This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

NAT Rules Log / Highlight Unused Rules

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NAT Rules Log / Highlight Unused Rules

SOC_CSG
L4 Transporter

‎02-23-2015 11:11 AM

Hi,

I'm doing maintenance and have doubts about a NAT rule.

I have enabled the "Highlight Unused Rules" and this rule seems to be that using currently. But we believe that this is not in use.

How can I see the activity related to a policy NAT?

How can I see that affects this rule?

How can I check the activity NAT using CLI?

Thanks and regards,

6 REPLIES 6

bat
L5 Sessionator

‎02-23-2015 01:31 PM

Hi CoS

You can check the sessions from CLI using the below command:

show session all filter nat-rule <rule-name>

To see what NAT rules are matched for a specific traffic you can also use the test command:

test nat-policy-match <criteria>

HULK
L7 Applicator

‎02-23-2015 02:19 PM

Hello Cos,

It looks the "Highlight unused rule" option is working for Security Policy but not for the NAT policy on my PAN firewall. So, the CLI command mentioned by bat would the right way to determine it.

Thanks

HULK
L7 Applicator

‎02-23-2015 02:28 PM

Hello COS,

Please find below the observed behavior:

I have added new NAT rules. Before commit, if iclick into the "Highlight unused rule", The feature works as expected. However, once commit is done in the PA, it is not highlighted.

There is a BUG open for this:

Bug 65553 - After commit, Highlight Unused Rules does not wroks for NAT rules

Resolved in:PAN OS 6.1.2

Hope this helps.

Thanks

pulukas
L7 Applicator
In response to HULK

‎02-23-2015 04:31 PM

Thanks for letting us know the bug id and resolution version.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

RajeshB
L0 Member

‎02-24-2015 05:54 AM

Hello COS,

If the rule is been used atleast once, we cannot reset the counter unless a restart is done.

We can however change the name of the existing NAT/Policy rule ( "X" to "X-1"), This will again wait for a new packet to hit the rule, so that the "highlight unused" feature will work.

If it is a Rule constantly getting used(example Dynamic ISP NAT), it will be very hard to use the highlight unused feature.

oklier
L3 Networker

‎02-24-2015 03:13 PM

Also keep in mind that it will only highlight unused rules since the last reboot. But it sounds like the bug maybe causing it.

  • 6704 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks