3 Likes | |
2 Likes | |
1 Like | |
1 Like | |
1 Like |