Find less rule/policy use and useless rule

Post your thoughts and suggestions here!
Post Reply
enzo
Posts: 22
Joined: 29 May 2016, 22:09
Location: Italy

Find less rule/policy use and useless rule

Post by enzo » 24 Feb 2022, 08:41

Hi Peter,

in Cos Core or in InControl is there a way to find the less rule/policy like 0 count?
And, have you a strategy or tool to find useless rule/policy?

For example if I crete the rule:

allow from lan all-nets to wan all-nets all-service

before the rule

allow from lan all-nets to wan all.nets http-service

the second rule is never used.

This is a simple example but in our situation where we have about over 500 rule is more probably to find the above situation.

Thank's for your answer

Best regards

Enzo SIlvestri
Università degli Studi di Bari
Vincenzo Silvestri
Università degli Studi di Bari

Peter
Posts: 699
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Find less rule/policy use and useless rule

Post by Peter » 03 May 2022, 12:41

Hello.

There has been discussions on and off about making this presentable to the administrator in e.g. InControl. There is an RFE (request for enhancement) about adding this to InControl.

"ICC-6708 - Add a Rule Usage Counter in InControl"

This one is actually being investigated and if all goes well (knock on wood and all that) it will be added in a future version if InControl. No exact version has been set yet but a release under 2022 is not impossible.

When it comes to seeing the rule usage currently, you can use the CLI command "Rules -verbose" to see the rule usage. This command will also list IP policy's but the index will not reflex the exact rule and you must instead look at the name of the rule to figure out exactly which rule/policy it is.

The reason for this is because an IP policy "in the background" may create multiple IP rules, this cause the index to be skewered. It's basically a known limitation when it comes to the "rules" CLI command.

Best regards
/Peter

Post Reply