View the policy rule hit count data of managed firewalls
to monitor rule usage so you can validate rules and keep your rule
base organized.
View the number of times a Security, NAT,
QoS, policy-based forwarding (PBF), Decryption, Tunnel Inspection,
Application Override, Authentication, or DoS protection rule matches
traffic to help keep your firewall policies up to date as your environment
and security needs change. To prevent attackers from exploiting over-provisioned
access, such as when a server is decommissioned or when you no longer
need temporary access to a service, use the policy rule hit count
data to identify and remove unused rules.
Policy rule usage
data enables you to validate rule additions and rule changes and to
monitor the time frame when a rule was used. For example, when you
migrate port-based rules to app-based rules, you create an app-based
rule above the port-based rule and check for any traffic that matches
the port-based rule. After migration, the hit count data helps you
determine whether it is safe to remove the port-based rule by confirming
whether traffic is matching the app-based rule instead of the port-based
rule. The policy rule hit count helps you determine whether a rule is
effective for access enforcement.
You can reset the rule hit
count data to validate an existing rule or to gauge rule usage within
a specified period of time. Policy rule hit count data is not stored
on the firewall or Panorama so that data is no longer available after
you reset (clear) the hit count.
The rule hit count
data is not synchronized across firewalls in a high availability
(HA) deployment so you need to log in to each firewall to view the
policy rule hit count data for each firewall or use Panorama to
view information on the HA firewall peers.