SRX Services Gateway

Check unnecessary security policies to detect them and remove from SRX

‎04-07-2015 12:50 PM

Hello!

Please explain how to check for unnecessary security policies, detect them, and remove them from the SRX.

For example,

There is an SRX650 that I have only seen for a little time, but I understand that there are many security policies that are not in use (but I am not 100% sure that this is so).

Is there any effective method to identify unused security policies?


4 replies

Solution (accepted by topic author vlazarev, 08-26-2015 01:27 AM)

Re: Check unnecessary security policies to detect them and remove from SRX

‎04-07-2015 01:03 PM

My suggestion would be:
- enable "count" option to all the security rules.

- clear all the count statistics.

- check policies with count of 0.  After 30 days or so, if it's still 0, then the rule may no longer be needed.
To clear count stats: "clear security policies hit-count"

To check policies with count of 0: "show security policies hit-count less-than 1"
I still see 2 gotchas:

1. device may have a limit as to the maximum number of rules that can have 'count' configured

2. it may be normal for some rules not to be hit within the 30 days or so you monitor.
Hope this helps.
Regards,

Sam


Re: Check unnecessary security policies to detect them and remove from SRX

‎04-07-2015 01:36 PM

Thanks! It is necessary to try! A very good way!

Before your suggestion, I had thought about creating traceoptions for every session flow (specifying the parameters of the session) and checking every log file after 30 days. (Your method is preferable.)


Re: Check unnecessary security policies to detect them and remove from SRX

‎04-10-2015 12:18 PM

By the way, if you are on Junos 12.1 or later you can just use the command below to show you all policy hit counters without having "then count" enabled.
>show security policy hit-count
Also note that you cannot configure unlimited "then count" policy actions. I don't remember the exact number, but it is something like a few hundred per device.
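The triage step in Sam's procedure (clear the counters, wait, then list policies with a hit count below 1) and the hit-count command in the post above both end with a table that somebody has to read through by hand. The script below is an added example, not code from this thread or from Juniper: it parses a hit-count table, applies an exclusion list for rules that are legitimately idle (Sam's second gotcha, such as disaster-recovery or break-glass rules), and emits Junos deactivate statements rather than deletes, so a rule can be put back with activate if something breaks after the commit. The sample table is constructed and its column layout is modelled from memory on what `show security policies hit-count` prints; the regex is written to skip the header, logical-system and summary lines, but check the layout against a real device before trusting it on live output.

```python
"""Triage Junos SRX policy hit counts to find candidate unused policies.

Added example, not from the thread. The sample below is constructed and
only approximates the real `show security policies hit-count` layout.
"""
import re
from dataclasses import dataclass

# Constructed sample, shaped like `show security policies hit-count` output
# captured a month after `clear security policies hit-count`.
SAMPLE_HIT_COUNT = """\
Logical system: root-logical-system
 Index   From zone        To zone          Name              Policy count
 1       trust            untrust          allow-web         48213
 2       trust            untrust          allow-ssh-admin   0
 3       trust            dmz              allow-dns         1730
 4       dmz              untrust          legacy-ftp        0
 5       untrust          dmz              dr-replication    0
Number of policy: 5
"""


@dataclass(frozen=True)
class PolicyHit:
    index: int
    from_zone: str
    to_zone: str
    name: str
    count: int


# One data row: index, from-zone, to-zone, policy name, hit count.
# Header, "Logical system:" and "Number of policy:" lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_hit_count(text: str) -> list[PolicyHit]:
    """Parse the policy rows out of hit-count command output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, fz, tz, name, cnt = m.groups()
            rows.append(PolicyHit(int(idx), fz, tz, name, int(cnt)))
    return rows


def unused_candidates(rows, threshold=1, expected_idle=frozenset()):
    """Policies hit fewer than `threshold` times, minus a reviewed list of
    rules that are expected to stay idle (DR, break-glass, incident-only)."""
    return [r for r in rows
            if r.count < threshold and r.name not in expected_idle]


def deactivate_commands(candidates):
    """Configuration-mode statements that disable, rather than delete, each
    candidate; `activate` reverses them without re-typing the policy."""
    return [
        f"deactivate security policies from-zone {r.from_zone} "
        f"to-zone {r.to_zone} policy {r.name}"
        for r in candidates
    ]


if __name__ == "__main__":
    rows = parse_hit_count(SAMPLE_HIT_COUNT)
    cands = unused_candidates(rows, expected_idle={"dr-replication"})
    for c in cands:
        print(f"{c.from_zone}->{c.to_zone} {c.name}: {c.count} hits")
    print()
    print("\n".join(deactivate_commands(cands)))
```

Run it against the saved output of the hit-count command instead of the constructed sample, keep the exclusion list under review (it is the place where the "normal not to be hit in 30 days" cases are recorded), and leave the deactivated policies in place for another monitoring window before deleting them.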


Re: Check unnecessary security policies to detect them and remove from SRX

‎04-11-2015 02:06 PM

OK! Thanks!