Rule Usage Tracking
Rule usage tracking helps you monitor rule usage on Panorama and firewalls to validate rules and keep your rule base organized.
The Panorama and firewall web interfaces now display the hit count for traffic that matches a policy rule to help keep your firewall policies up to date as your environment and security needs change over time. To prevent attackers from exploiting over-provisioned access, such as when a server is decommissioned or when you no longer require temporary access to a service, the rule usage tracking feature helps you -identify and remove unused rules. Additionally, this feature provides the ability to validate rule additions and rule changes and to monitor the time frame when a rule was used. For example, when you migrate port-based rules to app-based rules, you create an app-based rule above the port-based rule and then you check for any traffic that matches the port-based rule. After migration, the hit-count data helps you determine whether it is safe to remove the port-based rule by confirming that traffic is matching the app-based rule instead of the port-based rule.
On the firewall, rule usage tracking allows you to view rule usage hit count and the last timestamp of the last hit. On Panorama, the rule usage tracking data allows you to view whether a policy rule pushed to firewalls in a specific device group has traffic matches. The rule usage tracking data gives you the information you need to determine whether a rule is effective for access enforcement. For more information, see Monitor Policy Rule Usage.
- Launch the firewall or Panorama web interface.
- On a firewall
- Launch the web interface and select Policies.
- View the rule usage statistics for each policy rule.
The following information is displayed:
- Hit Count—The number of times traffic matched the criteria you defined in the policy rule. Persists through reboot, dataplane restarts, and upgrades unless you manually reset or rename the rule.
- Last Hit—The most recent timestamp for when traffic matched the rule.
- First Hit—The first instance when traffic was matched to this rule.
- On Panorama
- Launch the web interface and select Policies.
- Determine whether the rule is being used (Rule Usage
column). The policy rule usage status is one of the following:The Rule Usage column displays rule usage for each appliance in the device group. The rule usage information displayed persists through reboot, dataplane restarts, and upgrades.
- Used—When all appliances in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
- Partially Used—When some of the appliances in the device group —to which you pushed the policy rule— have matches for the policy rule.
- Unused—When no appliances in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
- Preview Rules to view and select a specific firewall managed by Panorama to view the firewall-specific policy rule usage data. If needed, you can reset the firewall hit-count data for individual rules. Panorama retrieves rule usage information from managed firewalls every five minutes.
- Reset the rule usage tracking count data.You can reset the rule hit count data to validate an existing rule or to gauge rule usage within a specified period of time. Policy rule hit-count data is not stored on the firewall or Panorama so after you clear the hit count using the reset option, that data is no longer available.
- Identify any rules you need to reset and navigate to the Hit Count column.
- Select Reset from the drop-down.
If you previously reset a rule policy hit count, you can also view
the Last Reset Time from the drop-down.
View Policy Rule Usage
View the policy rule hit count data of managed firewalls to monitor rule usage in order to validate rules and keep your rule base organized. ...
Monitor Policy Rule Usage
How to view rule usage for policy rules pushed to a device group from Panorama. ...
Creating and Managing Policies
Creating and Managing Policies Select the Policies Security page to add , modify, and manage security policies: Task Description Add To add a new policy ...
What Data Center Traffic to Log and Monitor
The types of data center traffic you should log and monitor, the tools you can use to analyze the traffic, and how to best utilize ...
PAN-OS 8.1 introduces the following new management features: Configuration Table Export, Reporting Engine Enhancements, and Policy Rule Hit Count. PAN-OS 8.1.1 introduces a Software Integrity ...
Device Monitoring on Panorama
Use Panorama™ to monitor the health and rule usage of firewalls and to troubleshoot hardware issues and policy rule usage. ...
Security Policy Security policy protects network assets from threats and disruptions and aids in optimally allocating network resources for enhancing productivity and efficiency in business ...
Management Features Rule Usage Tracking Rule usage tracking helps you monitor rule usage on Panorama and firewalls to validate rules and keep your rule base ...
Create a Security Policy Rule
Create a Security Policy Rule ( Optional ) Delete the default Security policy rule. By default, the firewall includes a security rule named rule1 that ...