Unable to clear Apps seen from local firewall


L2 Linker

Hello,

Has anyone seen the following issue? 

Panorama manages a security policy for a remote PA. If you try to clear the app seen counter on the remote PA using this KB https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/security-policy-rule-optimization/p... you get a server error: fail to clear usage data error.

 

If I clear the apps seen usage on the Panorama cli for the rule in question, I see the value back to 0, but on the remote PA it still shows the old usage count. Any reason why?

9 REPLIES

Cyber Elite

The reset only happens on the Panorama locally. If you want to reset the firewall also, you need to clear the counters there also.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Where do I go to clear the counters on the FW, specific to apps seen? 

For local rules you can clear apps seen using this link

 

For rules managed by Panorama, you will need to clear them on Panorama, but it does not appear to sync to the remote firewall.

If you have a large number of rules, and want to save a lot of time over copying them individually in the GUI, it can be useful to export the list of rules from Panorama as a CSV and include the rule UUID column.  You can then use a text editor like Notepad++ to prepend clear policy-app-usage-data ruleuuid to each entry, and paste the whole thing into your firewall's CLI.  You'll want to run this command before pasting:

set cli scripting-mode on
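
The CSV step described in the post above, done with a short Python script instead of a text editor (an added example, not code from the thread or from Palo Alto Networks). The "Rule UUID" header and the sample rows are assumptions; each value is parsed as a UUID and re-emitted in canonical form, so a malformed or unexpected cell in the export is skipped rather than pasted into the CLI.

```python
import csv
import io
import uuid

CLEAR_CMD = "clear policy-app-usage-data ruleuuid"  # command quoted in the thread
SCRIPTING_MODE = "set cli scripting-mode on"        # run before pasting, per the post

# Constructed sample export; the column names are assumed, not a documented format.
SAMPLE = (
    "Name,Rule UUID,Action\n"
    "allow-web,66d7cf61-465c-4b47-bcc4-19b302919827,allow\n"
    "allow-dns,00000000-0000-4000-8000-000000000001,allow\n"
    "allow-web-copy,66D7CF61-465C-4B47-BCC4-19B302919827,allow\n"
    "broken-row,not-a-uuid,deny\n"
)

def find_uuid_column(header):
    """Return the index of the first column whose name contains 'uuid'."""
    for i, name in enumerate(header):
        if "uuid" in name.strip().lower():
            return i
    raise ValueError("no UUID column found; include it when exporting the rules")

def build_clear_script(csv_text):
    """Return (cli_lines, skipped) where skipped lists (csv_line, raw_value)."""
    rows = csv.reader(io.StringIO(csv_text.lstrip("\ufeff")))  # drop a BOM if present
    col = find_uuid_column(next(rows))
    uuids, skipped = [], []
    for line_no, row in enumerate(rows, start=2):
        raw = row[col].strip() if col < len(row) else ""
        try:
            canonical = str(uuid.UUID(raw))  # only hex digits and hyphens survive
        except ValueError:
            skipped.append((line_no, raw))
            continue
        if canonical not in uuids:           # avoid clearing the same rule twice
            uuids.append(canonical)
    lines = [SCRIPTING_MODE] + [f"{CLEAR_CMD} {u}" for u in uuids]
    return lines, skipped

if __name__ == "__main__":
    cli_lines, skipped_rows = build_clear_script(SAMPLE)
    print("\n".join(cli_lines))
    for line_no, raw in skipped_rows:
        print(f"# skipped CSV line {line_no}: {raw!r}")
```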

 

Thanks, that is what the OP tried. It only works when using Panorama. I want to clear the counter for apps seen on the local FW. Reaper's reply was to clear counters, that is what I'm looking for. You would think the command should work on the local FW, but it doesn't. 😕

 

admin@palo220> clear policy-app-usage-data ruleuuid 66d7cf61-465c-4b47-bcc4-19b302919827

Server error : Failed to clear usage data
admin@palo220>

 

Same issue I ran into. If the policies are pushed from Panorama to the firewall, you can't clear the Apps seen counter on the PA. Not sure if this is a bug or by design. If you convert the policy to a local rule on the firewall, you can run the command just fine.

In my experience, policy optimizer is incredibly buggy, and the data isn't completely trustworthy.  This seems to be one of those bugs.  I was looking back on some internal notes from when I ran into this a few months ago.  I found something else that makes this even more odd.  When you run the clear policy-app-usage-data ruleuuid command in the firewall CLI, you get the error message, and the total apps displayed in the Apps Seen column doesn't change.  However, the detailed list of apps does seem to get flushed.  It's deceiving, but if you're trying to see which apps have hit the rule since it was last cleared, it still might be somewhat useful.  It's frustrating though.

Before:

[Screenshot: Before clearing usage data]

 

After:

[Screenshot: After clearing usage data]

I don't have a Panorama in my environment. This is a standalone 220 in my lab. 🙂

Thanks OwenFuller, you are correct. This does help!
