Identify and remove unused configuration objects and policy rules.
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
To streamline your configuration, use the Config Cleanup feature, which
helps you to identify and remove unused configuration objects and policy rules. It
also detects objects within security policy rules that have not matched any
traffic.
By reducing configuration clutter, Config Cleanup ensures that only
essential configuration objects are retained, improving the overall efficiency and
maintainability of your security policies.
Role-based access control (RBAC) governs access to Config Cleanup
operations. Your assigned role determines the actions you can perform:
- Administrators can delete unused objects, disable or delete policy rules that have not matched any traffic, and delete objects within rules that have not seen traffic matches.
- Users may see a limited view and can perform only the actions allowed by their RBAC permissions.
Config Cleanup supports deployments managed by Strata Cloud Manager and
Panorama, including NGFW and Prisma Access configurations. At the top of the
Config Cleanup page, select Cloud Manager for Strata Cloud Manager
managed deployments, or select a Panorama instance for Panorama managed deployments.
When you select a Panorama instance from the dropdown, the page shows that analysis
is in progress. After the analysis completes, you can view the unused objects, zero
hit objects, and zero hit policy rules. If the analysis fails, you can create a
support case to resolve the issue or view data from the last successful analysis;
an error banner remains visible until the issue is resolved. The timestamp of the
last successful analysis is also displayed.
To use Config Cleanup for Panorama-managed configurations, the
following prerequisites must be met:
- Onboard your Panorama device to Strata Cloud Manager and associate it with a Tenant Service Group (TSG).
- Enable Strata Logging Service on your hardware and software firewalls. Strata Logging Service is required for all Prisma SASE deployments as well. Ensure the correct region and product usage configuration is set to provide the necessary traffic data for optimization recommendations.
- Sync the configurations with Strata Cloud Manager so that the CloudConnector plugin can detect and process the updated configuration:
  > request plugins cloudconnector sync enable
- To initiate analysis by Config Cleanup, commit your configuration changes in Panorama.
Unused Objects
Unused Objects exist in the configuration but are not referenced
by any active configurations, such as policy rules or group objects. These
objects may become orphaned when their parent objects are deleted or may have
been created without ever being used. Regardless of how they were introduced,
unused objects increase configuration size and can lead to longer commit times.
Regularly review and delete these objects to maintain a clean and efficient
configuration.
Select one or more objects and click Delete, then confirm that you want to
delete them. For Panorama managed deployments, you will need to commit your
changes in Panorama to delete the objects. See Preview, Validate, or Commit
Configuration Changes for more information.
Config Cleanup includes the Status column for Panorama managed deployments. Here
are the statuses:
- Pending Review
- Delete Requested
- Updated to Candidate Config
- Error
The Error status includes a tooltip showing an error message on what failed. For
example, Failed to update Panorama config.
You can filter unused objects by:
- Name – Search for and select a specific configuration object by
name.
- Object Type – Select the type of configuration object.
- Days Unused – Choose from predefined time ranges (30+ days, 60+ days,
90+ days) or use the customizable More than option for more granular
filtering.
You can group objects by Location, which indicates the corresponding
device group, or view them as a single, flat list.
Zero Hit Objects
Zero Hit Objects are objects within security policy rules that have not
matched any traffic. Their presence can make rules overly permissive and
increase the attack surface, even if the same objects are used in other
policies. Removing zero-hit objects from specific rules helps harden the policy
rule and improve overall security posture. You can view a list of all rules
containing zero-hit objects under Zero Hit Objects.
Config cleanup calculates zero-hit objects based on traffic logs sent to
Strata Logging Service. If the firewall does not send logs to Strata Logging
Service or if logging is disabled for a rule, the computation may be
incomplete or inaccurate.
To see all objects with zero hits in a specific rule, select the rule to open its
side panel. Within the side panel, you can select and delete any objects that
have zero hits.
For Panorama managed deployments, you must confirm that you want to delete the
zero hit objects. After you confirm, the config changes are sent to update the
candidate config on Panorama; you then need to commit your changes in Panorama
to delete the objects. See Preview, Validate, or Commit Configuration Changes
for more information.
Config Cleanup includes the Status column for Panorama managed deployments. Here
are the statuses:
- Pending Review
- Delete Requested
- Updated to Candidate Config
- Error
The Error status includes a tooltip showing an error message on what failed. For
example, Failed to update Panorama config.
You can filter policy rules based on:
- Days with Zero Hits – Select from predefined ranges (30+ days, 60+
days, 90+ days) or use the More than option to identify objects
within rules that haven't matched traffic within the specified timeframe.
Use this filter to locate and remove objects that no longer meet traffic
thresholds.
- You can also apply filters to additional columns, such as source
zone, destination zone/address, source user, or URL
category, to further refine your search for rules.
Zero Hit Policy Rules
Zero Hit Policy Rules are security policy rules that have
not matched any traffic for at least one day. A rule may stop matching traffic
because it was modified, because new rules that take precedence were added, or
because traffic patterns changed. Regularly review zero-hit rules to determine
whether to remove them or reposition them within the policy. This recommended
practice helps maintain a clean and efficient security policy configuration. You
can filter, enable, disable, or delete zero-hit policy rules using any available
column as a filter.
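The three findings described above (unused objects, zero hit objects, zero hit policy rules) can be derived from a configuration plus its traffic logs. The example below is added here and is not Palo Alto Networks code; it uses a constructed toy config and constructed log tuples, and it returns None for a rule that sends no logs to Strata Logging Service, reflecting the caveat that the computation is incomplete without them.

```python
from datetime import date, timedelta

TODAY = date(2024, 6, 10)  # constructed reference date for the analysis
# Constructed config: address objects, one address group, four policy rules.
OBJECTS = {"web-srv", "db-srv", "mgmt-host", "legacy-dmz", "backup-srv",
           "old-vpn-gw", "stale-host"}
GROUPS = {"dmz-servers": {"web-srv", "db-srv"}}
RULES = [  # "log": rule forwards its traffic logs to Strata Logging Service
    {"name": "allow-web",    "dst": ["dmz-servers"], "log": True},
    {"name": "allow-mgmt",   "dst": ["mgmt-host", "legacy-dmz"], "log": True},
    {"name": "allow-backup", "dst": ["backup-srv"], "log": True},
    {"name": "old-vpn",      "dst": ["old-vpn-gw"], "log": False},
]
# Constructed traffic logs: (rule that matched, destination object, log date).
LOGS = [
    ("allow-web",  "web-srv",   TODAY),
    ("allow-web",  "db-srv",    TODAY - timedelta(days=40)),
    ("allow-mgmt", "mgmt-host", TODAY),
]

def members(ref):
    """Expand a group reference to its member objects; a plain object is itself."""
    return set(GROUPS.get(ref, {ref}))

def unused_objects():
    """Objects referenced by no policy rule and no group (orphaned or never used)."""
    referenced = set()
    for rule in RULES:
        for ref in rule["dst"]:
            referenced |= {ref} | members(ref)
    for group_members in GROUPS.values():
        referenced |= group_members
    return sorted(OBJECTS - referenced)

def hit_within(rule_name, obj, window_days):
    """True if a log for this rule (and object, if given) is newer than the window."""
    return any(r == rule_name and (obj is None or o == obj)
               and (TODAY - d).days < window_days for r, o, d in LOGS)

def zero_hit_objects(window_days=1):
    """Per rule: objects with no matching traffic in the last window_days days.
    A rule that sends no logs yields None instead of an incomplete list."""
    return {rule["name"]: None if not rule["log"] else sorted(
                obj for ref in rule["dst"] for obj in members(ref)
                if not hit_within(rule["name"], obj, window_days))
            for rule in RULES}

def zero_hit_rules(window_days=1):
    """Logging rules that matched no traffic at all in the last window_days days."""
    return [r["name"] for r in RULES
            if r["log"] and not hit_within(r["name"], None, window_days)]
```

Widening the window (for example 60 days) drops db-srv from the allow-web finding because its last hit is 40 days old, which is how the Days with Zero Hits filter narrows results.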
For Panorama managed deployments, you must confirm that you want to enable,
disable, or delete the zero hit policy rules. After you confirm, the config
changes are sent to update the candidate config on Panorama; you then need to
commit your changes in Panorama to complete the update. See Preview, Validate,
or Commit Configuration Changes for more information.
Config Cleanup includes the Status column for Panorama managed deployments. Here
are the statuses:
- Pending Review
- Delete Requested
- Enable Requested
- Disable Requested
- Updated to Candidate Config
- Error
The Error status includes a tooltip showing an error message on what failed. For
example, Failed to update Panorama config.