03-14-2017 09:00 AM
I just upgraded and rebooted my firewall. When I choose to highlight unused rules, it is showing rules that I cannot find any traffic for in the traffic monitor as used. I thought the reboot would reset everything, but I have no idea why a rule that appears to be unused is showing used - any ideas?
04-02-2017 05:22 AM
Can you confirm that the rule in question has the log action turned on in the action tab?
The unused rules function is a simple flag, as soon as the rule processes any match the flag will turn off and the rule shows as having been used since the reboot.
Logging is a choice on a per policy basis for session start, session end or both.
If logging is at session end, and the application involved keeps the session open for hours or days, then there will be no log. But in your case this is not likely.
So when doing this type of testing we sometimes add log at session start to be sure to see the log as soon as possible in the logs.
So if your rule is showing used and your rule is configured to log and you see no logs, this would be a possible bug to take up with a support ticket.
03-14-2017 12:20 PM
It isn't a rule required by a following rule, is it? For example, when traffic originally gets matched to an 'SSL' rule and only then switches over to, say, 'bittorrent' or something like that?
03-14-2017 12:22 PM
I am not sure what you mean by required by a following rule. I thought rules either passed the traffic or didn't.
03-15-2017 06:27 AM
Some applications do not get identified right away, or an admin has reasons to split the rule up into a few different pieces instead of enabling all the required applications in one rule. In this case you could have traffic need to hit something like your 'ssl' rule before the app is identified and it switches over to say your 'skype' or 'bittorrent' rule.
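The two behaviours described in the replies above (the "used" flag flipping on any match regardless of logging, and a session passing through one rule before the app is identified and it shifts to another) are easy to confuse when reading the traffic log. The following is an added illustration, not code from the thread or from PAN-OS: a small model in which a reboot clears every rule's flag, any match sets it, a session-start log is written under the rule first matched, and a session-end log is written under the rule matched last and only once the session closes. The rule names, session list and the placement of start/end logs under first/last rule are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed model of the behaviour described in the thread: a rule's "used"
# flag flips on the first match after reboot, while traffic log entries appear
# only if the rule logs at session start and/or session end.

@dataclass
class Rule:
    name: str
    log_start: bool = False
    log_end: bool = True      # log at session end only (the common default)
    used: bool = False        # cleared by a reboot

@dataclass
class Session:
    rules_hit: list           # rules matched in order; more than one = app shift
    closed: bool              # False for a still-open, long-lived session

def simulate(rules, sessions):
    """Reboot, process the sessions, return {rule name: traffic log count}."""
    by_name = {r.name: r for r in rules}
    for r in rules:
        r.used = False                      # model the reboot
    logs = {r.name: 0 for r in rules}
    for s in sessions:
        for name in s.rules_hit:
            by_name[name].used = True       # flag set on any match, logging or not
        first, last = by_name[s.rules_hit[0]], by_name[s.rules_hit[-1]]
        if first.log_start:
            logs[first.name] += 1           # start log under the rule matched first (assumption)
        if s.closed and last.log_end:
            logs[last.name] += 1            # end log under the final rule, only once closed (assumption)
    return logs

def unused_rules(rules):
    """Names that the 'highlight unused rules' view would still show as unused."""
    return [r.name for r in rules if not r.used]

if __name__ == "__main__":
    rules = [Rule("allow-smtp"), Rule("allow-ssl"),
             Rule("allow-bittorrent"), Rule("cleanup", log_end=False)]
    sessions = [
        Session(["allow-smtp"], closed=False),                    # mail session still open
        Session(["allow-ssl", "allow-bittorrent"], closed=True),  # app shift after identification
    ]
    print(simulate(rules, sessions))   # allow-smtp and allow-ssl: used, but 0 log entries
    print(unused_rules(rules))         # ['cleanup']
```

The smtp and ssl rules end up flagged used with no log entry of their own, which is exactly the symptom in the original question; switching the smtp rule to log at session start makes its open session visible immediately.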
03-15-2017 06:38 AM
I don't really follow that explanation. All I know is that I have a rule that is set up to be used for smtp traffic, and even after I rebooted the firewall it is showing as used but not showing any traffic passing through it on the traffic monitor, even now.
04-03-2017 06:06 AM
Yes, it is set to log at session end and it also has a security profile attached to it. I have rebooted the firewall; it showed unused before the reboot and unused after the reboot. I tried changing the names a couple of times and I have scoured the logs for any evidence of use.
04-03-2017 06:10 AM
My rule is showing unused and has shown unused for several months, even after a reboot. I guess it is possible that it really is unused; I just want confirmation before disabling it.
04-03-2017 07:03 AM
Depending on how specific (or generic) your rule is, have you tried the test security-policy-match command to see which rule the traffic you expect to match this policy is actually hitting? It may be shadowed, though it should report that as a warning when committing.
04-03-2017 07:15 AM
So I would run this on the command line: test security-policy-match <name of policy>?
04-03-2017 07:47 AM
Well, it appears I looked at the rule when I was checking for log at session end, but I did find the rule that was showing used with nothing in the log to have that issue 😛 Thanks LOL