How to Identify Unused Policies on a Palo Alto Networks Device
97108
Created On 09/25/18 19:21 PM - Last Modified 03/31/20 02:37 AM
Symptom
This document describes how to identify the unused security policies on a Palo Alto Networks device.
Environment
- PAN-OS 7.1 and above.
- Palo Alto Firewall.
Resolution
To view the unused rules on the Web UI:
- Navigate to Policies > Security
- Check Highlight Unused Rules at the bottom of the page
- Any rules not used since the dataplane started up will be highlighted.
- The counters for unused rules are initialized when the dataplane boots, and they are cleared anytime the dataplane restarts.
Because the highlight only reflects traffic since the last dataplane start, confirm whether a highlighted rule has really gone unused by checking the pre-defined report called Security Rules. This report lists each rule with its byte count and number of sessions for the selected day.
- Go to Monitor > Reports.
- On the right side of the display, select Traffic Reports > Security Rules.
- Select the day for which to run the report.
- Click Export to PDF (or CSV / XML).
The CLI commands for the different PAN-OS versions are listed below:
PAN-OS 7.1:
show running rule-use vsys <value> rule-base <security|nat|qos|pbf|decryption|app-override|cp|dos> type <used|unused>
Example:
admin@PA-5050> show running rule-use vsys vsys1 rule-base security type unused
rule1
intrazone-default
PAN-OS 8.1, 9.0 and 9.1:
show running rule-use highlight vsys <value> rule-base <security|nat|qos|pbf|decryption|app-override|authentication|dos|tunnel-inspect> type <used|unused>
Example:
admin@Lab-2(active)> show running rule-use highlight vsys vsys1 rule-base security type unused
EWP-NETP0006530-5
intrazone-default
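The article's two data sources (the "unused" list from the CLI, which only covers the time since the dataplane last started, and the daily Security Rules report) are meant to be read together before a rule is disabled or deleted. The following Python script, added here as an illustration and not part of the original article or of any Palo Alto Networks tooling, cross-checks them offline: it parses the one-rule-per-line output of `show running rule-use ... type unused`, sums session counts per rule across several exported Security Rules reports, sets aside the pre-defined `intrazone-default` / `interzone-default` rules (which cannot be deleted), and reports which rules are genuine clean-up candidates versus rules that are only "unused" because the dataplane restarted recently. All input data is constructed inline, and the CSV column names `Rule,Bytes,Sessions` are an assumption about the report export, as is the XML form of the op command built by `rule_use_op_cmd` for the PAN-OS XML API.

```python
"""Cross-check 'unused' rule-use output against Security Rules report exports.

Added example, not from the original article or Palo Alto Networks. All inputs
below are constructed; the report CSV column names and the XML op-command
layout are assumptions.
"""
import csv
import io

# Pre-defined rules that PAN-OS does not allow you to delete.
PREDEFINED_RULES = {"intrazone-default", "interzone-default"}

# Constructed CLI output, one rule name per line as shown in the article.
CLI_UNUSED_OUTPUT = """\
EWP-NETP0006530-5
intrazone-default
allow-dns-out
"""

# Constructed CSV exports of Monitor > Reports > Traffic Reports > Security Rules,
# one per day. Column names (Rule, Bytes, Sessions) are an assumption.
REPORT_CSVS = {
    "2020-03-28": "Rule,Bytes,Sessions\n"
                  "allow-web,120000,340\n"
                  "allow-dns-out,5400,120\n"
                  "intrazone-default,0,0\n",
    "2020-03-29": "Rule,Bytes,Sessions\n"
                  "allow-web,98000,300\n"
                  "EWP-NETP0006530-5,0,0\n",
    "2020-03-30": "Rule,Bytes,Sessions\n"
                  "allow-web,101000,310\n",
}


def rule_use_op_cmd(vsys="vsys1", rule_base="security", rule_type="unused"):
    """Build the XML op command for the PAN-OS XML API (type=op&cmd=...).

    ASSUMPTION: the element nesting mirrors the PAN-OS 8.1+ CLI keywords; verify
    it on your own device with `debug cli on` before relying on it.
    """
    return (
        "<show><running><rule-use><highlight>"
        f"<vsys>{vsys}</vsys><rule-base>{rule_base}</rule-base>"
        f"<type>{rule_type}</type>"
        "</highlight></rule-use></running></show>"
    )


def parse_unused_rules(cli_text):
    """Return the set of rule names from `show running rule-use ... type unused`."""
    return {line.strip() for line in cli_text.splitlines() if line.strip()}


def parse_report(csv_text):
    """Return {rule: sessions} from one day's Security Rules report export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Rule"]: int(row["Sessions"]) for row in reader}


def classify_unused_rules(cli_text, report_csvs):
    """Split the CLI 'unused' list into clean-up candidates, rules the reports
    show were hit (so only 'unused' since the last dataplane restart), and
    pre-defined rules that cannot be removed anyway."""
    unused = parse_unused_rules(cli_text)

    # Total sessions per rule over every exported day.
    sessions_by_rule = {}
    for csv_text in report_csvs.values():
        for rule, sessions in parse_report(csv_text).items():
            sessions_by_rule[rule] = sessions_by_rule.get(rule, 0) + sessions

    result = {"candidates": [], "recently_used": [], "predefined": []}
    for rule in sorted(unused):
        if rule in PREDEFINED_RULES:
            result["predefined"].append(rule)
        elif sessions_by_rule.get(rule, 0) > 0:
            result["recently_used"].append((rule, sessions_by_rule[rule]))
        else:
            result["candidates"].append(rule)
    return result


if __name__ == "__main__":
    print("API op command:", rule_use_op_cmd())
    summary = classify_unused_rules(CLI_UNUSED_OUTPUT, REPORT_CSVS)
    for rule in summary["candidates"]:
        print(f"candidate for removal: {rule} (no sessions in any report)")
    for rule, sessions in summary["recently_used"]:
        print(f"keep: {rule} had {sessions} sessions in the reports; "
              "the CLI counter was reset by a dataplane restart")
    for rule in summary["predefined"]:
        print(f"skip: {rule} is a pre-defined rule and cannot be deleted")
```

Run the reports over a window that reaches back further than the last dataplane restart (the `show system info` uptime is a useful reference); a rule that the reports show as hit during that window is not a removal candidate no matter what the highlight says. Conversely, a rule absent from every report is still only "unused for the sampled days", so the usual change-control step of disabling before deleting still applies.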