Cleaning obsolete firewall rules

Not applicable

Hi all,

We have recently migrated from a Juniper to a Palo Alto firewall, and there are numerous firewall rules that are obsolete and potentially a security risk to me. I tried to use the "highlight unused rules" button, but it does not seem consistent to me. Are the highlighted rules unused since the firewalls started running, or simply not used at the moment? (There is a big difference between the two.)

Thanks a lot!!


L3 Networker

Hello, you should wait for some time after migration to allow the firewall to analyze unused rules.

The show unused rules feature is tied to the Monitor Logs, so if you do not have a good history of logs, then all the rules will be marked as unused rules.

I believe that is why you see inconsistent results.

FYI only

Below is the command to pull a list:

>show running rule-use rule-base security type unused vsys vsys1

Hope this helps!

Please mark it as correct answer or helpful if appropriate.

L5 Sessionator

"highlight unused rules" shows the rules that are not used by the device since the start of the dataplane.

Not applicable

Thanks for the replies. It is crystal clear to me now.
