Unused rules showing used

I just upgraded and rebooted my firewall. When I choose to highlight unused rules, it shows rules as used that I cannot find any traffic for in the traffic monitor. I thought the reboot would reset everything, but I have no idea why a rule that appears to be unused is showing as used. Any ideas?

It isn't a rule required by a following rule, is it? For example, when traffic originally gets matched to an 'SSL' rule and only then switches over to, say, 'bittorrent' or something like that?

I am not sure what you mean by "required by a following rule"; I thought rules either passed the traffic or didn't.

Some applications do not get identified right away, or an admin has reasons to split the rule up into a few different pieces instead of enabling all the required applications in one rule. In this case you could have traffic that needs to hit something like your 'ssl' rule before the app is identified and it switches over to, say, your 'skype' or 'bittorrent' rule.

I don't really follow that explanation. All I know is that I have a rule that is set up to be used for SMTP traffic, and even after I rebooted the firewall it is showing as used but not showing any traffic passing through it on the traffic monitor, even now.

Can you confirm that the rule in question has the log action turned on in the action tab?

 

The unused rules function is a simple flag: as soon as the rule processes any match, the flag will turn off and the rule shows as having been used since the reboot.

 

Logging is a choice on a per-policy basis for session start, session end, or both.

If logging is at session end, and the application involved keeps the session open for hours or days, then there will be no log. But in your case this is not likely.

So when doing this type of testing we sometimes add log at session start to be sure to see the log as soon as possible in the logs.

 

So if your rule is showing used and your rule is configured to log and you see no logs, this would be a possible bug to take up with a support ticket.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
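The reply above describes two different signals that can disagree: the unused-rule flag, which flips on the first match, and the traffic log, which only shows an entry once the session is logged (at end by default, so a still-open session has no entry yet). As an added example that is not part of the thread and is not PAN-OS code, the script below reconciles a rulebase against an exported traffic log. The CSV column names, rule names and log rows are constructed for the demo and do not reproduce the real PAN-OS export layout, so map the columns to your own export's header before using it on real data.

```python
"""Reconcile "highlight unused rules" against an exported traffic log.

Added example (not from the thread). Assumes a CSV export with at least the
columns type, subtype, rule; everything below is constructed sample data.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (simplified column set, not the real PAN-OS layout).
# Allow-SMTP-Out has a session start but no end yet: the session is still open.
SAMPLE_TRAFFIC_LOG = """\
receive_time,type,subtype,src,dst,app,rule,action,session_end_reason
2024/01/10 08:00:01,TRAFFIC,start,10.1.1.5,203.0.113.25,smtp,Allow-SMTP-Out,allow,
2024/01/10 08:00:02,TRAFFIC,start,10.1.1.7,203.0.113.80,ssl,Allow-SSL,allow,
2024/01/10 08:30:40,TRAFFIC,end,10.1.1.7,203.0.113.80,ssl,Allow-SSL,allow,tcp-fin
2024/01/10 09:12:13,TRAFFIC,end,10.1.1.9,198.51.100.4,web-browsing,Allow-Web,allow,tcp-rst-from-client
2024/01/10 09:14:00,TRAFFIC,end,10.1.1.9,198.51.100.9,bittorrent,Block-P2P,deny,policy-deny
"""

# Constructed rulebase in evaluation order; Legacy-FTP is the suspected dead rule.
POLICY_RULES = ["Allow-SMTP-Out", "Allow-SSL", "Allow-Web", "Block-P2P", "Legacy-FTP"]


def rule_hits(csv_text):
    """Count TRAFFIC log rows per rule, split by subtype ('start' / 'end')."""
    hits = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] != "TRAFFIC":
            continue
        hits[row["rule"]][row["subtype"]] += 1
    return dict(hits)


def classify_rules(rules, hits):
    """Split the rulebase by what the log actually shows for each rule."""
    report = {"logged": [], "open_sessions": [], "no_logs": []}
    for rule in rules:
        counts = hits.get(rule)
        if not counts:
            report["no_logs"].append(rule)
            continue
        report["logged"].append(rule)
        # More starts than ends: at least one session is still open. A rule that
        # logs only at session end would show *nothing* for that session yet.
        if counts["start"] > counts["end"]:
            report["open_sessions"].append(rule)
    return report


def reconcile(rules, hits, flagged_used):
    """Compare log evidence with the firewall's unused-rule flag.

    flagged_used: set of rule names the GUI does NOT highlight as unused.
    Returns rules safe to review for disabling (no logs, flag also says unused)
    and rules to investigate (no logs, yet the flag says used: first confirm
    the rule actually has logging enabled, then consider a support ticket).
    """
    no_logs = classify_rules(rules, hits)["no_logs"]
    return {
        "disable_candidates": [r for r in no_logs if r not in flagged_used],
        "investigate": [r for r in no_logs if r in flagged_used],
    }


if __name__ == "__main__":
    hits = rule_hits(SAMPLE_TRAFFIC_LOG)
    print(classify_rules(POLICY_RULES, hits))
    # Constructed GUI state: every rule shown as used, including Legacy-FTP.
    print(reconcile(POLICY_RULES, hits, flagged_used=set(POLICY_RULES)))
```

On the sample data the open-session check flags Allow-SMTP-Out, which is exactly the case the reply describes: the rule has matched, so the flag says used, but an end-only logging setting would produce no traffic log entry until the SMTP session closes. Switching the rule to log at session start removes that gap for the test.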

Yes, it is set to log at session end and it also has a security profile attached to it. I have rebooted the firewall; it showed unused before the reboot and unused after the reboot. I tried changing the names a couple of times and I have scoured the logs for any evidence of use.

My rule is showing unused and has shown unused for several months, even after a reboot. I guess it is possible that it really is unused; I just want confirmation before disabling it.

Depending on how specific (or generic) your rule is, have you tried the test security-policy-match command to see which rule the traffic you expect to match this policy is actually hitting? It may be shadowed, though it should report that as a warning when committing.

--
CCNA Security, PCNSE7

So I would run this on the command line: test security-policy-match name of policy?

Well, it appears I looked at the rule when I was checking for log at session end, but I did find the rule that was showing used with nothing in the log to have that issue 😛 Thanks LOL
