View Policy Rule Usage
View the policy rule hit count data of managed firewalls to monitor rule usage so you can validate rules and keep your rule base organized.
View the number of times a Security, NAT, QoS, policy-based forwarding (PBF), Decryption, Tunnel Inspection, Application Override, Authentication, or DoS protection rule matches traffic to help keep your firewall policies up to date as your environment and security needs change. To prevent attackers from exploiting over-provisioned access, such as when a server is decommissioned or when you no longer need temporary access to a service, use the policy rule hit count data to identify and remove unused rules.
Policy rule usage data enables you to validate rule additions and rule changes and to monitor the time frame when a rule was used. For example, when you migrate port-based rules to app-based rules, you create an app-based rule above the port-based rule and check for any traffic that matches the port-based rule. After migration, the hit count data helps you determine whether it is safe to remove the port-based rule by confirming whether traffic is matching the app-based rule instead of the port-based rule. The policy rule hit count helps you determine whether a rule is effective for access enforcement.
You can reset the rule hit count data to validate an existing rule or to gauge rule usage within a specified period of time. Policy rule hit count data is not stored on the firewall or Panorama so that data is no longer available after you reset (clear) the hit count.
The rule hit count data is not synchronized across firewalls in a high availability (HA) deployment so you need to log in to each firewall to view the policy rule hit count data for each firewall or use Panorama to view information on the HA firewall peers.
- Verify thatPolicy Rule Hit Countis enabled.
- Navigate to Policy Rulebase Settings ().DeviceSetupManagement
- Verify thatPolicy Rule Hit Countis enabled.
- View the policy rule usage for each policy rule:
- Hit Count—The number of times traffic matched the criteria you defined in the policy rule. Persists through reboot, dataplane restarts, and upgrades unless you manually reset or rename the rule.
- Last Hit—The most recent timestamp for when traffic matched the rule.
- First Hit—The first instance when traffic was matched to this rule.
- Modified—The date and time the policy rule was last modified.
- Created—The date and time the policy rule was created.If the rule was created when Panorama was running PAN-OS 8.1 and the Policy Rule Hit Count setting is enabled, the First Hit date and time is used as the Created date and time on upgrade to PAN-OS 9.0. If the rule was created in PAN-OS 8.1 when the Policy Rule Hit Count setting was disabled or if the rule was created when Panorama was running PAN-OS 8.0 or an earlier release, the Created date for the rule will be the date and time you successfully upgraded Panorama to PAN-OS 9.0
- In the Policy Optimizer dialog, view theRule Usagefilter.
- Filter rules in the selected rulebase.Use the rule usage filter to evaluate the rule usage within a specified period of time. For example, filter the selected rulebase for Unused rules within the last 30 days. You can also evaluate rule usage with other rule attributes, such as the Created and Modified dates, which enables you to filter for the correct set of rules to review. You can use this data to help manage your rule lifecycle and to determine if a rule needs to be removed to reduce your network attack surface.
- Select theTimeframeyou want to filter on or specify aCustomtime frame.
- Select the ruleUsageon which to filter.
- (Optional) If you have reset the rule usage data for any rules, check forExclude rules reset during the lastand decide when to exclude a rule based on the number of days you specify since the rule was reset. Only rules that were reset before your specified number of days are included in the filtered results.<number of days>days
- (Optional) Specify search filters based on rule data
- Hover your cursor over the column header andColumns.
- Add any additional columns you want to display or use for filter.
- Hover your cursor over the column data that you would like to filter onFilter. For data that contain dates, select whether to filter usingThis date,This date or earlier, orThis date or later.
- Apply Filter( ).
Rule Usage Filtering
Filter rule usage to identify unused rules for deletion in order to improve your security posture. ...
Policy Optimizer Concepts
Concepts for migrating port-based Security rules to app-based rules, removing unused apps from rules, and safely enabling apps without compromising availability. ...
Monitor Policy Rule Usage
How to view rule usage for policy rules pushed to a device group from Panorama. ...
Identify Security Policy Rules with Unused Applications
Policy Optimizer finds Security policy rules that specify applications not seen on your network so you can remove the unused apps to reduce the attack ...
Migrate Port-Based to App-ID Based Security Policy Rules
Policy Optimizer converts port-based Security policy rules to app-based rules without compromising app availability to safely enable applications. ...
Rule Usage Query
Query your policy rule base to determine rule usage for a specified period of time. ...
Sorting and Filtering Security Policy Rules
Use application usage information to prioritize which rules to migrate from port-based to app-based rules or to clean up (remove unused apps) first. ...
Rule Cloning Migration Use Case: Web Browsing and SSL Traffic
Example of migrating port-based Security policy rules for web browsing and SSL traffic to app-based rules without affecting application availability. ...
Enable or Disable Policy Optimizer
Policy Optimizer provides many capabilities that make it easier to migrate to an application-based Security policy but you may disable it if you wish. ...