Viewing Unused Address Objects


L1 Bithead

Hello fellow engineers!

I'm in the process of a firewall audit in my environment and I've got a lot of address objects configured. I'd like to trim the list down and get rid of addresses that are no longer valid (as in haven't been used in over a year). Is something like this possible?

I saw this link about a Perl Script, but it doesn't seem promising.

Are there any other methods where I could get an accurate view of object usage?

If this has been addressed in a previous thread, please direct me there. I couldn't find anything in my initial search.

Thanks.

—E

L3 Networker

PanOS 7.0 Global Find helps a little: https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/management-features/global... I'm guessing you have too many to do that manually.

The Firewall Migration Tool has some clean-up functionality: https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool I haven't yet tried whether it can also detect junk in a PA policy.
Cyber Elite

You can always simply attempt to delete the objects in question. If they are in use, the PA will generate an alert about the object being utilized and tell you exactly where it is being used. When I do an object cleanup I usually just delete everything that isn't actively being used; it's way easier to create a few address objects when they are needed again than to spend the time verifying they won't be needed going forward.
L1 Bithead

The Migration Tool could be helpful. (I'm not sure if you've used it for migrations before, but it needs a bit of work to be useful.) I'll look into that as an option.

L1 Bithead

There are two types of objects that I want to clean up: objects that are not in a policy, and objects that are in a policy but are not being utilized over a certain amount of time.

It's tough to gather this data from the Palos because the address objects only exist as objects in the Objects tab. Once they're part of a session, the Palo can't record them as individual objects, only as part of a session.

I'm reaching total object limitations and looking to sift through the data to remove as much as possible that's no longer being used.

Thanks for all of the suggestions. I appreciate it.

—E
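The first category above (address objects referenced by no policy) can be found offline from an exported configuration instead of by trial deletion. The script below is an added example and not code from the thread or from Palo Alto Networks; it assumes the vsys1 layout of a PAN-OS XML configuration export (address, address-group and security rulebase under the vsys entry), embeds a constructed sample config, and checks only security rules and static address groups.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a PAN-OS configuration export
# (assumption: vsys1 layout with address, address-group and security rulebase).
SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
   <entry name="web-01"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
   <entry name="web-02"><ip-netmask>10.0.1.11/32</ip-netmask></entry>
   <entry name="old-dns"><ip-netmask>10.0.9.53/32</ip-netmask></entry>
   <entry name="legacy-app"><fqdn>legacy.example.internal</fqdn></entry>
  </address>
  <address-group>
   <entry name="web-servers"><static><member>web-01</member><member>web-02</member></static></entry>
   <entry name="orphan-group"><static><member>legacy-app</member></static></entry>
  </address-group>
  <rulebase><security><rules>
   <entry name="allow-web">
    <source><member>any</member></source>
    <destination><member>web-servers</member></destination>
   </entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>"""

def unused_address_objects(config_xml: str) -> list[str]:
    """Return address objects referenced by no security rule, directly or via a static group."""
    vsys = ET.fromstring(config_xml).find("devices/entry/vsys/entry")
    addresses = {e.get("name") for e in vsys.findall("address/entry")}
    groups = {g.get("name"): [m.text for m in g.findall("static/member")]
              for g in vsys.findall("address-group/entry")}
    # Names referenced directly by security rules (source and destination fields)
    referenced = set()
    for rule in vsys.findall("rulebase/security/rules/entry"):
        for field in ("source", "destination"):
            referenced.update(m.text for m in rule.findall(f"{field}/member"))
    # Expand referenced groups (including nested groups) so their members count as used
    stack = [n for n in referenced if n in groups]
    while stack:
        grp = stack.pop()
        for m in groups[grp]:
            if m not in referenced:
                referenced.add(m)
                if m in groups:
                    stack.append(m)
    return sorted(addresses - referenced)

if __name__ == "__main__":
    print(unused_address_objects(SAMPLE_CONFIG))  # ['legacy-app', 'old-dns']
```

A real export also references address objects from NAT, decryption and policy-based forwarding rules and from dynamic groups, so those rulebases would need to be added before acting on the result; an object listed here but still in use elsewhere would be caught by the commit-time reference check described above.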
