Monitor Policy Rule Usage

How to view rule usage for policy rules pushed to a device group from Panorama.
As your policies change over time, tracking rule usage on Panorama helps you evaluate whether your policy implementation continues to match your enforcement needs. This visibility helps you identify and remove unused rules, which reduces security risk and keeps the rule base organized, and it lets you quickly validate new rules and rule changes and monitor rule usage for operations and troubleshooting. Rather than reporting only the total number of hits across all appliances in a device group, Panorama shows rule usage per device group to which you pushed policies, so you can determine whether all, some, or none of the appliances in that group have traffic matches for a rule. Rule usage information persists through reboots, dataplane restarts, and upgrades. Before you remove a rule that Panorama reports as Unused, confirm that the hit-count data covers a period long enough to include infrequent traffic (for example, periodic jobs or failover paths); a zero count over a short window is not proof that the rule is unnecessary.
Panorama determines rule usage from the hit-count data reported by managed firewalls that have Policy Rule Hit Count enabled (the default). If Policy Rule Hit Count is disabled on a firewall, or the firewall runs PAN-OS 8.0 or an earlier release, Panorama cannot include that firewall in the rule usage calculation, and a rule may appear Unused even if that firewall has traffic matches for it.
To view the rule usage across any Shared rule or for a specific device group:
  1. Log in to the Panorama Web Interface and select Policies > <policy rule> to view a rule.
  2. Change the Device Group context to Shared or to the specific device group you want to view.
  3. Determine whether the rule is being used (Rule Usage column). The policy rule usage status is one of the following:
    Firewalls must run a PAN-OS 8.1 or later release with Policy Rule Hit Count enabled for Panorama to determine rule usage.
    • Used—When all firewalls in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
    • Partially Used—When some of the firewalls in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
    • Unused—When no firewalls in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
    • Em-dash (—)—When none of the firewalls in the device group—to which you pushed the policy rule—have Policy Rule Hit Count enabled and available (for example, because they run PAN-OS 8.0 or earlier), so Panorama cannot determine the rule usage.
    (Figure: Panorama Rule Usage; panorama-rule-usage.png)
  4. Click the status in the Rule Usage column to view the list of firewalls using the rule and the hit-count data for traffic that matches that rule on each firewall.
    (Figure: Firewall Rule Usage; view-device-hit-count-panorama.png)
  5. (Optional) View the policy rule hit-count data for individual appliances in the device group.
    1. Click Preview Rules.
    2. From the Device context, select the appliance for which you want to view the policy rule usage data.
      (Figure: preview-rules-policy-rule-hit-count-data.png)
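The status logic from step 3, combined with the PAN-OS 8.1 and Policy Rule Hit Count requirement stated in the introduction, as an added example in Python. This is not Panorama code and does not call the Panorama API; the Firewall records, field names, serial numbers, rule names, and hit counts below are constructed for the example. It shows the case a practitioner most needs to recognize: firewalls that Panorama excludes (Policy Rule Hit Count disabled, or PAN-OS 8.0 or earlier) can make a rule appear Unused even though those firewalls did match traffic on it.

```python
"""Compute Panorama-style rule usage from per-firewall hit counts.

Added example, not Panorama code or output. A firewall contributes to the
calculation only if it runs PAN-OS 8.1 or later with Policy Rule Hit Count
enabled. A rule is Used when every contributing firewall in the device group
has hits, Partially Used when only some do, Unused when none do, and shows
the em-dash status when no firewall contributes at all.
"""
from dataclasses import dataclass, field
import re

MIN_VERSION = (8, 1)            # first release Panorama can read hit counts from
NO_DATA = "\u2014"              # em-dash: no firewall in the group contributes


@dataclass
class Firewall:
    """Constructed record; field names are assumptions, not an API schema."""
    serial: str
    panos_version: str
    hit_count_enabled: bool
    hits: dict = field(default_factory=dict)   # rule name -> hit count


def version_tuple(version: str) -> tuple:
    """'10.2.3-h1' -> (10, 2, 3); hotfix suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def contributes(fw: Firewall) -> bool:
    """Only 8.1+ firewalls with hit counting enabled are visible to Panorama."""
    return fw.hit_count_enabled and version_tuple(fw.panos_version)[:2] >= MIN_VERSION


def rule_usage(rule: str, device_group: list) -> str:
    """The value Panorama shows in the Rule Usage column for one rule."""
    reporting = [fw for fw in device_group if contributes(fw)]
    if not reporting:
        return NO_DATA
    matched = [fw for fw in reporting if fw.hits.get(rule, 0) > 0]
    if len(matched) == len(reporting):
        return "Used"
    if matched:
        return "Partially Used"
    return "Unused"


def rule_usage_detail(rule: str, device_group: list) -> dict:
    """Per-firewall view, like clicking the status in the Rule Usage column.
    None marks a firewall whose hit counts Panorama cannot use."""
    return {fw.serial: (fw.hits.get(rule, 0) if contributes(fw) else None)
            for fw in device_group}


def unused_rules(rules: list, device_group: list) -> list:
    """Candidates for cleanup; verify the counter period before removing any."""
    return [r for r in rules if rule_usage(r, device_group) == "Unused"]


# Constructed sample device group: two firewalls contribute, two are excluded.
RULES = ["allow-web", "allow-dns", "legacy-ftp", "block-all"]
DEVICE_GROUP = [
    Firewall("001", "10.2.3-h1", True, {"allow-web": 1200, "allow-dns": 80, "block-all": 5}),
    Firewall("002", "9.1.0", True, {"allow-web": 340, "block-all": 2}),
    Firewall("003", "8.0.12", True, {"allow-dns": 9, "legacy-ftp": 1}),   # excluded: PAN-OS 8.0
    Firewall("004", "10.1.0", False, {"legacy-ftp": 7}),                  # excluded: hit count off
]

if __name__ == "__main__":
    for r in RULES:
        print(f"{r:12} {rule_usage(r, DEVICE_GROUP):15} {rule_usage_detail(r, DEVICE_GROUP)}")
    print("candidates for removal:", unused_rules(RULES, DEVICE_GROUP))
```

In the sample, legacy-ftp is reported Unused although firewalls 003 and 004 have hits for it, because neither contributes to the calculation. When a rule shows Unused, check the per-firewall detail for firewalls with no data and bring them to a supported release with Policy Rule Hit Count enabled so that Panorama sees their traffic before you remove the rule.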
