How to Identify Unused Policies on a Palo Alto Networks Device
This document describes how to identify the unused security policies on a Palo Alto Networks device.
- PAN-OS 7.1 and above.
- Palo Alto Firewall.
To view the unused rules on the Web UI:
- Navigate to Policies > Security
- Check Highlight Unused Rules at the bottom of the page
- Any rules not used since the dataplane started up will be highlighted.
- The counters for unused rules are initialized when the dataplane boots and are cleared any time the dataplane restarts, so a rule highlighted as unused may simply not have matched traffic since the last restart.
To verify whether these rules have been used over a longer period, look at a pre-defined report called Security Policies. This report shows the rule, the bytes, and the number of sessions that matched it.
- Go to Monitor > Reports.
- On the right side of the display, select Traffic Reports > Security Rules.
- Select the day for which to run the report.
- Click Export to PDF (or CSV / XML).
The CLI commands for the different PAN-OS versions are listed below:
PAN-OS 7.1:
show running rule-use vsys <value> rule-base <security|nat|qos|pbf|decryption|app-override|cp|dos> type <used|unused>
admin@PA-5050> show running rule-use vsys vsys1 rule-base security type unused
rule1
intrazone-default
PAN-OS 8.1, 9.0 and 9.1:
show running rule-use highlight vsys <value> rule-base <security|nat|qos|pbf|decryption|app-override|authentication|dos|tunnel-inspect> type <used|unused>
admin@Lab-2(active)> show running rule-use highlight vsys vsys1 rule-base security type unused
EWP-NETP0006530-5
intrazone-default
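Because the unused-rule counters reset on every dataplane restart, the CLI or Web UI highlight alone does not prove a rule is dead; the Security Rules report supplies the longer history. The following script is an added example (it is not part of this article and not a Palo Alto Networks tool) that cross-checks the two sources offline: it takes the rule names printed by `show running rule-use ... type unused` and one or more daily CSV exports of the report, then separates rules that have no recorded sessions from rules that only look unused because of a restart. The CSV column names `Rule`, `Bytes` and `Sessions`, and the sample data, are assumptions constructed for the example.

```python
"""Cross-check PAN-OS unused-rule output against Security Rules report exports.

Added example, not from the Palo Alto Networks article and not a PAN-OS tool.
Assumptions: the CLI prints one rule name per line, and the report CSV export
has columns named "Rule", "Bytes" and "Sessions".
"""
import csv
import io

# Constructed sample of the CLI session: the echoed command plus one rule name per line.
CLI_OUTPUT = """\
admin@PA-5050> show running rule-use vsys vsys1 rule-base security type unused
rule1
intrazone-default
old-vpn-rule
"""

# Constructed samples of two daily Security Rules report exports (column names assumed).
REPORT_DAY1 = """\
Rule,Bytes,Sessions
rule1,0,0
allow-web,123456,42
intrazone-default,0,0
"""

REPORT_DAY2 = """\
Rule,Bytes,Sessions
rule1,0,0
allow-web,200000,51
intrazone-default,9876,7
"""


def parse_unused_rules(text):
    """Return the rule names from the CLI output, skipping blank lines and the echoed command."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "rule-use" in line:
            continue
        names.append(line)
    return names


def parse_reports(*csv_texts):
    """Merge one or more daily report exports into rule -> [bytes, sessions] totals."""
    totals = {}
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            current = totals.setdefault(row["Rule"], [0, 0])
            current[0] += int(row["Bytes"])
            current[1] += int(row["Sessions"])
    return totals


def classify(unused_rules, totals):
    """Sort unused-since-boot rules by what the report history says about them.

    candidates    : unused now and zero sessions in every report day -> review for removal
    recently_used : unused since the last dataplane restart, but the report shows sessions
    not_in_report : no report row at all (for example, the rule is newer than the report days)
    """
    result = {"candidates": [], "recently_used": [], "not_in_report": []}
    for name in unused_rules:
        if name not in totals:
            result["not_in_report"].append(name)
        elif totals[name][1] == 0:
            result["candidates"].append(name)
        else:
            result["recently_used"].append(name)
    return result


if __name__ == "__main__":
    buckets = classify(parse_unused_rules(CLI_OUTPUT), parse_reports(REPORT_DAY1, REPORT_DAY2))
    for bucket, names in buckets.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Feed the script as many daily exports as your retention allows; a rule that is "unused" on the highlight but shows sessions in any report day was hit before the last restart and should not be treated as a removal candidate.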