How to Identify Unused Policies on a Palo Alto Networks Device
This document describes how to identify the unused security policies on a Palo Alto Networks device.
On the Web UI
To view unused rules:
- Navigate to Policies > Security
- Check Highlight Unused Rules at the bottom of the page
- Any rules not used since the dataplane started up will be highlighted.
- The counters for unused rules are initialized when the dataplane boots, and they are cleared anytime the dataplane restarts.
To confirm whether a highlighted rule has really gone unused, compare it against the pre-defined Security Rules report, which lists each rule with its byte count and number of sessions for the selected day:
- Go to Monitor > Reports.
- On the right side of the display, select Traffic Reports > Security Rules.
- Select the day for which to run the report.
On the CLI
Run the following command to show the unused security rules on vsys1:
> show running rule-use rule-base security type unused vsys vsys1
Unused rules in the other rule bases (application override, Captive Portal, decryption, DoS protection, NAT, PBF, and QoS) can be listed in the same way by specifying the appropriate option:
> show running rule-use rule-base <option> type unused vsys vsys1
where <option> is one of the following:
  app-override   application override policy
  cp             captive portal policy
  decryption     ssl decryption policy
  dos            dos protection policy
  nat            nat policy
  pbf            policy based forwarding policy
  qos            qos policy
  security       security policy
As with the unused rules highlighted on the web UI, the CLI output depends on:
- Dataplane restart - Only the rules not used since the dataplane last started up are displayed. The usage counters are cleared by every dataplane restart, so shortly after a restart a rule can appear unused simply because it has not been hit yet; collect the output over a longer period before treating a rule as safe to remove.
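The CLI procedure above, automated through the PAN-OS XML API, as an added example that is not part of the original article. It assumes that the API's op command is the XML form of the CLI command shown above (<show><running><rule-use><rule-base>...</rule-base><type>unused</type><vsys>...</vsys></rule-use></running></show>) and that the reply lists unused rules as <entry name="..."> elements under <result>; the sample reply in the block is constructed, not captured from a device. Because the counters reset on a dataplane restart, the script also intersects several snapshots taken over time and reports only the rules that were unused in every one of them.

```python
"""
Added example (not from the original article): list unused rules in every
rule base of a Palo Alto Networks firewall through the PAN-OS XML API, and
keep only the rules that were unused in every snapshot collected over time.

Assumptions (not stated by the article):
  * the XML API op command is the XML form of the CLI command, e.g.
    <show><running><rule-use><rule-base>security</rule-base>
      <type>unused</type><vsys>vsys1</vsys></rule-use></running></show>
  * the reply lists unused rules as <entry name="..."> elements somewhere
    under <result>; SAMPLE_REPLY below is constructed, not a real capture.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Rule-base options accepted by "show running rule-use rule-base <option>"
RULE_BASES = ("app-override", "cp", "decryption", "dos", "nat", "pbf", "qos", "security")


def build_op_cmd(rule_base: str, vsys: str = "vsys1") -> str:
    """XML form of '> show running rule-use rule-base <rule_base> type unused vsys <vsys>'."""
    if rule_base not in RULE_BASES:
        raise ValueError(f"unknown rule base {rule_base!r}; expected one of {RULE_BASES}")
    return (
        "<show><running><rule-use>"
        f"<rule-base>{rule_base}</rule-base><type>unused</type><vsys>{vsys}</vsys>"
        "</rule-use></running></show>"
    )


def build_op_url(host: str, api_key: str, rule_base: str, vsys: str = "vsys1") -> str:
    """GET URL for the XML API (type=op). The API key travels in the query
    string, so only use this over HTTPS against a certificate you trust."""
    query = urllib.parse.urlencode(
        {"type": "op", "cmd": build_op_cmd(rule_base, vsys), "key": api_key}
    )
    return f"https://{host}/api/?{query}"


def parse_unused_rules(xml_text: str) -> set[str]:
    """Rule names from an XML API reply. Raises on an API error so that a
    failed query is never mistaken for 'no unused rules'."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//line") or root.findtext(".//msg") or "unknown error"
        raise RuntimeError(f"XML API error: {msg}")
    return {e.get("name") for e in root.iter("entry") if e.get("name")}


def fetch_unused_rules(host, api_key, rule_base, vsys="vsys1", timeout=30):
    """Live query (needs network access to the firewall; not run offline)."""
    url = build_op_url(host, api_key, rule_base, vsys)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_unused_rules(resp.read().decode())


def stable_unused(snapshots: list[dict[str, set[str]]]) -> dict[str, set[str]]:
    """Given snapshots of the form {rule_base: set_of_unused_rule_names},
    keep only the rules unused in *every* snapshot. A single snapshot only
    says 'not hit since the last dataplane restart'; intersecting snapshots
    taken over a longer window (ideally across restarts) drops rules that
    were merely not hit yet. A rule base missing from any snapshot yields an
    empty set, i.e. 'cannot confirm' rather than 'unused'."""
    if not snapshots:
        return {}
    return {
        rb: set.intersection(*[snap.get(rb, set()) for snap in snapshots])
        for rb in RULE_BASES
    }


# Constructed sample reply (shape is an assumption, see the module docstring).
SAMPLE_REPLY = """<response status="success"><result>
  <rules>
    <entry name="legacy-ftp-allow"/>
    <entry name="temp-vendor-access"/>
  </rules>
</result></response>"""

SAMPLE_ERROR = '<response status="error"><msg><line>Invalid vsys</line></msg></response>'


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; for a live device use
    # fetch_unused_rules(host, api_key, rb) once per rule base per snapshot.
    day1 = {"security": parse_unused_rules(SAMPLE_REPLY) | {"dns-out"}, "nat": {"old-snat"}}
    day2 = {"security": parse_unused_rules(SAMPLE_REPLY), "nat": {"old-snat"}}
    for rb, rules in stable_unused([day1, day2]).items():
        if rules:
            print(f"{rb}: {', '.join(sorted(rules))}")
```

Run it once per rule base each time you take a snapshot, store the result, and feed the whole series to stable_unused before deciding which rules to disable; a rule that drops out of the intersection after a later snapshot was simply not hit before the counters were last cleared.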