Impossible? List unused Addres Objects?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Impossible? List unused Addres Objects?

L4 Transporter

I assume there is no report to list address objects that have not been used

 

Ones that may or may not be in rules, relate to long dead or incorrectly entered endpoints, that have not generated any traffic.

 

I have seen the "Shared_dup_and_unused... script, but don't think that gives me the desired result.

 

Unless someone has something already, I think it's a new script to parse the traffic logs.

 

Cheers

 

Rob

 

 

 

4 REPLIES 4

L7 Applicator

Correct, no current feature.  Do contact your sales engineer and vote for FR 3159.

PAN maintains an internal database of customer "Feature Requests" and each is assigned an ID number.

Companies can add the "vote" for specific requests via your sales engineer.

 

Highlight Unused Objects

FR  3159

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L2 Linker

You can use the PANW Migration Tool;

https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/MigrationTool-3-3-Info-and-Guide/ta-p/7...

 

Load a runnign config of your firewall(s) into that, and it has a section down the bottom of the 'Objects' tab to show/remove unused address objects

It's a while sice I have used the PAN migration tool, but I don't think it will do what I want.

 

The need is to find objects that may or may not be in a rule (not just ones that are not used in any rule) which have had no traffic logged from them.

 

 

 

As for logging it with our sales, I doubt they would ever pass it on and I doubt we will use them again!

 

Rob

Hi @RobinClayton

 

As for a lot of topics without solution, the solution is the XML API.

If you really need something like that to check for used objects, you can write a script for doing exactly that:

  1. Parse the ruleset for all the objects used
  2. Lookup these objects in the configuration to get the ip address/subnet/IP range
  3. Use the information from point 2 to query the logs for each object/address one by one and exclude the drop all policy in your query

Obviously depending on the size of the ruleset and the amount of objects this script can easily run for hours, but at the end you could have your custom object usage report.

 

Or use something like Tufin, to do this job. But even if you are not familiar with scripting, doing it by yourself is probably less expensive (unless you have other things wher Tufin would help you that are also time consuming)

  • 2788 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!