ScreenOS Firewalls (NOT SRX)

Zero-Hit Count Policy

‎05-25-2017 10:17 AM



I have one client who asked me to optimize his SSG550M configuration, and one part of this requirement is to delete all policies with a zero hit count.

Enabling counting on policies has a limitation of 125 policies, which will not serve our practice. Is there any command (hidden command) or way to check whether a policy gets hit or not?





Re: Zero-Hit Count Policy

‎05-25-2017 10:37 PM

Hi Atif,


I doubt that there could be any straightforward answer to this. You can try the below:


1: Dump the 'get session' output 2-3 times during the busy hours, put them in an Excel sheet etc. and check which policies are used.

2: Enable policy counting only for the policies which are not in the 'get session' output. Also, if you have traffic logs enabled, then you can see which policies are mostly used. Enable the counting accordingly.

3: If the number of unused policies is still more than 125, then you may need to do it in phases.
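The three steps above (dump 'get session' several times, tabulate which policy IDs appear, then enable counting only on the policies that never appeared, in batches of at most 125) can be done with a short script instead of a spreadsheet. The following is an added example, not code from either poster. The session dumps and the list of configured policy IDs are constructed sample data; the regular expression assumes that each session's first line in 'get session' output starts with 'id N/...' and carries a 'policy N,' field, which is the ScreenOS format as the author of this example remembers it and should be checked against a real capture before use. The generated 'set policy id N count' commands are the standard ScreenOS syntax for turning on a policy counter.

```python
import re
from collections import Counter

# Constructed sample: three 'get session' captures taken at different busy hours.
# Only the first line of each session carries the policy ID; the 'if' lines are the
# per-interface flow details and are ignored by the parser.
SESSION_DUMPS = [
    """id 1/s**,vsys 0,flag 08000040/0000/0001,policy 5,time 180, dip 0 module 0
 if 0(nspflag 800801):10.1.1.5/51414->10.2.2.2/80,6,000c29d8bcf8,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 4(nspflag 802800):10.1.1.5/51414<-10.2.2.2/80,6,000000000000,sess token 8,vlan 0,tun 0,vsd 0,route 1
id 2/s**,vsys 0,flag 08000040/0000/0001,policy 5,time 120, dip 0 module 0
 if 0(nspflag 800801):10.1.1.6/51415->10.2.2.2/443,6,000c29d8bcf8,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 3/s**,vsys 0,flag 08000040/0000/0001,policy 7,time 60, dip 0 module 0
 if 0(nspflag 800801):10.1.1.7/40000->10.3.3.3/53,17,000c29d8bcf8,sess token 4,vlan 0,tun 0,vsd 0,route 1
Total 3 sessions shown
""",
    """id 4/s**,vsys 0,flag 08000040/0000/0001,policy 5,time 180, dip 0 module 0
 if 0(nspflag 800801):10.1.1.8/51420->10.2.2.2/80,6,000c29d8bcf8,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 5/s**,vsys 0,flag 08000040/0000/0001,policy 12,time 30, dip 0 module 0
 if 0(nspflag 800801):10.1.1.9/3389->10.4.4.4/3389,6,000c29d8bcf8,sess token 4,vlan 0,tun 0,vsd 0,route 1
Total 2 sessions shown
""",
    """id 6/s**,vsys 0,flag 08000040/0000/0001,policy 7,time 60, dip 0 module 0
 if 0(nspflag 800801):10.1.1.7/40001->10.3.3.3/53,17,000c29d8bcf8,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 7/s**,vsys 0,flag 08000040/0000/0001,policy 7,time 60, dip 0 module 0
 if 0(nspflag 800801):10.1.1.7/40002->10.3.3.3/53,17,000c29d8bcf8,sess token 4,vlan 0,tun 0,vsd 0,route 1
Total 2 sessions shown
""",
]

# Constructed sample: policy IDs as listed by 'get policy all' on the box.
CONFIGURED_POLICIES = [1, 2, 5, 7, 9, 12]

# Assumed session-header format: "id <n>/<flags>,...,policy <id>,..." on one line.
SESSION_LINE = re.compile(r"^id \d+/\S+,.*?\bpolicy (\d+),")


def policies_hit(dump):
    """Count how many sessions in one 'get session' capture matched each policy ID."""
    hits = Counter()
    for line in dump.splitlines():
        m = SESSION_LINE.match(line)
        if m:
            hits[int(m.group(1))] += 1
    return hits


def merge_hits(dumps):
    """Combine several captures into one per-policy session count."""
    total = Counter()
    for dump in dumps:
        total.update(policies_hit(dump))
    return total


def unseen_policies(configured, hits):
    """Configured policy IDs that never appeared in any capture: the candidates for counting."""
    return sorted(p for p in configured if p not in hits)


def count_commands(unseen, limit=125):
    """Build 'set policy id N count' commands for the first batch (the ScreenOS
    per-device counter limit the question mentions is 125) and return the remainder
    for a later phase, as step 3 of the reply suggests."""
    batch = unseen[:limit]
    remainder = unseen[limit:]
    return [f"set policy id {p} count" for p in batch], remainder


if __name__ == "__main__":
    hits = merge_hits(SESSION_DUMPS)
    unseen = unseen_policies(CONFIGURED_POLICIES, hits)
    commands, later = count_commands(unseen)
    print("sessions per policy:", dict(hits))
    print("never seen in captures:", unseen)
    print("\n".join(commands))
    if later:
        print("defer to next phase:", later)
```

A policy that never shows up in a few snapshot captures is not proven dead; it may only carry traffic outside the sampled windows (backups at night, monthly batch jobs), which is exactly why the reply turns the counter on for the unseen policies rather than deleting them straight away. The zero-session list is the input to that counting phase, not the deletion list.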