View Policy Rule Usage

View the policy rule hit count data of managed firewalls to monitor rule usage in order to validate rules and keep your rule base organized.
View the number of times a Security, NAT, QoS, Policy Based Forwarding, Decryption, Tunnel Inspection, Application Override, Authentication, or DoS protection rule matches traffic to help keep your firewall policies up to date as your environment and security needs change over time. To prevent attackers from exploiting over-provisioned access, such as when a server is decommissioned or when you no longer need temporary access to a service, use the policy rule hit count data to identify and remove unused rules.
Policy rule usage data provides the ability to validate rule additions and rule changes and to monitor the time frame when a rule was used. For example, when you migrate port-based rules to app-based rules, you create an app-based rule above the port-based rule and check for any traffic that matches the port-based rule. After migration, the hit count data helps you determine whether the port-based rule is safe to remove by confirming whether traffic is matching the app-based rule instead of the port-based rule. The policy rule hit count gives you the information to determine whether a rule is effective for access enforcement.
You can reset the rule hit count data to validate an existing rule or to gauge rule usage within a specified period of time. Policy rule hit count data is not stored on the firewall or Panorama so after you clear the hit count using the reset option, that data is no longer available.
The rule hit count data is not synchronized across firewalls in an HA deployment so you need to log in to the each firewall to view the policy rule hit count data for each firewall or use Panorama to view information on the HA firewall peers.
Policy rule usage data may also be useful when using Policy Optimizer to prioritize which rules to migrate or clean up first.
  1. Launch the Web Interface.
  2. Verify that the Policy Rule Hit Count is enabled.
    1. Select DeviceSetup Management and navigate to Policy Rulebase Settings.
    2. Verify that Policy Rule Hit Count is enabled.
  3. Select Policies.
  4. View the policy rule usage for each policy rule:
    • Hit Count—The number of times traffic matched the criteria you defined in the policy rule. Persists through reboot, dataplane restarts, and upgrades unless you manually reset or rename the rule.
    • Last Hit—The most recent timestamp for when traffic matched the rule.
    • First Hit—The first instance when traffic was matched to this rule.
    • Modified—The date and time the policy rule was last modified.
    • Created—The date and time the policy rule was created.
      If the rule was created when the firewall was running PAN-OS 8.1 and the Policy Rule Hit Count setting is enabled, the First Hit date and time is used as the Created date and time on upgrade to PAN-OS 9.0. If the rule was created in PAN-OS 8.1 when the Policy Rule Hit Count setting is disabled, or if the rule was created when the firewall was running PAN-OS 8.0 or earlier release, the date and time the firewall is successfully upgraded to PAN-OS 9.0 is used as the Created date.
  5. In the Policy Optimizer window, click Rule Usage to view the rule usage filter.
  6. Filter rules in the selected rulebase.
    Use the rule usage filter to evaluate the rule usage within a specified period of time. For example, filter the selected rulebase for usage based on Hit Count, First Hit, or Last Hit within the last 30 days. Additionally, you can also evaluate rule usage with other rule attributes, such as the Created and Modified dates, giving you the flexibility to filter for the correct set of rules to review. You can use this data to determine whether to remove a rule.
    1. Select the Timeframe you want to filter from the drop-down, or specify a Custom timeframe.
    2. Select the rule Usage to filter.
    3. (Optional) If you have reset the rule usage data for any rules, check the Exclude rules reset during the last <number of days> days, and within how many days the rules were reset in order to be excluded. Rules that were reset before the specified number of days are included in the filtered results.
    4. (Optional) Specify search filters based on additional rule data, other than the rule usage.
      1. Hover your mouse over the column header, and from the drop-down select Columns.
      2. Add any additional columns you want to filter with or to display.
      3. Hover your mouse over the column data that you would like to filter, and select Filter from the drop-down. For data that contain dates, select whether to filter using This date, This date or earlier, or This date or later.
      4. Click Apply Filter ( green-arrow.png ).

Related Documentation