[Workaround] Policy Hit Counter on PaloAlto firewalls

This week I was attending a workshop on PaloAlto firewalls. PaloAlto (PA) firewalls became famous when Gartner scored them on a top position in their 2011´s magic quadrant for enterprise firewalls (see here).

Long story short: It´s absolutely amazing how many features their firewalls offer. All features can be fully administrated via a nice looking web-interface. On the other hand I experienced, that there are some smaller features missing, which can be very useful in daily use.

One of those features is a hit counter for policies (or let´s call them rules). One main thing about firewalls is that you define rulesets on how traffic is forwarded or blocked. There may always be rules which are never used – like those which are setup up to prevent possible attacks. On the other hand a low hit number can also mean that a rule isn´t set up properly and the administrator should have a second look over it. A hit counter can also be useful for troubleshooting purposes since the administrator gets a fast feedback if packets are blocked from particular zones. At least our administrators are used to work with those counters as Cisco is offering policy hit counter in their ASA firewall line for a long time.

Unfortunately Pan-OS (that´s the name of the PaloAlto´s firewall software) doesn´t offer such a feature in their current release (4.1.6). Here is where you can make advantage of the highly customizable reporting function of PA firewalls. Go to the management interface under the tab Monitor you´ll find the menu “Manage Custom Reports”. Here you can add a new report with the following attributes:

Name: Hit Counter
Database: Traffic Log
Time Frame: whatever you want (probably 60 seconds or 15 minutes is a good value for troubleshooting).
Sort by: Repeat Count – Top 50
Selected Columns: Rule, Source address, destination address, Repeat Count


Setting up a Hit Counter on PaloAlto firewalls with customized reports.

After that, hit the “Run Now” button and you will see a report showing you a table with the top 50 used rules. However this probably won´t help you with rules which are only used a few times (their hit counter is too low to be shown in the top 50 list). This is where you can make use of the query builder, located under the report settings. As shown in the image you can use the query builder to define the rule that you want to keep track of.

I know this solution isn´t as useful as a hit counter itself, but at least it gives administrator an easy way to get some information on rule usage – plus it can be done automatically with the schedule function.


About sitweak
Monitoring, Network, Firewall, Mobile Security. I´m totally into that stuff!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: