Rule and Object Usage Report

Overview

The Rule and Object Usage Report displays statistics for most-used, least-used and unused rules and objects. It calculates, for each rule or object, the amount of logged network traffic that was passed or blocked.

A Rule and Object Usage Report can be used to:

  • Optimize the rulebase by identifying which rules are not being used (should be considered for removal), and which rules are very heavily used (may be moved up in the rulebase).
  • Analyze objects usage, including member objects within group objects. Objects which are identified as unused are candidates for removal, even when the rule itself is not.

About the Report

Rules that were created or changed during the report period are marked as New or Changed. For these rules, the usage data shown may not accurately reflect the current situation.

You can schedule the Rule and Object Usage Report to be generated automatically, and sent to different users. It is generated in HTML, PDF, and CSV formats.

This report is only available for devices on which the feature is enabled (see Configuring Devices to Send Logs). To enable it, add a monitored device or edit an existing monitored device, and select one or more of the Usage Analysis options.

The Rule and Object Usage report uses only logs that have not been cleaned from the database. You should move rules within the rulebase only after careful consideration, since rules are processed in sequential order.

Rule and object usage statistics are collected per gateway only once a policy revision is received.

Security rules that do not log traffic may negatively impact the accuracy of the NAT rule usage statistics in the report.

Compressed rule and object usage data is stored at a resolution of one day. If you run a Rule and Object Usage report on historical data that includes part of a day, the report time period is adjusted to cover the data that is available.
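To make the report's logic concrete, here is an added example (not Tufin's code) that derives the statistics described above from a constructed rulebase and constructed log records: per-rule passed and blocked bytes over a report period at one-day resolution, the New/Changed flag for rules modified inside the period, and the unused and most-used candidates the Overview describes. The field names and the log tuple layout are assumptions, not a real vendor format.

```python
from datetime import date, datetime

# Constructed sample rulebase (hypothetical fields: id, position, last modified date).
RULEBASE = [
    {"id": "r1", "position": 1, "modified": date(2024, 1, 2)},
    {"id": "r2", "position": 2, "modified": date(2024, 3, 10)},
    {"id": "r3", "position": 3, "modified": date(2023, 12, 1)},
    {"id": "r4", "position": 4, "modified": date(2024, 3, 14)},  # changed inside the period
]

# Constructed sample log records: (timestamp, matched rule id, action, bytes).
LOGS = [
    ("2024-03-11T10:00:00", "r1", "accept", 1200),
    ("2024-03-11T10:05:00", "r1", "accept", 800),
    ("2024-03-12T08:00:00", "r2", "drop", 300),
    ("2024-03-13T23:59:00", "r4", "accept", 50),
    ("2024-03-20T00:00:00", "r1", "accept", 999),  # outside the report period
]


def rule_usage(rulebase, logs, start, end):
    """Per-rule usage for log records whose calendar day lies in [start, end].

    Only logged traffic counts, so a rule that does not log is invisible here,
    which is exactly why unlogged security rules skew the NAT statistics.
    """
    stats = {r["id"]: {"passed": 0, "blocked": 0, "hits": 0, "flag": ""} for r in rulebase}
    for ts, rule_id, action, nbytes in logs:
        day = datetime.fromisoformat(ts).date()  # one-day resolution
        if not (start <= day <= end) or rule_id not in stats:
            continue
        s = stats[rule_id]
        s["hits"] += 1
        s["passed" if action == "accept" else "blocked"] += nbytes
    for r in rulebase:
        # Rules created or changed during the period: usage may not reflect the current rule.
        if start <= r["modified"] <= end:
            stats[r["id"]]["flag"] = "New/Changed"
    return stats


def candidates(stats):
    """Unused rules (removal candidates, excluding New/Changed) and rules ranked by hits."""
    unused = sorted(rid for rid, s in stats.items() if s["hits"] == 0 and not s["flag"])
    ranked = sorted(stats, key=lambda rid: stats[rid]["hits"], reverse=True)
    return unused, ranked
```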

Notes per Device Vendor

  • Juniper firewalls (Netscreen and JunOS) - The report requires that Juniper Syslogs be configured.
  • Fortinet firewalls - The report requires that Fortinet Syslogs be configured.
  • Cisco routers - Group-member object usage is not provided.
  • Cisco firewalls - Some recorded object usage may not be relevant to the current configuration, and is marked in the report as 'potential hits'. Examples include:
    • A service port range contains ports that are not included in the current rule configuration during the report period.
    • A Source or Destination subnet contains hosts that are not included in the current rule configuration.
  • Palo Alto devices:
    • Object usage for Users and Applications is not supported.
    • In the report output, the ID on Device column displays the Rule UUID.
  • Check Point:
    • Usage statistics are also calculated for NAT rules.
    • If multiple policy packages are used for different gateways, you can select packages per Installation Target group. The report contains a section for each selected package.
    • You can also use the rule usage import CLI command to collect old usage statistics from Check Point devices for analysis in the rule usage report.
    • Special characters are not supported in inline-layer names.
    • In the report output, the ID on Device column displays the Rule UUID.
  • This report does not include data for Azure Firewalls or Azure NSGs. However, after configuring Azure to allow TOS Aurora to pull traffic information, you can use TQL queries in the Rule Viewer (timeLastHit) to see the Last Hit date. (Note that it takes one day for TOS Aurora to collect Azure information.)
  • You can schedule and run reports that identify unused rules on Azure Firewalls and NSGs using the Rule Analytics report or the Security Best Practices reports in SecureTrack Reporting Essentials.