We have recently migrated from Juniper to Palo Alto firewall and there are numerous firewall rules that are obsolete and potentially a security risk to me. I tried to use the "highlight unused rules" button but it does not seem consistent to me. Are the highlighted rules unused since the firewalls started running, or simply not currently used at the moment? (There is a big difference between the two.)
Thanks a lot!!
Hello, you should wait for some time after migration to allow the firewall to analyze unused rules.
The "show unused rules" results are tied to the Monitor Logs, so if you do not have a good history of logs, then all the rules will be marked as unused rules.
I believe that is why you see inconsistent results.
Below is the command to pull a list:
>show running rule-use rule-base security type unused vsys vsys1
Hope this helps!
Please mark it as correct answer or helpful if appropriate.
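The asker's concern is telling rules that have never matched traffic apart from rules that merely happen to be idle at the moment. One way to get that distinction, added here as an example and not part of the thread or of PAN-OS itself, is to save the unused-rule list from the command above on a schedule and only treat a rule as a removal candidate when it stays on the list across the whole observation window. The snapshot data below is constructed; it assumes the operator has extracted the rule names from each day's CLI output (one name per snapshot entry), and the 30-day minimum window is an operator's choice, not a product threshold.

```python
from datetime import date

# Constructed sample (not from the thread): the set of security rule names the
# firewall listed as unused on each day the command was run. Assumed to have
# been extracted from the CLI output by the operator; the real output format is
# not reproduced here.
SNAPSHOTS = {
    date(2024, 1, 1):  {"allow-legacy-ftp", "old-vpn-peer", "temp-vendor", "dmz-db-sync"},
    date(2024, 1, 15): {"allow-legacy-ftp", "old-vpn-peer", "dmz-db-sync"},
    date(2024, 2, 1):  {"allow-legacy-ftp", "old-vpn-peer", "temp-vendor"},
    date(2024, 2, 15): {"allow-legacy-ftp", "old-vpn-peer", "temp-vendor", "dmz-db-sync"},
}


def classify_unused(snapshots, min_days=30):
    """Split rules into:
    persistent   - on the unused list in every snapshot, over at least min_days
    intermittent - dropped off the list at least once, i.e. logs showed traffic
    insufficient - would be persistent, but the log history is too short"""
    days = sorted(snapshots)
    window = (days[-1] - days[0]).days
    every_rule = set().union(*snapshots.values())
    always_unused = set.intersection(*(snapshots[d] for d in days))
    intermittent = every_rule - always_unused
    # Latest day each intermittent rule was absent from the unused list: the
    # most recent evidence that it matched traffic and should be kept.
    last_flagged_used = {
        r: max(d for d in days if r not in snapshots[d]) for r in intermittent
    }
    if window < min_days:
        # Not enough log history yet (the situation the answer describes),
        # so nothing is treated as safe to remove.
        return {"persistent": set(), "intermittent": intermittent,
                "insufficient": always_unused,
                "last_flagged_used": last_flagged_used, "window_days": window}
    return {"persistent": always_unused, "intermittent": intermittent,
            "insufficient": set(),
            "last_flagged_used": last_flagged_used, "window_days": window}


if __name__ == "__main__":
    result = classify_unused(SNAPSHOTS, min_days=30)
    print(f"observation window: {result['window_days']} days")
    for rule in sorted(result["persistent"]):
        print(f"removal candidate (unused for whole window): {rule}")
    for rule in sorted(result["intermittent"]):
        print(f"keep, last seen off the unused list on "
              f"{result['last_flagged_used'][rule]}: {rule}")
```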