This post is based on the PA 2050 running v5.1. I have only recently started playing with these beauties and love em.
One of the things I loved about the ASA was the way that access-rules were logged and their respective hit counts could be viewed in the ASDM main configuration view. This is a great way of finding out if your rules are working, if they need to be changed or can simply be deleted. Naturally I was trying to find a way to do something similar on the PA.
The way to do this is to go to the MONITOR tab and create a custom report (see the screenshot below). For this you need the 'Traffic Log' database, sorted by 'repeat count'.
|Creating a custom report based on hit count|
Adding "Rule" to the selected columns in your custom report (see screenshot above) will add the name of the rule that was hit by the relevant traffic to the report.
Please note that the output of running this report will provide both access-rules as well as URL filtering rule results.
If you run the report as defined above, it will give you a top 50 of the most used rules, which serves some purposes but is not very useful for specific diagnostics or clean-up (see below, and sorry for the huge picture, but that was the only way I could keep it legible; it just sucks that google blog is hopeless with relative CSS sizes).
OK, so Minkmeister, if you know it all; how do we go more granular?
Wait for it... I give you the 'query builder'! And the good news is that it comes for free, gratis.
Picture the following scenario: I have just added a new rule allowing syslog traffic to my monitoring server (mon01) and want to know if it is getting hit.
The rule is as follows:
Take particular notice of the name of the rule (dmz-sw1 to mon01 syslog), because we need it for the query builder.
|Custom Report - Query Builder|
You could make this even more granular by saying, for instance, that I want to see all traffic that hits that particular rule, but only if its source IP address is 22.214.171.124. In this case you add a second criterion to your query builder:
(rule eq 'dmz-sw1 to mon01 syslog') and (addr.src in 126.96.36.199)
Once you get the hang of it, you will probably be able to type your own queries straight into the query builder, rather than going through the column below it (see screenshot above).
So what if you want to figure out which of your policies (rules) are NOT being used, so you can do a clean-up? Can custom reports help you with that? Well, not a great deal, to be honest. But Palo Alto has a standard report that can give you that insight, and I will tell you how.
Start off by going into the Policies tab and ticking "Highlight Unused Rules" (see screenshot below).
|Highlight unused rules|
Now if you go to the Monitor tab and then to Reports, you will be presented with a bunch of pre-populated traffic, URL filtering and application reports. And because I am all about avoiding re-inventing the wheel, why bother with custom reports?
|Ready made Traffic and other reports|
Producing a security policies traffic report and combining it with the highlighted unused rules should give you a pretty good insight into which rules can be culled.
I have time for one more scenario: what if you are sending traffic out to the internet, or through the PA for that matter, and you want to see which rule it hits, or check why it is not being passed through the PA? For example, let's say I wanted to know which rule gets hit when I send traffic from my end station to a web host at 188.8.131.52. Go to your custom report and change the query builder to:
Make sure you add rule, source address, destination address and repeat count to the selected columns, and Bob's your uncle.
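For readers who export the traffic log rather than click through the reports, here is an added example (my own Python, not part of the post or of PAN-OS) that tallies repeat counts per rule, emulates the query-builder filter `(rule eq '...') and (addr.src in ...)` from the syslog scenario, and lists the rules a policy has that never appear in the log, which is what "Highlight Unused Rules" flags. The log rows, the `web-out` rule name and the inner addresses are constructed for the example.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export of a traffic log (not real firewall data); the
# columns mirror the ones the post adds to its custom report.
SAMPLE_LOG = """rule,src,dst,repeatcnt
dmz-sw1 to mon01 syslog,126.96.36.199,10.10.10.5,40
dmz-sw1 to mon01 syslog,126.96.36.200,10.10.10.5,5
web-out,192.168.1.20,188.8.131.52,12
web-out,192.168.1.21,188.8.131.52,3
"""

def load_rows(text):
    """Parse a CSV export; repeatcnt becomes an int so it can be summed."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["repeatcnt"] = int(row["repeatcnt"])
    return rows

def hits_per_rule(rows):
    """Sum repeat counts per rule: the 'sort by repeat count' custom report."""
    counts = Counter()
    for row in rows:
        counts[row["rule"]] += row["repeatcnt"]
    return counts

def query(rows, rule=None, addr_src=None):
    """Emulate (rule eq '<rule>') and (addr.src in <addr_or_cidr>); a
    criterion left as None is not applied, so query(rows) returns all rows."""
    net = ipaddress.ip_network(addr_src, strict=False) if addr_src else None
    out = []
    for row in rows:
        if rule is not None and row["rule"] != rule:
            continue
        if net is not None and ipaddress.ip_address(row["src"]) not in net:
            continue
        out.append(row)
    return out

def unused_rules(policy_rule_names, rows):
    """Rules in the policy with no log rows: the ones the
    'Highlight Unused Rules' toggle flags as clean-up candidates."""
    seen = {row["rule"] for row in rows}
    return {name for name in policy_rule_names if name not in seen}
```

Feed `load_rows` a real CSV export with the same four columns and `hits_per_rule(...).most_common(50)` reproduces the top-50 view from the first report.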