04-12-2016 05:49 AM
Is it possible for a rule to show unused and be passing traffic? I disabled an unused rule and it seemed to affect traffic. I usually check it and it now shows in the traffic monitor and it is highlighted as unused. I also rebooted the firewall about a month ago.
04-12-2016 05:56 AM
No, unused rules are rules that have not matched since reboot of the firewall.
To be more specific, from reboot of the dataplane.
If something is blocked then you see in traffic log what rule it matched against to figure out what rule blocked traffic.
04-12-2016 07:48 AM
I don't see anything in the traffic monitor for the rule I disabled. I was wondering if there is anywhere else to double check.
04-12-2016 12:31 PM
How can a rule show used and not be in the traffic monitor?
04-12-2016 01:03 PM
Question:
You can have used rules that do not log, and will never show up in the Traffic Monitor logs. Please ensure that this is not the case first.
Next, you can use a filter like "( rule eq 'rulename' )" without the quotes to search for traffic just for that rule name. OR it can work in reverse if you want to show ALL but a certain rule name with "( rule neq 'rulename' )" where "neq" is NOT equal to.
You can also go into "Monitor > Manage Custom reports" and then create a new report, use the traffic summary, and then use the same filter as above in the Query Builder area.
I hope either of these help.
04-12-2016 01:08 PM
Good suggestions but I already checked to make sure it was set to log - specifically log at sessions end. I have used this filter rule eq rulename and neq filter and it found nothing.
04-12-2016 01:27 PM
I also tried the custom report and tried several different time frames and found nothing for the used rule that is shadowed by another. It looks like it is showing as used, but there is no evidence of it being used or having been used.
04-12-2016 08:44 PM
The CLI command below will show you what your current retention period for the traffic log is (how many days' worth of logs fit into the traffic log database):
show system logdb-quota
With "show system info" you can see uptime of your firewall.
If uptime is longer than the retention period, then some logs might be overwritten already, and that can be the reason why the rule is used but you don't see it in the log.
04-13-2016 05:48 AM
Thanks, I will take a look at that. So that would be why an unused rule would be showing as used but have no instances in the traffic monitor.