How do I find out every place an object is used?

L2 Linker

Does anyone know a good way to find out everywhere an object is used?

  • What security and NAT rules is it in?
  • What address groups is it in?
  • What are the rules in which the address groups the object is in are used?

It would be great if there were an easy way to do this.


Accepted Solutions
L4 Transporter

PA really, really needs to implement Check Point's "Where used?" functionality. The backend code that determines where objects are used is already there, because if you try to delete an object that is used in the firewall rule base it won't let you, and it will prompt you as to where the object exists.

That's the closest I've been able to get to "Where used?" - try to delete the object, and if it doesn't let you it will tell you where the object is used. If it does let you delete it, you can just "Revert to last saved configuration".


All Replies
L2 Linker

Thanks for the advice, I was afraid that might be the case.  I will put in a feature request (or another vote for any existing FR).

I will add that Cisco ASA has this capability as well.

L4 Transporter

If you get an FR let me know, I'd like to talk to my SE and vote for that FR too.

Thanks,

Eric

L5 Sessionator

Hello ericgearhart and DMast,

Following is the feature request submitted to the development team for 'Where used objects functionality':

FR ID : 1285

Thanks and regards,

Kunal Adak

L2 Linker

Thanks kadak!  I will add my vote to the FR.

L1 Bithead

I will definitely be adding my vote as well. Thanks

L7 Applicator

Thanks for submitting.  I've added a vote for FR ID : 1285 too.

Right now I use the following technique.

Change the display of configuration to set mode:

set cli config-output-format set

Then pipe the configuration to match with the address object name:

show vsys | match net-192.168.1.0-24

This pulls out all the set commands that contain the object name.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
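
An added example, not part of the original posts and not Palo Alto Networks code: an offline pass over saved set-format output that matches the object as a whole token (a plain substring match on net-192.168.1.0-24 would also hit a longer name such as net-192.168.1.0-24-old) and follows address groups up to the rules that use them. The sample lines, their exact shape, and all object, group and rule names are constructed assumptions.

```python
import shlex

# Constructed sample of set-format configuration (assumed line shape,
# hypothetical object and rule names; not output from a real firewall).
SAMPLE = """\
set vsys vsys1 address net-192.168.1.0-24 ip-netmask 192.168.1.0/24
set vsys vsys1 address net-192.168.1.0-24-old ip-netmask 192.168.1.0/24
set vsys vsys1 address-group branch-nets static [ net-192.168.1.0-24 net-10.1.0.0-16 ]
set vsys vsys1 address-group all-internal static [ branch-nets dc-nets ]
set vsys vsys1 rulebase security rules allow-web source all-internal
set vsys vsys1 rulebase security rules allow-web destination any
set vsys vsys1 rulebase security rules legacy source net-192.168.1.0-24-old
set vsys vsys1 rulebase nat rules branch-out source [ net-192.168.1.0-24 ]
"""

def tokens(line):
    """Split a set command; shlex keeps quoted names together."""
    return [t for t in shlex.split(line) if t not in ("[", "]")]

def where_used(config, name):
    """Return (groups, rules) that reference `name` directly or via groups."""
    cmds = [tokens(l) for l in config.splitlines() if l.startswith("set ")]
    names, groups, rules = {name}, set(), set()
    changed = True
    while changed:  # repeat until no new enclosing group is found
        changed = False
        for t in cmds:
            if "address-group" not in t:
                continue
            i = t.index("address-group")
            if len(t) > i + 3 and t[i + 2] == "static":
                group = t[i + 1]
                if group not in names and names & set(t[i + 3:]):
                    names.add(group)
                    groups.add(group)
                    changed = True
    for t in cmds:
        if "rulebase" in t:
            i = t.index("rulebase")
            if len(t) > i + 5 and t[i + 2] == "rules":
                # t[i+1] = rulebase type, t[i+3] = rule name, t[i+4] = field
                for hit in names & set(t[i + 5:]):
                    rules.add((t[i + 1], t[i + 3], t[i + 4], hit))
    return sorted(groups), sorted(rules)

if __name__ == "__main__":
    found_groups, found_rules = where_used(SAMPLE, "net-192.168.1.0-24")
    print("groups:", found_groups)
    for rule in found_rules:
        print("rule:", *rule)
```

Each rule tuple is (rulebase type, rule name, field, matched object or group), so a rule reached only through a nested group still shows which group pulled it in.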
L4 Transporter

Thank you Steven for sharing! I'm going to go ahead and steal your idea and share it with my team :-)
