How to Identify Unused Policies on a Palo Alto Networks Device

48015
Created On 09/25/18 19:21 PM - Last Updated 03/31/20 02:37 AM


Symptom

This document describes how to identify the unused security policies on a Palo Alto Networks device.



Environment
  • PAN-OS 7.1 and above.
  • Palo Alto Firewall.


Resolution

To view the unused rules on the Web UI:

  1. Navigate to Policies > Security
  2. Check Highlight Unused Rules at the bottom of the page
 
  • Any rule that has not matched traffic since the dataplane last started up is highlighted.
  • The rule-use counters are initialized when the dataplane boots and are cleared whenever the dataplane restarts, so on a recently restarted firewall the highlighting alone does not prove that a rule is idle.

 

To verify whether the highlighted rules have really been idle over a longer period, use the predefined report called Security Rules. This report lists each rule together with the number of bytes and the number of sessions it matched.

  1. Go to Monitor > Reports.
  2. On the right side of the display, select Traffic Reports > Security Rules.
  3. Select the day for which to run the report.
  4. Click Export to PDF (or CSV / XML).

The CLI commands for the different PAN-OS versions are listed below:

PAN-OS 7.1:
show running rule-use vsys <value> rule-base <security|nat|qos|pbf|decryption|app-override|cp|dos> type <used|unused>
Example:

admin@PA-5050> show running rule-use vsys vsys1 rule-base security type unused

rule1
intrazone-default
 

PAN-OS 8.1, 9.0 and 9.1:
show running rule-use highlight vsys <value> rule-base <security|nat|qos|pbf|decryption|app-override|authentication|dos|tunnel-inspect> type <used|unused>

Example:

admin@Lab-2(active)> show running rule-use highlight vsys vsys1 rule-base security type unused

EWP-NETP0006530-5
intrazone-default
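
Because the rule-use counters reset on every dataplane restart and the CLI output is only a list of names, a cleanup decision needs the report as a second source. The following Python script is added here as an example; it is not part of the original article and not PAN-OS code. It parses the output of `show running rule-use ... type unused` in the format shown above together with a CSV export of the Security Rules report, and sorts the unused-since-boot rules into cleanup candidates, rules the report still shows traffic for, rules absent from the report, and the predefined default rules. The CLI output and CSV contents are constructed samples, and the CSV column names (`Rule`, `Bytes`, `Sessions`) are an assumption: check the header of your own export and adjust the column arguments if they differ.

```python
"""Cross-check PAN-OS 'show running rule-use ... type unused' output against a
Security Rules report export to decide which rules are safe to clean up."""
import csv
import io
import re

# Constructed sample of the CLI output shown above (PAN-OS 8.1+ syntax). In a real
# run, paste the output of the command into this string or read it from a file.
UNUSED_CLI_OUTPUT = """\
admin@Lab-2(active)> show running rule-use highlight vsys vsys1 rule-base security type unused

EWP-NETP0006530-5
intrazone-default
old-vpn-access
"""

# Constructed sample CSV export of the Security Rules report covering several days
# (one row per rule and day). The column names are an assumption for this example.
REPORT_CSV = """\
Rule,Bytes,Sessions
allow-web,1234567,980
EWP-NETP0006530-5,0,0
intrazone-default,0,0
old-vpn-access,0,0
old-vpn-access,4096,3
"""

# Rules PAN-OS creates itself; they cannot be deleted, only overridden, so they are
# never cleanup candidates even though the CLI lists them as unused.
PREDEFINED_RULES = {"intrazone-default", "interzone-default"}

# Matches the "user@hostname> " prompt in front of the echoed command line.
PROMPT_RE = re.compile(r"^\S+@\S*>\s")


def parse_unused_rules(cli_output):
    """Return the set of rule names printed by 'show running rule-use ... type unused'.

    The echoed command line and blank lines are skipped; every other line is one rule name.
    """
    names = set()
    for line in cli_output.splitlines():
        line = line.strip()
        if not line or PROMPT_RE.match(line):
            continue
        names.add(line)
    return names


def parse_report_sessions(csv_text, rule_col="Rule", sessions_col="Sessions"):
    """Map rule name -> total sessions, summing rows when a rule appears on several days."""
    totals = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row[rule_col].strip()
        totals[name] = totals.get(name, 0) + int(row[sessions_col])
    return totals


def classify_unused(unused, report_sessions):
    """Split rules the CLI reports as unused into buckets based on the report.

    candidates      - unused since boot and zero sessions in the report period
    used_in_report  - unused since boot but the report shows sessions (counters reset recently)
    not_in_report   - no row in the report at all (idle in that period, or newer than it)
    predefined      - default rules that must not be deleted
    """
    result = {"candidates": [], "used_in_report": [], "not_in_report": [], "predefined": []}
    for name in sorted(unused):
        if name in PREDEFINED_RULES:
            result["predefined"].append(name)
        elif name not in report_sessions:
            result["not_in_report"].append(name)
        elif report_sessions[name] == 0:
            result["candidates"].append(name)
        else:
            result["used_in_report"].append(name)
    return result


def main():
    unused = parse_unused_rules(UNUSED_CLI_OUTPUT)
    sessions = parse_report_sessions(REPORT_CSV)
    for bucket, rules in classify_unused(unused, sessions).items():
        print(f"{bucket}: {', '.join(rules) or '-'}")


if __name__ == "__main__":
    main()
```

The Security Rules report is built from traffic logs, so a rule whose logging is disabled never appears in it even when it matches traffic, while the rule-use counters do not depend on logging; treat a rule in the not_in_report bucket accordingly. A sensible workflow is to disable the candidates first, leave them disabled through a full business cycle, and delete only the ones nobody missed.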
 

 



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWRCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail