01-03-2018 11:26 AM - edited 01-03-2018 11:26 AM
How to tag all unused security policies. I'm faimilar with the "highlight unused" and > show running rule-use rule-base security type unused vsys vsys1 command.
Is there a way I can then easily tag all my rules used say older than 90 days?
01-03-2018 11:34 AM
Hello,
The 'Highlight Unused Rules' are rules that have not been hit since the last reboot. There is really not an easy way from the GUI to select multiple rules and add the tags you want. Unless you have a lot of them, I just do them one by one.
One way would be to create the tag and then export the config xml, modifyi it to add your tags then upload it back into the PAN. I'm sure there are other ways, so other can comment with other ideas.
Regards,
01-03-2018 11:42 AM
Unfortunately we have over 100 firewalls and probably 100s if not over 1000 unused rules. So something automated would be extremely helpful.
01-03-2018 12:01 PM
Ah, in this case something like Ansible or Device Framework might help? I havent used either but they look promising. I would also reach out to your SE and see what their thoughts are.
https://live.paloaltonetworks.com/t5/Automation-API/ct-p/automation
Just some thoughts! Let us know how it goes.
Cheers!
01-03-2018 02:12 PM
While automation is nice I think you are past the point of it really working the best for you to be honest. I would look at something like FireMon that can do this through a centralized basis and does it very well. Regardless this is going to take a while to clean up effectively on that many devices.
01-05-2018 07:49 AM
from netmiko import ConnectHandler
import re
import time
with open('C:\\Users\\xxxxxxx\\Desktop\\test.txt') as f:
x = []
for line in f:
x.append(line.strip())
def escape_ansi(line):
ansi_escape = re.compile(r'(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]')
return ansi_escape.sub('', line)
devicelist=""
for i in x:
try:
firewall = ConnectHandler(device_type='paloalto_panos_ssh', ip=i, username='xxxxxxx', password='xxxxxxx')
print('\n>>>>>>>>> Unused Policies of' + ' ' + i + ' <<<<<<<<<<<')
time.sleep(10)
hostname = firewall.send_command_timing(" show system info | match hostname", delay_factor=2)
print (hostname)
output= firewall.send_command(" show running rule-use rule-base security type unused vsys vsys1 ")
time.sleep(20)
output= escape_ansi(output)
print (output.strip())
firewall.disconnect()
print('\n>>>>>>>>> Logged out of Device' + ' ' + i + ' <<<<<<<<<<<')
except:
print ('\nUnable to login to PAN'+' '+i)
devicelist=devicelist+ i +"\n"
print ('\nFirewalls which needs to be checked \n' +'' +devicelist)
Here is python script to get all the unused rules, I have implemented this today in my 50 firewall setup.
Please reach out if any queries.
01-05-2018 03:36 PM
thanks for the script! but reviewing it (forgive me if I'm wrong), this just prints all the unused rules. My main goals would be to print the rules, then tag them. My next step would be locate this tag, disable rules. Finally, delete all disabled rules.
01-05-2018 04:16 PM
I believe you could do this with pan-configurator:
- https://github.com/cpainchaud/pan-configurator
Clean unused rules even when you don't have logs over X months/years ( gets the list from cli 'show rulebase security type unused'):
run once : php rules-edit.php in=api://xxx actions=tag-add:Unused 'filter=(rule is.unused.fast)'
run every month: php rules-edit.php in=api://xxx actions=tag-remove:Unused 'filter=!(rule is.unused.fast) and (tag has Unused)' then after a few months, delete unused rules: php rules-edit.php in=api://xxxx actions=delete 'filter=(tag has Unused)'
You'd just be adding an intermediary step of disabling rules with the tag first, and then delete later.
01-05-2018 05:54 PM
01-08-2018 10:35 AM
@BPry wrote:While automation is nice I think you are past the point of it really working the best for you to be honest. I would look at something like FireMon that can do this through a centralized basis and does it very well. Regardless this is going to take a while to clean up effectively on that many devices.
Without a doubt I'll second this. If you've got "100s" of firewalls FireMon should be a "cost of doing business." It's beyond easy to use and will make your life so much easier as a firewall admin
01-11-2018 08:21 AM
thanks for everyone feedback! I'll defintiely look into Firemon and also some scripts some of you have shared.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
