Tag Unused Rules

L2 Linker

How to tag all unused security policies. I'm familiar with the "highlight unused" and > show running rule-use rule-base security type unused vsys vsys1 command.
Is there a way I can then easily tag all my rules used say older than 90 days? 

Cyber Elite

Re: Tag Unused Rules

Hello,

The 'Highlight Unused Rules' are rules that have not been hit since the last reboot. There is really not an easy way from the GUI to select multiple rules and add the tags you want. Unless you have a lot of them, I just do them one by one.
One way would be to create the tag and then export the config XML, modify it to add your tags, then upload it back into the PAN. I'm sure there are other ways, so others can comment with other ideas.
Regards,

L2 Linker

Re: Tag Unused Rules

Unfortunately we have over 100 firewalls and probably 100s if not over 1000 unused rules. So something automated would be extremely helpful. 

Cyber Elite

Re: Tag Unused Rules

Ah, in this case something like Ansible or Device Framework might help? I haven't used either but they look promising. I would also reach out to your SE and see what their thoughts are.
https://live.paloaltonetworks.com/t5/Automation-API/ct-p/automation
Just some thoughts! Let us know how it goes.
Cheers!
Cyber Elite

Re: Tag Unused Rules

@nicford,

While automation is nice I think you are past the point of it really working the best for you to be honest. I would look at something like FireMon that can do this through a centralized basis and does it very well. Regardless this is going to take a while to clean up effectively on that many devices. 

L2 Linker

Re: Tag Unused Rules

from netmiko import ConnectHandler
import re
import time

# Read one firewall IP/hostname per line from the inventory file (blank lines skipped)
with open('C:\\Users\\xxxxxxx\\Desktop\\test.txt') as f:
    x = [line.strip() for line in f if line.strip()]

def escape_ansi(line):
    # Strip ANSI escape sequences that the PAN-OS CLI may emit around its output
    ansi_escape = re.compile(r'(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]')
    return ansi_escape.sub('', line)

devicelist = ""
for i in x:
    try:
        firewall = ConnectHandler(device_type='paloalto_panos_ssh', ip=i, username='xxxxxxx', password='xxxxxxx')
        print('\n>>>>>>>>> Unused Policies of ' + i + ' <<<<<<<<<<<')
        time.sleep(10)
        hostname = firewall.send_command_timing("show system info | match hostname", delay_factor=2)
        print(hostname)
        output = firewall.send_command("show running rule-use rule-base security type unused vsys vsys1")
        time.sleep(20)
        output = escape_ansi(output)
        print(output.strip())
        firewall.disconnect()
        print('\n>>>>>>>>> Logged out of Device ' + i + ' <<<<<<<<<<<')
    except Exception as e:  # a bare except would also swallow KeyboardInterrupt
        print('\nUnable to login to PAN ' + i + ': ' + str(e))
        devicelist = devicelist + i + "\n"
print('\nFirewalls which need to be checked:\n' + devicelist)
Here is a Python script to get all the unused rules; I implemented this today in my 50-firewall setup.
Please reach out if any queries.

L2 Linker

Re: Tag Unused Rules

Thanks for the script! But reviewing it (forgive me if I'm wrong), this just prints all the unused rules. My main goals would be to print the rules, then tag them. My next step would be to locate this tag and disable the rules. Finally, delete all disabled rules.
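One way to carry the unused-rule list from the CLI command into the tag / disable / delete steps through the PAN-OS XML API, as an added example that is not code from any post in this thread. It assumes the command prints one rule name per line (the sample output below is constructed and the real output may carry extra header lines), that the firewall's own config lives under the device entry localhost.localdomain, and it deliberately drops any line that is not a valid rule name so that nothing unexpected ends up inside an xpath.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the CLI output (real output may carry extra header lines).
SAMPLE_OUTPUT = """admin@PA-FW> show running rule-use rule-base security type unused vsys vsys1

Allow-Old-Vendor
Temp Test Rule
Legacy-FTP
admin@PA-FW>"""

PROMPT_RE = re.compile(r"^\S+@\S+>")           # "user@hostname>" prompt / echoed command lines
SAFE_NAME_RE = re.compile(r"^[\w .-]{1,63}$")  # PAN-OS rule-name charset; keeps the xpath well-formed
RULE_XPATH = ("/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='{vsys}']"
              "/rulebase/security/rules/entry[@name='{rule}']")

def parse_unused_rules(cli_output):
    """Return the rule names in the CLI output, skipping prompts, blank lines and unsafe names."""
    rules = []
    for line in cli_output.splitlines():
        line = line.strip()
        if line and not PROMPT_RE.match(line) and SAFE_NAME_RE.match(line):
            rules.append(line)
    return rules

def tag_request(rule, tag, vsys="vsys1"):
    """Config call that appends `tag` to the rule's tag list ('set' merges list members)."""
    elem = ET.Element("tag")
    ET.SubElement(elem, "member").text = tag
    return {"type": "config", "action": "set", "xpath": RULE_XPATH.format(vsys=vsys, rule=rule),
            "element": ET.tostring(elem, encoding="unicode")}

def disable_request(rule, vsys="vsys1"):
    """Config call that disables the rule while leaving it in the rulebase."""
    return {"type": "config", "action": "set", "xpath": RULE_XPATH.format(vsys=vsys, rule=rule),
            "element": "<disabled>yes</disabled>"}

def delete_request(rule, vsys="vsys1"):
    """Config call that removes the rule entirely (the final clean-up step)."""
    return {"type": "config", "action": "delete", "xpath": RULE_XPATH.format(vsys=vsys, rule=rule)}

def plan(cli_output, tag="Unused", vsys="vsys1", disable=False):
    """Ordered calls for every unused rule: tag it, and optionally disable it in the same pass."""
    calls = []
    for rule in parse_unused_rules(cli_output):
        calls.append(tag_request(rule, tag, vsys))
        if disable:
            calls.append(disable_request(rule, vsys))
    return calls
```

Each returned dict is the parameter set for one POST to https://<firewall>/api/ with the API key added as key=<api-key>; the Unused tag object has to exist before the first pass, and nothing takes effect until a commit.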

L7 Applicator

Re: Tag Unused Rules

I believe you could do this with pan-configurator:

 - https://live.paloaltonetworks.com/t5/API-Articles/PAN-Configurator-scripting-library-and-utilities/t...

 - https://github.com/cpainchaud/pan-configurator
Clean unused rules even when you don't have logs over X months/years ( gets the list from cli 'show rulebase security type unused'):
run once: php rules-edit.php in=api://xxx actions=tag-add:Unused 'filter=(rule is.unused.fast)'

run every month: php rules-edit.php in=api://xxx actions=tag-remove:Unused 'filter=!(rule is.unused.fast) and (tag has Unused)'

then after a few months, delete unused rules: php rules-edit.php in=api://xxxx actions=delete 'filter=(tag has Unused)'
You'd just be adding an intermediary step of disabling rules with the tag first, and then delete later.  
https://live.paloaltonetworks.com/t5/API-Articles/rules-edit-php-to-manage-edit-export-rules-from-CL...
L2 Linker

Re: Tag Unused Rules

Hey, yes, I am working on the script to tag the sec policies; the script was basically to know the policies which need attention on all firewalls (in less than 15 mins).

Cyber Elite

Re: Tag Unused Rules
@BPry wrote:

@nicford,

While automation is nice I think you are past the point of it really working the best for you to be honest. I would look at something like FireMon that can do this through a centralized basis and does it very well. Regardless this is going to take a while to clean up effectively on that many devices. 
Without a doubt I'll second this. If you've got "100s" of firewalls, FireMon should be a "cost of doing business." It's beyond easy to use and will make your life so much easier as a firewall admin.
