This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Impossible? List unused Addres Objects?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Impossible? List unused Addres Objects?

RobinClayton
L4 Transporter

‎02-23-2018 07:15 AM

I assume there is no report to list address objects that have not been used

 

Ones that may or may not be in rules, relate to long dead or incorrectly entered endpoints, that have not generated any traffic.

 

I have seen the "Shared_dup_and_unused... script, but don't think that gives me the desired result.

 

Unless someone has something already, I think it's a new script to parse the traffic logs.

 

Cheers

 

Rob

 

 

 

0 Likes Likes
4 REPLIES 4

pulukas
L7 Applicator

‎02-24-2018 10:59 AM

Correct, no current feature.  Do contact your sales engineer and vote for FR 3159.

PAN maintains an internal database of customer "Feature Requests" and each is assigned an ID number.

Companies can add the "vote" for specific requests via your sales engineer.

 

Highlight Unused Objects

FR  3159

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

sam_miller
L2 Linker

‎02-25-2018 05:55 PM

You can use the PANW Migration Tool;

https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/MigrationTool-3-3-Info-and-Guide/ta-p/7...

 

Load a runnign config of your firewall(s) into that, and it has a section down the bottom of the 'Objects' tab to show/remove unused address objects

0 Likes Likes

RobinClayton
L4 Transporter
In response to sam_miller

‎02-26-2018 01:16 AM

It's a while sice I have used the PAN migration tool, but I don't think it will do what I want.

 

The need is to find objects that may or may not be in a rule (not just ones that are not used in any rule) which have had no traffic logged from them.

 

 

 

As for logging it with our sales, I doubt they would ever pass it on and I doubt we will use them again!

 

Rob

0 Likes Likes

Remo
L7 Applicator
In response to RobinClayton

‎03-03-2018 12:47 AM

Hi @RobinClayton

 

As for a lot of topics without solution, the solution is the XML API.

If you really need something like that to check for used objects, you can write a script for doing exactly that:

  1. Parse the ruleset for all the objects used
  2. Lookup these objects in the configuration to get the ip address/subnet/IP range
  3. Use the information from point 2 to query the logs for each object/address one by one and exclude the drop all policy in your query

Obviously depending on the size of the ruleset and the amount of objects this script can easily run for hours, but at the end you could have your custom object usage report.

 

Or use something like Tufin, to do this job. But even if you are not familiar with scripting, doing it by yourself is probably less expensive (unless you have other things wher Tufin would help you that are also time consuming)

0 Likes Likes
  • 2753 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks