Rule Usage Tracking

Rule usage tracking helps you monitor rule usage on Panorama and firewalls to validate rules and keep your rule base organized.
The Panorama and firewall web interfaces now display the hit count for traffic that matches a policy rule to help keep your firewall policies up to date as your environment and security needs change over time. To prevent attackers from exploiting over-provisioned access, such as when a server is decommissioned or when you no longer require temporary access to a service, the rule usage tracking feature helps you identify and remove unused rules. Additionally, this feature lets you validate rule additions and rule changes and monitor the time frame in which a rule was used. For example, when you migrate port-based rules to app-based rules, you create an app-based rule above the port-based rule and then check for any traffic that still matches the port-based rule. After migration, the hit-count data helps you determine whether it is safe to remove the port-based rule by confirming that traffic is matching the app-based rule instead of the port-based rule.
On the firewall, rule usage tracking allows you to view the hit count for each rule and the timestamp of its most recent hit. On Panorama, the rule usage tracking data allows you to view whether a policy rule pushed to firewalls in a specific device group has traffic matches. The rule usage tracking data gives you the information you need to determine whether a rule is effective for access enforcement. For more information, see Monitor Policy Rule Usage.
  1. Launch the firewall or Panorama web interface.
    • On a firewall
    1. Launch the web interface and select Policies.
    2. View the rule usage statistics for each policy rule. The following information is displayed:
      • Hit Count—The number of times traffic matched the criteria you defined in the policy rule. Persists through reboot, dataplane restarts, and upgrades unless you manually reset or rename the rule.
      • Last Hit—The most recent timestamp for when traffic matched the rule.
      • First Hit—The first instance when traffic was matched to this rule.
    • On Panorama
    1. Launch the web interface and select Policies.
    2. Determine whether the rule is being used (Rule Usage column). The Rule Usage column displays rule usage for each appliance in the device group, and the information persists through reboot, dataplane restarts, and upgrades. The policy rule usage status is one of the following:
      • Used—When all appliances in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
      • Partially Used—When some of the appliances in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
      • Unused—When no appliances in the device group—to which you pushed the policy rule—have traffic matches for the policy rule.
    3. Preview Rules, then select a specific firewall managed by Panorama to view its firewall-specific policy rule usage data. If needed, you can reset the firewall hit-count data for individual rules. Panorama retrieves rule usage information from managed firewalls every five minutes.
  2. Reset the rule usage tracking count data.
    You can reset the rule hit-count data to validate an existing rule or to gauge rule usage within a specified period of time. Previous hit-count data is not retained on the firewall or Panorama, so after you clear the hit count using the reset option, that data is no longer available.
    1. Identify any rules you need to reset and navigate to the Hit Count column.
    2. Select Reset from the drop-down. If you previously reset a policy rule hit count, you can also view the Last Reset Time from the drop-down.
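The following added example (not part of this documentation, and not a Palo Alto Networks API) models the two checks described above in Python: deriving the Panorama Used / Partially Used / Unused status for a rule from per-firewall hit counts, and the port-to-app migration check, which treats a port-based rule as removable only when it has stayed at zero hits on every firewall for a soak period measured from its last reset. The record layout, device names and rule names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class RuleUsage:
    """Constructed per-firewall usage record (hypothetical layout, not a real export)."""
    device: str                      # managed firewall in the device group
    rule: str                        # security policy rule name
    hit_count: int                   # matches since the last reset (or since creation)
    last_hit: Optional[datetime]     # None: never matched
    last_reset: Optional[datetime]   # None: the counter has never been reset

def device_group_status(records, rule):
    """Derive the Panorama Rule Usage value for one rule across all firewalls."""
    matched = [r.hit_count > 0 for r in records if r.rule == rule]
    if not matched:
        raise ValueError(f"no usage records for rule {rule!r}")
    if all(matched):
        return "Used"
    return "Partially Used" if any(matched) else "Unused"

def port_rule_removable(records, port_rule, app_rule, now, soak=timedelta(days=7)):
    """Migration check: on every firewall the app-based rule has matched and the
    port-based rule below it has stayed at zero hits for at least `soak` since its
    counter was reset. A zero counter that was never reset is not evidence."""
    for device in sorted({r.device for r in records}):
        by_rule = {r.rule: r for r in records if r.device == device}
        port, app = by_rule.get(port_rule), by_rule.get(app_rule)
        if port is None or app is None or port.last_reset is None:
            return False
        if port.hit_count != 0 or app.hit_count == 0:
            return False
        if now - port.last_reset < soak:
            return False
    return True

NOW = datetime(2024, 3, 15, 12, 0)
RECORDS = [  # constructed sample: two firewalls in one device group
    RuleUsage("fw-a", "allow-web-apps", 4120, NOW - timedelta(hours=1), None),
    RuleUsage("fw-b", "allow-web-apps", 2207, NOW - timedelta(hours=2), None),
    RuleUsage("fw-a", "allow-web-ports", 0, None, NOW - timedelta(days=10)),
    RuleUsage("fw-b", "allow-web-ports", 0, None, NOW - timedelta(days=10)),
    RuleUsage("fw-a", "legacy-ftp", 3, NOW - timedelta(days=40), None),
    RuleUsage("fw-b", "legacy-ftp", 0, None, None),
    RuleUsage("fw-a", "temp-vendor-access", 0, None, None),
    RuleUsage("fw-b", "temp-vendor-access", 0, None, None),
]

if __name__ == "__main__":
    for name in ("allow-web-apps", "allow-web-ports", "legacy-ftp", "temp-vendor-access"):
        print(f"{name:20} {device_group_status(RECORDS, name)}")
    print("port rule removable:", port_rule_removable(RECORDS, "allow-web-ports", "allow-web-apps", NOW))
```

The Partially Used result for legacy-ftp is the case worth a closer look: one firewall still matches it, so it cannot simply be deleted, but the old last-hit date suggests the access is no longer needed.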