Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Tag Unused Rules

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Tag Unused Rules

L2 Linker

How to tag all unused security policies. I'm faimilar with the "highlight unused" and > show running rule-use rule-base security type unused vsys vsys1 command.

 

Is there a way I can then easily tag all my rules used say older than 90 days? 

10 REPLIES 10

Cyber Elite
Cyber Elite

Hello,

The 'Highlight Unused Rules' are rules that have not been hit since the last reboot. There is really not an easy way from the GUI to select multiple rules and add the tags you want. Unless you have a lot of them, I just do them one by one.

 

One way would be to create the tag and then export the config xml, modifyi it to add your tags then upload it back into the PAN. I'm sure there are other ways, so other can comment with other ideas.

 

Regards,

Unfortunately we have over 100 firewalls and probably 100s if not over 1000 unused rules. So something automated would be extremely helpful. 

Ah, in this case something like Ansible or Device Framework might help? I havent used either but they look promising. I would also reach out to your SE and see what their thoughts are.

 

https://live.paloaltonetworks.com/t5/Automation-API/ct-p/automation

 

Just some thoughts! Let us know how it goes.

 

Cheers!

 

@nicford,

While automation is nice I think you are past the point of it really working the best for you to be honest. I would look at something like FireMon that can do this through a centralized basis and does it very well. Regardless this is going to take a while to clean up effectively on that many devices. 

from netmiko import ConnectHandler
import re
import time

with open('C:\\Users\\xxxxxxx\\Desktop\\test.txt') as f:
    x = []
    for line in f:
        x.append(line.strip())

def escape_ansi(line):
    ansi_escape = re.compile(r'(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]')
    return ansi_escape.sub('', line)

devicelist=""
for i in x:
    try:
       firewall = ConnectHandler(device_type='paloalto_panos_ssh', ip=i, username='xxxxxxx', password='xxxxxxx')
       print('\n>>>>>>>>> Unused Policies of' + ' ' + i + ' <<<<<<<<<<<')
       time.sleep(10)
       hostname = firewall.send_command_timing(" show system info | match hostname", delay_factor=2)
       print (hostname)
       output= firewall.send_command(" show running rule-use rule-base security type unused vsys vsys1 ")
       time.sleep(20)
       output= escape_ansi(output)
       print (output.strip())
       firewall.disconnect()
       print('\n>>>>>>>>> Logged out of Device' + ' ' + i + ' <<<<<<<<<<<')
    except:
       print ('\nUnable to login to PAN'+' '+i)
       devicelist=devicelist+ i +"\n"
print ('\nFirewalls which needs to be checked  \n' +'' +devicelist)



Here is python script to get all the unused rules, I have implemented this today in my 50 firewall setup.

 

Please reach out if any queries.

thanks for the script! but reviewing it (forgive me if I'm wrong), this just prints all the unused rules. My main goals would be to print the rules, then tag them. My next step would be locate this tag, disable rules. Finally, delete all disabled rules. 

I believe you could do this with pan-configurator:

 - https://live.paloaltonetworks.com/t5/API-Articles/PAN-Configurator-scripting-library-and-utilities/t...

 - https://github.com/cpainchaud/pan-configurator

 

Clean unused rules even when you don't have logs over X months/years ( gets the list from cli 'show rulebase security type unused'):

 

run once : php rules-edit.php in=api://xxx actions=tag-add:Unused 'filter=(rule is.unused.fast)'

run every month: php rules-edit.php in=api://xxx actions=tag-remove:Unused 'filter=!(rule is.unused.fast) and (tag has Unused)' then after a few months, delete unused rules: php rules-edit.php in=api://xxxx actions=delete 'filter=(tag has Unused)'

 

You'd just be adding an intermediary step of disabling rules with the tag first, and then delete later.  

 

https://live.paloaltonetworks.com/t5/API-Articles/rules-edit-php-to-manage-edit-export-rules-from-CL...

 

Hey, yes I am working on the script to tag the sec policies, the script was basically to know the policies which needs attention on all firewalls ( in less than 15 mins).


@BPry wrote:

@nicford,

While automation is nice I think you are past the point of it really working the best for you to be honest. I would look at something like FireMon that can do this through a centralized basis and does it very well. Regardless this is going to take a while to clean up effectively on that many devices. 


 

Without a doubt I'll second this.  If you've got "100s" of firewalls FireMon should be a "cost of doing business." It's beyond easy to use and will make your life so much easier as a firewall admin

thanks for everyone feedback! I'll defintiely look into Firemon and also some scripts some of you have shared. 

  • 7243 Views
  • 10 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!