Monitor Policy Rule Usage
How to view rule usage for policy rules pushed to a device group from Panorama.
As your policies change over time, tracking rule usage on Panorama helps you evaluate whether your policy implementation continues to match your enforcement needs. This visibility helps you identify and remove unused rules to reduce security risks and keep your policy rule base organized. Additionally, rule usage tracking allows you to quickly validate new rule additions and rule changes and to monitor rule usage for operations and troubleshooting tasks. On Panorama, you can view the rule usage of appliances in a device group—to which you pushed policies—to determine if all, some, or none of the appliances have traffic matches instead of only being able to monitor the total number of hits across all appliances in a device group. Rule usage information displayed persists through reboot, dataplane restarts and upgrades.
Panorama rule usage is determined by the managed firewalls with Policy Rule Hit Count (enabled by default). If Policy Rule Hit Count is disabled on a firewall or if the firewall is running a PAN-OS 8.0 or earlier release, Panorama will be unable to consider that firewall in the calculation of rule usage.
To view the rule usage across any Shared rule or for a specific device group:
- Log in to the Panorama Web Interface and select Policies > <policy rule> to view a rule.
- Change the Device Group context to Shared or to the specific device group you want to view.
- Determine whether the rule is being used (Rule Usage column). Firewalls must run a PAN-OS 8.1 or later release with Policy Rule Hit Count enabled for Panorama to determine rule usage. The policy rule usage status is one of the following:
  - Used—When all firewalls in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
  - Partially Used—When some of the firewalls in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
  - Unused—When no firewalls in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
  - Em-dash (—)—When no firewalls in the device group—to which you pushed the policy rule—have Policy Rule Hit Count enabled or available for Panorama to determine the rule usage.
- Click the status in the Rule Usage column to view the list of firewalls using the rule and the hit-count data for traffic that matches that rule on each firewall.
- (Optional) View the policy rule hit-count data for individual appliances in the device group.
  - Click Preview Rules.
  - From the Device context, select the appliance for which you want to view the policy rule usage data.
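The status definitions above can be reproduced offline from per-firewall hit-count data, which is useful when auditing an exported rule base rather than clicking through each rule. The following is an added example, not Palo Alto Networks code: it models the page's eligibility rule (PAN-OS 8.1 or later with Policy Rule Hit Count enabled) and the Used / Partially Used / Unused / em-dash classification over a constructed device group. The `FirewallRuleStats` record, the version string format, and the sample firewalls are assumptions made for the example.

```python
"""Classify a policy rule's usage status the way the page describes Panorama doing it.

A firewall contributes to the calculation only if it runs PAN-OS 8.1 or later
AND has Policy Rule Hit Count enabled. Among contributing firewalls:
  all have hits     -> "Used"
  some have hits    -> "Partially Used"
  none have hits    -> "Unused"
  none contribute   -> "—"   (no firewall can supply hit-count data)
"""
from dataclasses import dataclass

MIN_PANOS_VERSION = (8, 1)  # page: PAN-OS 8.0 or earlier is not considered


@dataclass
class FirewallRuleStats:  # hypothetical record built from per-device hit-count data
    name: str
    panos_version: str     # e.g. "10.1.3" (assumed dotted format)
    hit_count_enabled: bool
    hit_count: int         # traffic matches for the rule on this firewall


def parse_version(version: str) -> tuple:
    """Turn "10.1.3" into (10, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def contributes(fw: FirewallRuleStats) -> bool:
    """True if Panorama can use this firewall's data (version and hit count enabled)."""
    return fw.hit_count_enabled and parse_version(fw.panos_version) >= MIN_PANOS_VERSION


def rule_usage_status(firewalls) -> str:
    """Return the Rule Usage column value for one rule across a device group."""
    eligible = [fw for fw in firewalls if contributes(fw)]
    if not eligible:
        return "—"
    with_hits = [fw for fw in eligible if fw.hit_count > 0]
    if len(with_hits) == len(eligible):
        return "Used"
    return "Partially Used" if with_hits else "Unused"


def usage_detail(firewalls) -> dict:
    """Per-firewall hit counts, as shown when clicking the status (contributing devices only)."""
    return {fw.name: fw.hit_count for fw in firewalls if contributes(fw)}


# Constructed sample device group: two contributing firewalls, two excluded ones.
DEVICE_GROUP = [
    FirewallRuleStats("fw-branch-1", "10.1.3", True, 1204),
    FirewallRuleStats("fw-branch-2", "9.1.0", True, 0),
    FirewallRuleStats("fw-legacy", "8.0.5", True, 57),    # excluded: PAN-OS 8.0
    FirewallRuleStats("fw-dc-1", "10.2.0", False, 0),     # excluded: hit count disabled
]

if __name__ == "__main__":
    print(rule_usage_status(DEVICE_GROUP), usage_detail(DEVICE_GROUP))
```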