Open bethatasitmay opened 7 months ago
Thanks for sharing this; I will look into it.
Some more hints: as you are running this against Panorama, and this feature only checks Panorama log information directly via the Panorama XML API, the main problem is again based on Panorama. It looks like this Palo Alto Networks feature is also not well integrated into Panorama. I assume your screenshots are from the FW and not from Panorama.
If you would like to search for rules which are NEVER triggered, please use: `pan-os-php type=rule in=api://panorama location={DGNAME} 'filter=(rule is.unused.fast )'`
The screenshots are from Panorama.
I thought, based on the other issue/discussion, that unused.fast queried the firewall via Panorama? Has its behavior changed? In the distant past (PAN Configurator, probably) it was only checking a hit/no-hit counter, and that counter would be reset if the firewall rebooted.
Describe the bug
When I use (timestamp-last-hit.fast = 0) to tag rules, rules are getting tagged where one member of the cluster has no hits while the other does. I had also noticed similar behavior when running (timestamp-last-hit.fast < - 366) to tag rules unused for over a year: if one cluster member's last hit is more than a year old but the other member's last hit is less than a year old, the rule still gets tagged.
I need to look at a lot of rules to see if it is consistent based on cluster member order or not (in other words, whether it is only checking the first cluster member and not the second). Spot-checking a few rules indicates only the first cluster member is examined.
Expected behavior
When making the filter match, both cluster members should be examined to see if either matches.
Current behavior
See above.
Steps to reproduce
```shell
php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=tag-Add:Unused-Never 'filter=(timestamp-last-hit.fast = 0)'
```
or
```shell
php -r "require_once 'C:/tools/pan/pan-os-php/utils/pan-os-php.php';" type=rule in=api://panorama.domain.com location=FW1 ruletype=security actions=tag-Add:UNUSED-Year 'filter=(timestamp-last-hit.fast < - 366 days)'
```
Screenshots
Here's an example of the Unused-Never tagging. This rule was tagged.
This is an example of the unused for over a year tagging:
Context
Tagging unused rules for future deletion.
Your Environment
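The expected behavior described in this report (a rule counts as unused only when neither HA cluster member has used it) next to the reported first-member-only behavior, as an added illustration that is not pan-os-php code; the rule names and per-member hit data are constructed, not real Panorama output.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the results are deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
YEAR = timedelta(days=366)

# Constructed sample: per-rule hit data as it might be collected from each
# HA cluster member. last_hit is None when the member never matched the rule.
SAMPLE_HITS = {
    "allow-dns": {
        "fw1": {"hits": 0, "last_hit": None},
        "fw2": {"hits": 1200, "last_hit": NOW - timedelta(days=2)},
    },
    "allow-legacy-app": {
        "fw1": {"hits": 4, "last_hit": NOW - timedelta(days=400)},
        "fw2": {"hits": 9, "last_hit": NOW - timedelta(days=30)},
    },
    "allow-old-vpn": {
        "fw1": {"hits": 0, "last_hit": None},
        "fw2": {"hits": 0, "last_hit": None},
    },
    "allow-retired-db": {
        "fw1": {"hits": 2, "last_hit": NOW - timedelta(days=500)},
        "fw2": {"hits": 1, "last_hit": NOW - timedelta(days=700)},
    },
}

def never_hit(member):
    """Equivalent of the (timestamp-last-hit.fast = 0) condition for one member."""
    return member["hits"] == 0

def stale_hit(member, max_age):
    """Last hit older than max_age; a member that never matched also counts as stale."""
    return member["last_hit"] is None or NOW - member["last_hit"] > max_age

def first_member_only(rule_hits, predicate, **kw):
    """The behavior reported in the issue: only the first cluster member is examined."""
    first = next(iter(rule_hits.values()))
    return predicate(first, **kw)

def all_members(rule_hits, predicate, **kw):
    """Expected behavior: the rule is unused only if it is unused on every member."""
    return all(predicate(m, **kw) for m in rule_hits.values())

def select_rules(hits, checker, predicate, **kw):
    """Return the sorted rule names that the given checker would tag."""
    return sorted(r for r, members in hits.items() if checker(members, predicate, **kw))
```

With the first-member-only check, `allow-dns` is tagged as never used although fw2 matched it two days ago; the all-members check tags only `allow-old-vpn` for never-used and `allow-old-vpn` plus `allow-retired-db` for unused-over-a-year.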