Viewing Unused Address Objects


L1 Bithead

Hello fellow engineers!

I'm in the process of a firewall audit in my environment and I've got a lot of address objects configured. I'd like to trim the list down and get rid of addresses that are no longer valid (as in haven't been used in over a year). Is something like this possible?

I saw this link about a Perl Script, but it doesn't seem promising.

Are there any other methods where I could get an accurate view of object usage?

If this has been addressed in a previous thread, please direct me there. I couldn't find anything in my initial search.

Thanks.

—E

5 REPLIES

L3 Networker
PanOS 7.0 Global Find helps a little: https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/management-features/global... I'm guessing you have too many to do that manually.

The Firewall Migration Tool has some clean-up functionality: https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool I haven't yet tried whether it can also detect junk in a PA policy.

Cyber Elite
You can always simply attempt to delete the objects in question. If they are in use the PA will generate an alert about it being utilized, and tell you where exactly the object is being used. When I do an object cleanup I usually just delete everything that isn't actively being used; it's way easier to have to create a few address objects when they are needed again than to spend the time verifying they won't be needed going forward.

The Migration Tool could be helpful. (I'm not sure if you've used it for migrations before, but it needs a bit of work to be useful.) I'll look into that as an option.

There are two types of objects that I want to clean up: objects that are not in a policy, and objects that are in a policy and are not being utilized over a certain amount of time.

It's tough to gather this data from the Palos because the address objects only exist as objects in the Objects tab. Once they're part of a session the Palo can't record them as individual objects, only as part of a session.

I'm reaching total object limitations and looking to sift through the data to remove as much as possible that's no longer being used.

Thanks for all of the suggestions. I appreciate it.

—E
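The first of the two categories above (objects not referenced by any policy) can be found offline from a config export instead of by trial deletion. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a small constructed XML snippet laid out like a PAN-OS running-config export (address, address-group and rulebase/security under a vsys) and reports address objects and groups that no rule source/destination reaches, either directly or through static group membership. The element paths and the sample object names are assumptions about the export format, not values from the thread.

```python
"""Report address objects that no security/NAT rule references, directly or via a group.

Added example (not from the thread or the vendor). The config below is a
constructed, cut-down imitation of a PAN-OS XML export; the element paths used
(address/entry, address-group/entry/static/member, rules/entry/source|destination/member)
are assumptions about that layout and should be checked against your own export.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: four address objects, two groups, two security rules.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-srv-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="db-srv-01"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
      <entry name="old-vpn-gw"><ip-netmask>203.0.113.5/32</ip-netmask></entry>
      <entry name="legacy-printer"><ip-netmask>10.1.9.9/32</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="db-tier"><static><member>db-srv-01</member></static></entry>
      <entry name="empty-group"><static/></entry>
    </address-group>
    <rulebase><security><rules>
      <entry name="allow-web">
        <source><member>any</member></source>
        <destination><member>web-srv-01</member></destination>
      </entry>
      <entry name="allow-db">
        <source><member>web-srv-01</member></source>
        <destination><member>db-tier</member></destination>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def _text(elem):
    """Member text with whitespace stripped; empty string if the element is bare."""
    return (elem.text or "").strip()


def defined_objects(root):
    """Map every defined object name to its kind ('address' or 'address-group').

    './/' also picks up objects under <shared>, which use the same child layout.
    """
    kinds = {}
    for kind in ("address", "address-group"):
        for obj in root.findall(f".//{kind}/entry"):
            kinds[obj.get("name")] = kind
    return kinds


def group_members(root):
    """Map each static address group to its listed member names."""
    return {
        grp.get("name"): [_text(m) for m in grp.findall("static/member")]
        for grp in root.findall(".//address-group/entry")
    }


def unreferenced_objects(config_xml):
    """Return the sorted names of objects no rule reaches, directly or through a group."""
    root = ET.fromstring(config_xml)
    kinds = defined_objects(root)
    members = group_members(root)

    # Names referenced directly from any rulebase entry (security and NAT rules
    # both use source/member and destination/member).
    live = set()
    for path in (".//rules/entry/source/member", ".//rules/entry/destination/member"):
        live.update(_text(m) for m in root.findall(path))

    # Transitive closure: every member of a referenced group is itself referenced,
    # so an object used only through a referenced group is not reported.
    queue = [name for name in live if name in members]
    while queue:
        for member in members[queue.pop()]:
            if member not in live:
                live.add(member)
                if member in members:
                    queue.append(member)

    return sorted(name for name in kinds if name not in live)


if __name__ == "__main__":
    for name in unreferenced_objects(SAMPLE_CONFIG):
        print(name)
```

The output is a candidate list only: the walk above covers rule source/destination and static group membership, not every place a name can appear (NAT translated addresses, dynamic group match criteria, and so on), so treat a hit as "review this", and let the firewall's own refusal to delete a referenced object, described in the reply above, be the final guard before anything is removed. Note that `db-srv-01` is not reported even though no rule names it directly, because it is reached through the referenced `db-tier` group, while `empty-group` is reported because nothing references the group itself.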

Did you find the solution?
