Best Practices for Migrating to Application-Based Policy
    : Remove Unused Rules
    Focus
    Download PDF
    Focus
    1. Home
    2. Best Practices
    3. Best Practices for Migrating to Application-Based Policy
    4. Best Practices for Migrating to Application-Based Policy
    5. Migrate to Application-Based Policy Using Policy Optimizer
    6. Rules to Begin Converting After 30 Days
    7. Remove Unused Rules
    Download PDF

    Best Practices for Migrating to Application-Based Policy

    Remove Unused Rules

    Table of Contents
    End-of-Life (EoL)

    Remove Unused Rules

    To reduce the attack surface, get rid of rules you don’t use.
    The migrated rulebase often contains rules that aren’t in use because no application traffic matches those rules. Unused rules clutter the rulebase and offer avenues of attack to adversaries. Remove these rules to clean up the rulebase and reduce the attack surface, or modify them so they apply to application traffic and serve a legitimate purpose in the rulebase.
    Unused rules may exist for a number of reasons. Rules governing services and applications that the business once used but replaced with other applications may be in the rulebase. A rule that precedes an unused rule may control the applications that would otherwise match the unused rule. In some cases, unused rules are old rules created by administrators who are no longer with the company and no current administrators know the rule’s intent.
    View rules over any Timeframe you choose (PoliciesSecurityPolicy OptimizerRule Usage). Set the Usage to Unused to filter out rules that have seen application traffic.
    1. Identify unused rules.
      In PoliciesSecurityPolicy OptimizerRule Usage, set the Timeframe to All time, set the Usage to Unused (to display only rules with a Hit Count of zero), and Exclude rules reset during the last 30 days (to prevent displaying recently reset rules that may not have seen traffic over the last few days but that may see traffic over a longer time period). The result is a list of rules that have not seen application traffic over the selected Timeframe.
    2. Evaluate rules that have seen no traffic and determine if they are needed or if you can disable them.
      In this example, the business used Tsunami file transfer in the past, but investigation shows the business no longer uses Tsunami and replaced it with other file transfer applications, so there is no reason to allow Tsunami application traffic on the network.
    3. Disable (or Delete) the rule.
      In PoliciesSecurity, select the Tsunami file transfer rule. Either Disable or Delete the rule.
      Disabling the rule is safer in case it turns out that your business needs the application, even though it hasn’t seen any traffic. (This may happen if you don’t take quarterly and annual events into account when investigating whether the business uses an application or if the application is required for a contractor or partner whose traffic only accesses the network periodically.) After a reasonable period of time, you can delete unused rules that you disabled earlier.

    © 2025 Palo Alto Networks, Inc. All rights reserved.