How to Identify Unused Policies on a Palo Alto Networks Device

Overview

This document describes how to identify the unused security policies on a Palo Alto Networks device.

Details

On the Web UI

To view unused rules:

1. Navigate to Policies > Security
2. Check Highlight Unused Rules at the bottom of the page
   

• Any rules not used since the dataplane started up will be highlighted.
• The counters for unused rules are initialized when the dataplane boots, and they are cleared anytime the dataplane restarts.

To verify if these rules have been used, look at a pre-defined report called Security Policies. This report will show the rule, bytes and the amount of sessions.

1. Go to Monitor > Reports.
2. On the right side of the display, select Traffic Reports > Security Rules.
3. Select the day for which to run the report for.
   

On the CLI

Run the following command to show the unused security rules on vsys1:

> show running rule-use rule-base security type unused vsys vsys1

Other types of unused policies (such as NAT, decryption, app-override, PBF, QOS, and Captive Portal) can also be checked by specifying the appropriate option:

> show running rule-use rule-base <option> type unused vsys vsys1

where <option> is one of the following:

  app-override   application override policy

  cp             captive portal policy

  decryption     ssl decryption policy

  dos            dos protection policy

  nat            nat policy

  pbf            policy based forwarding policy

  qos            qos policy

  security       security policy

As with the the unused rules displayed on the web UI, the output on the CLI is dependent on:

• Dataplane restart - The rules not used since the dataplane started up will be displayed.

owner: nayubi