Strata Cloud Manager

Configuration: Config Cleanup

Identify and remove unused configuration objects and policy rules.
Where Can I Use This?
  • NGFW, including those funded by Software NGFW Credits (Managed by Strata Cloud Manager and Panorama)
  • Prisma Access (Managed by Strata Cloud Manager and Panorama)
What Do I Need?
  → The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
To streamline your configuration, use the Config Cleanup feature, which helps you to identify and remove unused configuration objects and policy rules. It also detects objects within security policy rules that have not matched any traffic.
By reducing configuration clutter, Config Cleanup ensures that only essential configuration objects are retained, improving the overall efficiency and maintainability of your security policies.
Role-based access control (RBAC) governs access to Config Cleanup operations. Your assigned role determines the actions you can perform:
  • Administrators can delete unused objects, disable or delete policy rules that have not matched any traffic, and delete objects within rules that have not seen traffic matches.
  • Users may see a limited view and can perform only the actions allowed by their RBAC permissions.
Config Cleanup supports deployments managed by Strata Cloud Manager and Panorama, including NGFW and Prisma Access configurations. At the top of the Config Cleanup page, select Cloud Manager for Strata Cloud Manager managed deployments or select a Panorama instance for Panorama managed deployments. When you select a Panorama instance from the dropdown, the analysis runs. After the analysis is complete, you can view the unused objects, zero hit objects, and zero hit policy rules. If the analysis fails, you can create a support case to resolve the issue or view data from the last successful analysis. An error banner remains visible until the issue is resolved. The timestamp of the last successful analysis is also displayed.
To use Config Cleanup for Panorama-managed configurations, the following prerequisites must be met:
  • Onboard your Panorama device to Strata Cloud Manager and associate it with a Tenant Service Group (TSG).
  • Enable Strata Logging Service on your hardware and software firewalls. Strata Logging Service is required for all Prisma SASE deployments as well. Ensure the correct region and product usage configuration is set to provide the necessary traffic data for optimization recommendations.
  • Sync the configurations with Strata Cloud Manager for the CloudConnector plugin to detect and process the updated configuration.
    > request plugins cloudconnector sync enable
  • To initiate analysis by config cleanup, commit your configuration changes in Panorama.

Unused Objects

Unused Objects exist in the configuration but are not referenced by any active configurations, such as policy rules or group objects. These objects may become orphaned when their parent objects are deleted or may have been created without ever being used. Regardless of how they were introduced, unused objects increase configuration size and can lead to longer commit times. Regularly review and delete these objects to maintain a clean and efficient configuration.
Select an object or multiple objects and click Delete. Confirm that you want to proceed to delete the objects. For Panorama managed deployments, you will need to commit your changes in Panorama to delete the objects. See Preview, Validate, or Commit Configuration Changes for more information.
Config Cleanup includes the Status column for Panorama managed deployments. Here are the statuses:
  • Pending Review
  • Delete Requested
  • Updated to Candidate Config
  • Error
The Error status includes a tooltip showing an error message on what failed. For example, Failed to update Panorama config.
You can filter unused objects by:
  • Name – Search for and select a specific configuration object by name.
  • Object Type – Select the type of configuration object.
  • Days Unused – Choose from predefined time ranges (30+ days, 60+ days, 90+ days) or use the customizable More than option for more granular filtering.
You can group objects by Location, which indicates the corresponding device group, or view them as a single, flat list.

Zero Hit Objects

Zero Hit Objects are objects within security policy rules that have not matched any traffic. Their presence can make rules overly permissive and increase the attack surface, even if the same objects are used in other policies. Removing zero-hit objects from specific rules helps harden the policy rule and improve overall security posture. You can view a list of all rules containing zero-hit objects under Zero Hit Objects.
Config Cleanup calculates zero-hit objects based on traffic logs sent to Strata Logging Service. If the firewall does not send logs to Strata Logging Service, or if logging is disabled for a rule, the computation may be incomplete or inaccurate.
To see all objects with zero hits in a specific rule, select the rule to open its side panel. Within the side panel, you can select and delete any objects that have zero hits.
For Panorama managed deployments, you need to confirm that you want to proceed with deleting the zero hit objects. After you confirm, the config changes are sent to update the candidate config on Panorama; you then need to commit your changes in Panorama to delete the objects. See Preview, Validate, or Commit Configuration Changes for more information.
Config Cleanup includes the Status column for Panorama managed deployments. Here are the statuses:
  • Pending Review
  • Delete Requested
  • Updated to Candidate Config
  • Error
The Error status includes a tooltip showing an error message on what failed. For example, Failed to update Panorama config.
You can filter policy rules by:
  • Days with Zero Hits – Select from predefined ranges (30+ days, 60+ days, 90+ days) or use the More than option to identify objects within rules that haven't matched traffic within the specified timeframe. Use this filter to locate and remove objects that no longer meet traffic thresholds.
You can also apply filters to additional columns, such as source zone, destination zone/address, source user, or URL category, to further refine your search for rules.

Zero Hit Policy Rules

Zero Hit Policy Rules are security policy rules that have not matched any traffic for at least one day. A rule may stop matching traffic due to modifications, the addition of new rules that take precedence, or changes in traffic patterns. Regularly review zero-hit rules to determine whether to remove them or reposition them within the policy. This recommended practice helps maintain a clean and efficient security policy configuration. You can filter, enable, disable, or delete zero-hit policy rules using any available column as a filter.
For Panorama managed deployments, you need to confirm that you want to proceed with enabling, disabling, or deleting the zero hit policy rules. After you confirm, the config changes are sent to update the candidate config on Panorama; you then need to commit your changes in Panorama to complete the update. See Preview, Validate, or Commit Configuration Changes for more information.
Config Cleanup includes the Status column for Panorama managed deployments. Here are the statuses:
  • Pending review
  • Delete Requested
  • Enable requested
  • Disable requested
  • Updated to Candidate Config
  • Error
The Error status includes a tooltip showing an error message on what failed. For example, Failed to update Panorama config.
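The three categories above (Unused Objects, Zero Hit Objects, and Zero Hit Policy Rules) follow from the same two inputs: the configuration's object references and per-rule traffic hits. The following added example, which is not Palo Alto Networks code and uses constructed objects, rules and hit records, shows one simplified way to derive all three, including the caveat that a rule with logging disabled yields no usable hit data and must be reported as indeterminate rather than as zero-hit.

```python
# Added illustration, not Palo Alto Networks code: a simplified model of how
# Config Cleanup's three categories follow from config plus per-rule traffic hits.
OBJECTS = {"web-srv", "mail-srv", "db-srv", "jump-host", "old-vpn-gw"}  # constructed
GROUPS = {"dmz-hosts": {"web-srv", "mail-srv"}}       # group -> members
RULES = {  # rule -> (source refs, destination refs, logging enabled for the rule)
    "allow-web": (["any"], ["dmz-hosts"], True),
    "allow-db": (["jump-host"], ["db-srv"], True),
    "legacy-rdp": (["any"], ["jump-host"], False),
}
# Constructed hit summary: (rule, matched object, days since it last matched).
TRAFFIC = [("allow-web", "web-srv", 0), ("allow-db", "jump-host", 45),
           ("allow-db", "db-srv", 45)]
NEVER = 10**9  # hit age assigned to objects that never matched

def expand(ref):  # resolve a rule reference to named objects; 'any' names none
    return set() if ref == "any" else set(GROUPS.get(ref, {ref}))

def last_hit_days():  # most recent hit age per (rule, object); missing = never
    latest = {}
    for rule, obj, age in TRAFFIC:
        latest[(rule, obj)] = min(age, latest.get((rule, obj), age))
    return latest

def unused_objects():
    """Objects referenced by no rule and no group: candidates for deletion."""
    referenced = set().union(*GROUPS.values())
    for src, dst, _ in RULES.values():
        for ref in src + dst:
            referenced |= expand(ref)
    return OBJECTS - referenced

def zero_hit_objects(min_days=30):
    """Per rule, the referenced objects with no hit in the last min_days days.
    A rule with logging disabled maps to None: its result is indeterminate."""
    latest, result = last_hit_days(), {}
    for rule, (src, dst, logging) in RULES.items():
        members = set().union(*(expand(r) for r in src + dst))
        result[rule] = None if not logging else {
            o for o in members if latest.get((rule, o), NEVER) >= min_days}
    return result

def zero_hit_rules(min_days=1):
    """Classify each rule as 'zero-hit', 'active' or 'indeterminate' (logging off)."""
    latest, result = last_hit_days(), {}
    for rule, (_, _, logging) in RULES.items():
        ages = [a for (r, _), a in latest.items() if r == rule]
        result[rule] = ("indeterminate" if not logging else
                        "zero-hit" if not ages or min(ages) >= min_days else "active")
    return result
```

Raising the Days threshold (for example from 30 to 60) moves the allow-db objects out of the zero-hit set, which mirrors the Days Unused and Days with Zero Hits filters described above.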