
unused objects

Sven Waschkut edited this page Feb 23, 2022 · 3 revisions

To clean up your Palo Alto Networks Firewall / Panorama configuration, a good first step is to find all unused objects:

The examples listed below describe the ONLINE connection method (working directly against the device API). It is always possible, and recommended, to first make yourself familiar with the PAN-OS-PHP tool against offline configuration files:

prepare for OFFLINE usage (download the configuration from production first):

  • pan-os-php type=upload in=api://MGMT-IP out=start-config.xml (example for using the OFFLINE method)
  • pan-os-php type=XYZ in=start-config.xml out=manipulated-config.xml

Display [actions=display]

rule

  • pan-os-php type=rule ruletype=security actions=display in=api://MGMT-IP location=any 'filter=(rule is.unused.fast)'

address / addressgroup

  • pan-os-php type=address actions=display in=api://MGMT-IP location=any 'filter=(object is.unused.recursive)'

service / servicegroup

  • pan-os-php type=service actions=display in=api://MGMT-IP location=any 'filter=(object is.unused.recursive)'

tag

  • pan-os-php type=tag actions=display in=api://MGMT-IP location=any 'filter=(object is.unused)'

Export to Excel [actions=exporttoexcel:FILENAME.xls] / [actions=exporttoexcel:FILENAME.html]

rule

  • pan-os-php type=rule ruletype=security actions=exporttoexcel:ruleusage.xls in=api://MGMT-IP location=any 'filter=(rule is.unused.fast)'

address / addressgroup

  • pan-os-php type=address actions=exporttoexcel:addressusage.xls in=api://MGMT-IP location=any 'filter=(object is.unused.recursive)'

service / servicegroup

  • pan-os-php type=service actions=exporttoexcel:serviceusage.xls in=api://MGMT-IP location=any 'filter=(object is.unused.recursive)'

tag

  • pan-os-php type=tag actions=exporttoexcel:tagusage.xls in=api://MGMT-IP location=any 'filter=(object is.unused)'

Rule cleanup approach

{DATE1} is a placeholder for a date such as 20220222; please replace it with a fixed value.

To clean up e.g. Security Rules, a longer observation period is recommended before deciding whether a Rule can be deleted:

tag rule with date

  • pan-os-php type=rule ruletype=security actions=tag-add:UNUSED-{DATE1} in=api://MGMT-IP location=any 'filter=(rule is.unused.fast)'

search again (remove the tag from rules that have been used in the meantime)

  • pan-os-php type=rule ruletype=security actions=tag-remove:UNUSED-{DATE1} in=api://MGMT-IP location=any 'filter=!(rule is.unused.fast) and (tag has UNUSED-{DATE1})'

This approach can be repeated weekly, monthly, or at whatever interval fits your environment best.

Delete [actions=delete]

rule

  • pan-os-php type=rule ruletype=security actions=delete in=api://MGMT-IP location=any 'filter=(rule is.unused.fast) and (tag has UNUSED-{DATE1})'

address / addressgroup

  • pan-os-php type=address actions=delete in=api://MGMT-IP location=any 'filter=(object is.unused.recursive)'

service / servicegroup

  • pan-os-php type=service actions=delete in=api://MGMT-IP location=any 'filter=(object is.unused.recursive)'

tag

  • pan-os-php type=tag actions=delete in=api://MGMT-IP location=any 'filter=(object is.unused)'
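The rule cleanup approach and the delete step above, combined into a small POSIX shell wrapper. This is an added example, not part of pan-os-php or this wiki; the DRY_RUN variable, the function names and the out= file naming for OFFLINE runs are assumptions, and by default the script only prints the pan-os-php commands it would run.

```shell
#!/bin/sh
# Added example (not pan-os-php code): drives the unused-rule cleanup cycle.
# DRY_RUN=1 (default, assumed name) only prints the commands; DRY_RUN=0 runs them.
: "${DRY_RUN:=1}"
# Filter expression the page uses for each object type.
unused_filter() {
  case "$1" in
    rule)            echo "(rule is.unused.fast)" ;;
    tag)             echo "(object is.unused)" ;;
    address|service) echo "(object is.unused.recursive)" ;;
    *) echo "unsupported type: $1" >&2; return 1 ;;
  esac
}
# {DATE1} must be a fixed YYYYMMDD value such as 20220222.
valid_date() {
  case "$1" in
    [0-9][0-9][0-9][0-9][01][0-9][0-3][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}
# Build one command line: $1=type $2=action $3=in $4=filter. For a file input the
# OFFLINE form is used: an out= file (assumed naming <in>.<action>.xml) is derived
# so each step consumes the previous step's output instead of the live device.
build_cmd() {
  otype=$1; action=$2; input=$3; filter=$4
  cmd="pan-os-php type=$otype"
  [ "$otype" = rule ] && cmd="$cmd ruletype=security"
  cmd="$cmd actions=$action in=$input"
  case "$input" in
    api://*) ;;
    *) cmd="$cmd out=${input%.xml}.${action%%:*}.xml" ;;
  esac
  echo "$cmd location=any 'filter=$filter'"
}
run() { echo "$1"; [ "$DRY_RUN" = 1 ] || eval "$1"; }
# tag: mark currently unused rules with UNUSED-<date>.
# untag (later): drop the tag from rules that were hit in the meantime.
# delete (later): remove only rules that are still unused AND still tagged.
rule_cycle() {
  input=$1; date=$2; step=$3
  valid_date "$date" || { echo "bad date: $date" >&2; return 1; }
  f=$(unused_filter rule)
  case "$step" in
    tag)    run "$(build_cmd rule "tag-add:UNUSED-$date" "$input" "$f")" ;;
    untag)  run "$(build_cmd rule "tag-remove:UNUSED-$date" "$input" "!$f and (tag has UNUSED-$date)")" ;;
    delete) run "$(build_cmd rule delete "$input" "$f and (tag has UNUSED-$date)")" ;;
    *) echo "step must be tag|untag|delete" >&2; return 1 ;;
  esac
}
```

Run `rule_cycle start-config.xml 20220222 tag` against a downloaded configuration first to see the exact command and output file, then repeat with `api://MGMT-IP` and DRY_RUN=0 once the result looks right.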