The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
To streamline your configuration, use the Config Cleanup feature, which helps you identify and remove unused configuration objects and policy rules. It also detects objects within security policy rules that have not matched any traffic.
By reducing configuration clutter, Config Cleanup ensures that only essential configuration objects are retained, improving the overall efficiency and maintainability of your security policies.
Role-based access control (RBAC) governs access to Config Cleanup operations. Your assigned role determines the actions you can perform:
Administrators – Can delete unused objects, disable or delete policy rules that have not matched any traffic, and delete objects within rules that have not seen traffic matches.
Users – May see a limited view and can perform only the actions allowed by their RBAC permissions.
Config Cleanup supports only deployments managed by Strata Cloud Manager, including NGFW and Prisma Access configurations.
In Config Cleanup, you can view the following information:
Unused Objects – Objects that exist in the configuration but are not referenced by any active configuration, such as policy rules or group objects. These objects may become orphaned when their parent objects are deleted, or they may have been created without ever being used. Regardless of how they were introduced, unused objects increase configuration size and can lead to longer commit times. Regularly review and delete these objects to maintain a clean and efficient configuration.
Zero Hit Objects – Objects within security policy rules that have not matched any traffic. Their presence can make rules overly permissive and increase the attack surface, even if the same objects are used in other policies. Removing zero-hit objects from specific rules helps harden the policy rule and improve overall security posture. You can view a list of all rules containing zero-hit objects under Zero Hit Objects.
Config Cleanup calculates zero-hit objects based on traffic logs sent to Strata Logging Service. If the firewall does not send logs to Strata Logging Service, or if logging is disabled for a rule, the computation may be incomplete or inaccurate.
To see all objects with zero hits in a specific rule, select the rule to open its side panel. Within the side panel, you can select and delete any objects that have zero hits.
Zero Hit Policy Rules – Security policy rules that have not matched any traffic for at least one day. A rule may stop matching traffic due to modifications, the addition of new rules that take precedence, or changes in traffic patterns. Regularly review zero-hit rules to determine whether to remove them or reposition them within the policy. This recommended practice helps maintain a clean and efficient security policy configuration.
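As an added illustration (not Strata Cloud Manager's own code or algorithm), the following Python models the three checks above on a constructed configuration and constructed traffic-log entries. It reports a rule with logging disabled as unassessable rather than as zero-hit, which is the caveat about missing logs; the log-entry shape and the expansion of an address group into its members are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (illustrative only, not a real Strata Cloud Manager export).
# Address objects plus one address group; the group is itself a configuration object.
OBJECTS = {"web-srv", "db-srv", "old-srv", "mail-srv", "app-servers"}
GROUPS = {"app-servers": {"web-srv", "db-srv"}}
RULES = [
    {"name": "allow-web", "dest": ["app-servers"], "log": True},
    {"name": "allow-mail", "dest": ["mail-srv"], "log": True},
    {"name": "legacy", "dest": ["mail-srv"], "log": False},  # logging disabled for this rule
]
NOW = datetime(2024, 6, 10)
SINCE = NOW - timedelta(days=30)  # the "30+ days" window
# Constructed traffic-log entries: (rule that matched, destination object, timestamp).
LOGS = [
    ("allow-web", "web-srv", NOW - timedelta(hours=2)),
    ("allow-mail", "mail-srv", NOW - timedelta(days=40)),
]

def unused_objects(objects, groups, rules):
    """Objects that no rule and no group references (orphaned or never used)."""
    referenced = set().union(*groups.values())
    for r in rules:
        referenced |= set(r["dest"])
    return sorted(objects - referenced)

def zero_hit_objects(rules, groups, logs, since):
    """Per rule, the objects with no matching log entry since `since`.
    None marks a rule whose logging is off: no logs means no verdict, not zero hits."""
    result = {}
    for r in rules:
        if not r["log"]:
            result[r["name"]] = None
            continue
        hit = {obj for rule, obj, ts in logs if rule == r["name"] and ts >= since}
        # Assumption: a group reference counts as a reference to each of its members.
        in_rule = set().union(*(groups.get(d, {d}) for d in r["dest"]))
        result[r["name"]] = sorted(in_rule - hit)
    return result

def zero_hit_rules(rules, logs, now, min_days=1):
    """Rules with no hit in the last `min_days` days, plus rules that cannot be assessed."""
    stale, unknown = [], []
    for r in rules:
        if not r["log"]:
            unknown.append(r["name"])
            continue
        last = max((ts for rule, _, ts in logs if rule == r["name"]), default=None)
        if last is None or now - last >= timedelta(days=min_days):
            stale.append(r["name"])
    return stale, unknown
```

Run against the sample data, `old-srv` is the only unused object, `db-srv` has zero hits inside `allow-web` even though it is still referenced elsewhere, and `legacy` lands in the unassessable list instead of being flagged for deletion.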
Use filters and other controls to refine your view and target specific unused objects and policy rules.
Unused Objects – Filter unused objects by:
    Name – Search for and select a specific configuration object by name.
    Object Type – Select the type of configuration object.
    Days Unused – Choose from predefined time ranges (30+ days, 60+ days, 90+ days) or use the customizable More than option for more granular filtering.
Zero Hit Objects – Filter policy rules based on:
    Days with Zero Hits – Select from predefined ranges (30+ days, 60+ days, 90+ days) or use the More than option to identify objects within rules that have not matched traffic within the specified timeframe. Use this filter to locate and remove objects that no longer meet traffic thresholds.
    You can also apply filters to additional columns, such as source zone, destination zone/address, source user, or URL category, to further refine your search for rules.
Zero Hit Policy Rules – Filter, enable, disable, or delete zero-hit policy rules using any available column as a filter.