- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-15-2018 04:57 PM
Let us say you have a firewall pair configured and rules configured and one day you fail them over - or they fail over. The primary is rebooted. When the primary comes back up all sessions are transferred back and everything is fine. Except, as I understand it, the only time rule counters are reset is after a reboot (or the backplane is restarted). So if those sessions are never again dropped, and thus never hit the rule allowing them again, that rule may appear as unused.
Is this correct and, if so, is there a way to resovle it for a rule-base review - to know which rules are really not being used and avoid disabling "unused rules" that are really just maintaining their sessions between failovers?
03-16-2018 09:09 AM
What you really want is a new feature in PAN-OS 8.1, but I wouldn't recommend installing it quite yet.
03-16-2018 09:12 AM
03-16-2018 09:17 AM
Hello @Knobdy,
You are indeed correct. Once a PAN reboots, the counters are reset to 0 regardless of current sessions on the other HA unit. I agree with @mlinsemier, wait on 8.1 for a while till they work out some bugs.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!