Cleanup Browser

Overview

The Cleanup Browser lets you drill-down into the cleanups in your network to see exactly in which policies and rules the cleanups exist.

Each cleanup has an ID that is colored according to its priority and is shown on each policy or object where the cleanup exists.

For devices that support VIP (Virtual IP) objects, if a rule contains a VIP object, the rule must be global for the Cleanup Browser to match it as a cleanup rule.

IPv6 is not supported for this TOS feature (except for NSM IPv6 objects, which are shown in unused objects).

You can export the instances to a CSV file that you can use to automate the process of removing the duplicate objects. For Cisco devices, you can view the rules in textual format and click Export to save the ACLs as a CSV file. To properly view the CSV file, open it with a text editor.

Cleanups by Type

You can see the number of cleanups in the latest revision on a device or group of devices, grouped by cleanup type.

Each cleanup is part of a category of cleanups, or cleanup types. The cleanup types are:

  • (C01) Fully shadowed and redundant rules - Rules that never have hits from traffic because rules above them in the policy handle the traffic.

    • Shadowed - For rules that are marked as fully shadowed, click on Details to see the rules that shadow it.

    Note that layer 7 rule information, such as application-related criteria, is not currently taken into account when determining whether a rule is shadowed, so in some cases rules that are not actually shadowed may be reported as shadowed. All rules marked as fully shadowed should therefore be checked for layer 7 criteria before you decide whether to remove them.

  • (C05) Disabled rules - Rules that never have hits from traffic because they are disabled

  • (C06) Unattached network objects - Objects that are not used in any firewall rules or group objects. Objects used in other forms of management, such as NAT rules or VPN connections, may appear as unattached in the security policy. Verify the use of unattached objects across the relevant device management tools before removing them.

  • (C08) Empty groups - Group objects that do not have any members

  • (C11) Duplicate network objects - Duplicate network objects include hosts with the same IP address, networks with the same IP address and netmask, and IP address ranges with the same start and end addresses

  • (C12) Duplicate services - Services are reported as matching when they are not pre-defined and when they have the same values for:

    • Protocol - TCP or UDP

    • Port - Destination port

    • Source port - If specified in the object's properties

    • Timeout setting - Either session timeout (Check Point) or inactivity timeout (Juniper)

    • Match for Any - Check Point only

    The duplicate service cleanup does not compare source port and timeout in Palo Alto, service timeout in Juniper Netscreen, or protocol type in Check Point.

    Groups of services are reported as matching when they have the same group members and at least one of the group members is not a pre-defined service.

  • (C15) Unused network objects - Network objects and network object groups that are not in use across the security policy and have no hits in the policy traffic log during the time period configured in Settings > Configuration > Cleanup. These can be unattached objects, or objects that appear in access rules and object groups but are not being hit within those rules and groups.

    Notes:

    • The unused objects cleanup is disabled by default. When you enable it in Settings > Configuration > Cleanup, you must also select the time period (days, weeks or months) of the usage data. Objects that have no hits during the usage period are listed as unused.

    • Make sure that the cleanup settings in Settings > Administration > Maintenance are set to a longer period than the usage period for this cleanup, so that the usage data is not purged before it is evaluated.

    • The cleanup is shown only if there are hits on every day in the usage period, so that an object is not reported as unused because of a connectivity problem that caused at least one day without any traffic hits.

    • The cleanup does not include:

      • Objects used in VPN rules

      • Addresses in Cisco configurations that are not associated with defined objects

      • Traffic hits from the current day because the results are calculated nightly

      • Rules that were changed during the period and the objects that are used in the rules

      • Rules without logs

      • IPv6 objects in devices other than Juniper NSM

      • Predefined, implicit and NAT objects
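The C15 rules above (hits counted only inside the usage period, the current day excluded, every day must have hits, rules changed during the period and rules without logs skipped, predefined objects ignored) can be illustrated with a small script. This is an added example, not SecureTrack's code; the policy, object and log formats, the constructed dates and the object names are all assumptions made for the illustration.

```python
"""Toy C15 'unused network objects' check over a constructed usage log.
Added example, not SecureTrack's code; the log and policy formats are assumed."""
from collections import defaultdict
from datetime import date, timedelta

USAGE_PERIOD_DAYS = 7        # the period chosen in Settings > Configuration > Cleanup
TODAY = date(2024, 3, 15)    # constructed "today"; results are calculated nightly, so today is excluded

# Constructed policy: which objects each rule uses, when it was last changed, and whether it logs.
RULES = {
    "r1": {"objects": ["web1", "lan"], "changed": date(2024, 1, 2), "logging": True},
    "r2": {"objects": ["db1"], "changed": date(2024, 3, 12), "logging": True},          # changed inside the period
    "r3": {"objects": ["old_srv", "Any"], "changed": date(2023, 6, 1), "logging": True},
    "r4": {"objects": ["nolog_obj"], "changed": date(2023, 6, 1), "logging": False},    # rule without logs
}
PREDEFINED = {"Any"}             # predefined, implicit and NAT objects are never reported
UNATTACHED = ["orphan_host"]     # objects in the database but in no rule or group

# Constructed daily hit log: (day, object that matched). One entry per object per day.
LOG = [(date(2024, 3, 8) + timedelta(days=i), "web1") for i in range(7)]   # web1 hit every day
LOG += [(date(2024, 3, 10), "lan"), (date(2024, 3, 13), "db1"), (date(2024, 3, 15), "old_srv")]
# The same log with one day missing entirely, e.g. a collector outage.
LOG_WITH_GAP = [(d, o) for d, o in LOG if d != date(2024, 3, 10)]


def unused_objects(rules, log, today, period_days, unattached=(), predefined=()):
    """Return the sorted list of unused objects, or None when the usage period is incomplete.

    Mirrors the documented C15 rules: only hits inside the period (today excluded) count,
    every day must have at least one hit, rules changed during the period and rules
    without logs are skipped, and predefined objects are ignored."""
    start = today - timedelta(days=period_days)
    period = [start + timedelta(days=i) for i in range(period_days)]   # start .. yesterday
    hits_by_day = defaultdict(set)
    for day, obj in log:
        if start <= day < today:
            hits_by_day[day].add(obj)
    if any(not hits_by_day[d] for d in period):
        return None   # a day without any hits: do not report, it may be a connectivity problem
    seen = set().union(*hits_by_day.values())
    candidates = set(unattached)
    for rule in rules.values():
        if not rule["logging"] or start <= rule["changed"] < today:
            continue   # rules without logs, or changed during the period, contribute no candidates
        candidates.update(rule["objects"])
    return sorted(obj for obj in candidates - set(predefined) if obj not in seen)


if __name__ == "__main__":
    print(unused_objects(RULES, LOG, TODAY, USAGE_PERIOD_DAYS, UNATTACHED, PREDEFINED))
    print(unused_objects(RULES, LOG_WITH_GAP, TODAY, USAGE_PERIOD_DAYS, UNATTACHED, PREDEFINED))
```

With the full log the script reports `old_srv` (its only hit falls on the current day) and `orphan_host`; with the gapped log it returns `None`, which is the behaviour the notes describe for a day without any hits.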

Each cleanup is defined with a name, severity, and description. You can change the name and definition to fit the terminology and structure of your organization. You can also change the severity to indicate how important the cleanup is to your organization. You can change the severity of a risk in Settings > Configuration > Cleanup.

For each cleanup you can see:

  • Instances - the specific rules and objects where the cleanup exists in the current policy revisions and group objects for the selected device or group
  • Information - General information about the cleanup including the cleanup description
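The matching rules given for the cleanup types above (C01 fully shadowed rules with the layer 7 caveat, C05 disabled rules, C08 empty groups, C11 duplicate network objects and C12 duplicate services and service groups) can be shown as working checks over a small constructed policy. This is an added example, not SecureTrack's code or output: the object, service and rule formats, the names and addresses are all assumptions, and the shadowing check only considers coverage by a single earlier rule.

```python
"""Toy cleanup finder for C01, C05, C08, C11 and C12 over a constructed policy.
Added example, not SecureTrack's code; the object, service and rule formats are assumed."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed network objects: name -> (kind, value). Kinds follow the C11 matching rules.
OBJECTS = {
    "web1":      ("host", "10.0.0.5"),
    "web1_dup":  ("host", "10.0.0.5"),
    "lan":       ("network", "10.0.0.0/24"),
    "lan_copy":  ("network", "10.0.0.0/255.255.255.0"),   # same network written with a dotted mask
    "lan_small": ("network", "10.0.0.0/25"),
    "dhcp":      ("range", ("10.0.0.100", "10.0.0.200")),
    "dhcp2":     ("range", ("10.0.0.100", "10.0.0.200")),
}
# Constructed services: the fields C12 compares plus the predefined flag.
SERVICES = {
    "http":     {"proto": "tcp", "port": 80, "sport": None, "timeout": None, "predefined": True},
    "my_http":  {"proto": "tcp", "port": 80, "sport": None, "timeout": None, "predefined": False},
    "my_http2": {"proto": "tcp", "port": 80, "sport": None, "timeout": None, "predefined": False},
    "my_http3": {"proto": "tcp", "port": 80, "sport": None, "timeout": 3600, "predefined": False},
}
SERVICE_GROUPS = {"web_a": ["http", "my_http"], "web_b": ["my_http", "http"], "std": ["http"], "std2": ["http"]}
NETWORK_GROUPS = {"empty_grp": [], "web_grp": ["web1"]}
# Constructed rules in policy order; src/dst are CIDR strings, svc is (protocol, destination port).
RULES = [
    {"id": 1, "src": "10.0.0.0/24", "dst": "0.0.0.0/0", "svc": ("tcp", 80),  "enabled": True,  "app": None},
    {"id": 2, "src": "10.0.0.0/25", "dst": "0.0.0.0/0", "svc": ("tcp", 80),  "enabled": True,  "app": None},
    {"id": 3, "src": "10.0.0.0/25", "dst": "0.0.0.0/0", "svc": ("tcp", 443), "enabled": False, "app": None},
    {"id": 4, "src": "10.0.0.0/26", "dst": "0.0.0.0/0", "svc": ("tcp", 80),  "enabled": True,  "app": "web-browsing"},
]


def fully_shadowed(rules):
    """C01: list of (rule, shadowing rule, needs_l7_review). A rule is fully shadowed when an
    earlier enabled rule matches a superset of its source, destination and service, so it can
    never get a hit; the action does not matter because the earlier rule handles the traffic
    either way. Only single-rule coverage is checked. Layer 7 criteria are ignored, as the page
    warns, so rules that carry application criteria are flagged for manual review."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["enabled"]
                    and ip_network(rule["src"]).subnet_of(ip_network(earlier["src"]))
                    and ip_network(rule["dst"]).subnet_of(ip_network(earlier["dst"]))
                    and rule["svc"] == earlier["svc"]):
                found.append((rule["id"], earlier["id"], rule["app"] is not None))
                break
    return found


def disabled_rules(rules):
    """C05: rules that never get hits because they are disabled."""
    return [r["id"] for r in rules if not r["enabled"]]


def empty_groups(groups):
    """C08: group objects with no members."""
    return sorted(name for name, members in groups.items() if not members)


def duplicate_network_objects(objects):
    """C11: hosts with the same IP, networks with the same IP and mask (normalised to CIDR so a
    dotted mask still matches), and ranges with the same start and end addresses."""
    by_key = defaultdict(list)
    for name, (kind, value) in objects.items():
        key = (kind, ip_network(value).with_prefixlen if kind == "network" else value)
        by_key[key].append(name)
    return sorted(sorted(names) for names in by_key.values() if len(names) > 1)


def duplicate_services(services):
    """C12: non-predefined services with the same protocol, destination port, source port and timeout."""
    by_key = defaultdict(list)
    for name, svc in services.items():
        if not svc["predefined"]:   # predefined services are never reported
            by_key[(svc["proto"], svc["port"], svc["sport"], svc["timeout"])].append(name)
    return sorted(sorted(names) for names in by_key.values() if len(names) > 1)


def duplicate_service_groups(groups, services):
    """C12: service groups with the same members where at least one member is not predefined."""
    by_key = defaultdict(list)
    for name, members in groups.items():
        if any(not services[m]["predefined"] for m in members):
            by_key[frozenset(members)].append(name)
    return sorted(sorted(names) for names in by_key.values() if len(names) > 1)


if __name__ == "__main__":
    print("C01", fully_shadowed(RULES))
    print("C05", disabled_rules(RULES))
    print("C08", empty_groups(NETWORK_GROUPS))
    print("C11", duplicate_network_objects(OBJECTS))
    print("C12", duplicate_services(SERVICES), duplicate_service_groups(SERVICE_GROUPS, SERVICES))
```

Rule 4 is reported as shadowed by rule 1 with the review flag set: it is covered on source, destination and service, but its application criterion is exactly the layer 7 information the check ignores, which is why the page asks for a manual check before such a rule is removed. The `std`/`std2` groups are not reported because every member is predefined, and `my_http3` is kept apart from the other custom HTTP services by its timeout.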

What Can I Do Here?

Finding and Exporting Cleanup Instances

  1. Go to Browser > Cleanup.

  2. Select a device or group from the device tree.

    The cleanups are listed and sorted according to priority.

  3. Select a cleanup type.

    If you selected a group of devices, you can select from the Show list to see the instances for each device in the group.

    For the specified device, the cleanup browser shows where the specified cleanups exist in the current policies, shown in the vendor's format. The instances are listed with all of the cleanups that apply to them. The IDs for the selected cleanups are highlighted and the cleanups that are not currently selected are dimmed.

  4. Click to save all of the cleanup instances to a CSV file you can open from the Reports Repository.

    If you selected a group of devices, the CSV file contains the cleanup instances for all of the devices in the group. To export only the instances for one device, select that device from the device tree and click .

How Do I Get Here?

In SecureTrack, go to Browser > Cleanup.