Why do unused rules show traffic hits?


I am doing cleanup of old unused firewall rules. Using the UNUSED policy optimizer I noticed that some rules are showing traffic usage but 0 hits? Can someone explain why this is? I am wary of trusting the hit count until I understand the correlation. Best guess is that it tracks what apps would have hit it?


L3 Networker

Hi


The firewall analyzes the traffic for each session. Let's say you browse to facebook-chat: your session starts with port 443 and the firewall finds a matching rule with application=any and service=tcp/443. When more session data flows, we see the application as facebook-base and search again for a rule, this time matching application=facebook-base. This is called application shifting.


My guess is the firewall sees some traffic on your rules but the final rule allowing or denying the application gets the 'hit' count increase.


Hope this helps,

Shai
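To make the application-shift explanation above concrete, here is a small simulation written for this thread (my own illustrative code, not PAN-OS internals or Palo Alto's code). The rule names, the two sessions, the App-ID labels ("undecided", "ssl", "facebook-base", "facebook-chat") and the counter accounting are all constructed assumptions: bytes are charged to whichever rule is the current match while App-ID is still refining the application, and only the rule that gives the session's final verdict gets a hit. How the real firewall attributes its "Traffic" column is not documented on this page, so treat the numbers as a model of Shai's description, not as a measurement.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    apps: frozenset          # frozenset({"any"}) matches every application
    services: frozenset      # frozenset({"any"}) or e.g. frozenset({"tcp/443"})
    action: str              # "allow" or "deny"
    hits: int = 0            # sessions for which this rule gave the final verdict
    traffic_bytes: int = 0   # bytes seen while this rule was the current match


def matches(rule, app, service):
    app_ok = "any" in rule.apps or app in rule.apps
    svc_ok = "any" in rule.services or service in rule.services
    return app_ok and svc_ok


def lookup(policy, app, service):
    """Top-down, first-match policy lookup; None means the implicit deny."""
    for rule in policy:
        if matches(rule, app, service):
            return rule
    return None


def process_session(policy, service, packets):
    """packets: (app_identified_so_far, nbytes) in arrival order.

    Every time the identified application changes, the rule lookup is
    repeated (application shift).  Bytes are attributed to the rule that is
    the current match; only the rule that gives the final verdict for the
    session gets a hit.  Returns the name of that rule.
    """
    last_app = None
    current = None
    for app, nbytes in packets:
        if app != last_app:                  # application shifted: look up again
            current = lookup(policy, app, service)
            last_app = app
            if current is None:
                return "implicit-deny"
        current.traffic_bytes += nbytes
        if current.action == "deny":
            break                             # session ends here
    if current is None:
        return "implicit-deny"
    current.hits += 1
    return current.name


def build_policy():
    # Constructed policy (assumed names): a specific deny above a specific
    # allow, with a generic port-based allow at the bottom.
    return [
        Rule("block-facebook-chat", frozenset({"facebook-chat"}), frozenset({"any"}), "deny"),
        Rule("allow-facebook", frozenset({"facebook-base"}), frozenset({"any"}), "allow"),
        Rule("allow-https-out", frozenset({"any"}), frozenset({"tcp/443"}), "allow"),
    ]


# Constructed sessions: the app label is what App-ID has decided so far.
SESSIONS = [
    ("tcp/443", [("undecided", 180), ("ssl", 1400), ("facebook-base", 3200)]),
    ("tcp/443", [("undecided", 180), ("ssl", 1400), ("facebook-base", 900),
                 ("facebook-chat", 400)]),
]


def run_demo():
    policy = build_policy()
    verdicts = [process_session(policy, svc, pkts) for svc, pkts in SESSIONS]
    counters = {r.name: (r.hits, r.traffic_bytes) for r in policy}
    return verdicts, counters


if __name__ == "__main__":
    verdicts, counters = run_demo()
    for name, (hits, nbytes) in counters.items():
        print(f"{name:22s} hits={hits}  traffic={nbytes} bytes")
```

Running it, allow-https-out ends with traffic (the early port-443 bytes of both sessions) but 0 hits, because the final verdict of each session came from allow-facebook or block-facebook-chat after the shift. That is the pattern in the screenshot, so before deleting a rule that shows traffic but no hits it is worth checking the traffic log for which rule the shifted sessions ultimately matched: removing the generic rule would also remove the initial match that lets those sessions get far enough for App-ID to identify them.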
