A company moved its old port-based firewall to a new Palo Alto Networks NGFW 60 days ago. Which utility should the company use to identify out-of-date or unused rules on the firewall?
A. Rule Usage Filter > No App Specified
B. Rule Usage Filter > Hit Count > Unused in 30 days
C. Rule Usage Filter > Unused Apps
D. Rule Usage Filter > Hit Count > Unused in 90 days
Exactly, for that reason it is the correct answer. If you choose the option of 30 days, some rule could have been used within 30 to 60 days; therefore the answer that assures me that it has not been used for more than 60 days is "D".
Guys, I checked it on our production firewall: the 90 days is a timeframe, so it includes the 30 days as well. I checked the policies inside and the 90 includes the 30 ones as well. So to see 60 days you have to pick 90 for sure (even if it makes NO sense).
D is correct; the filter is applied to within the last 90 days, which includes the 60 days.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/view-policy-rule-usage
The point of the 30 and 90 day filters in policy optimizer is identifying policies that haven't had hits in a long time so you can assume you can delete them. Thus the 90 day filter looks for policies that have gone 90 OR MORE days without a hit. The firewall in this scenario is only 61 days old so answer D does not apply. I think C is the best answer.
D is the most accurate answer, but all are actually wrong.
In PAN-OS v10, if we select "Policies" at the top of the page and then navigate to the bottom left, we can see "Policy Optimizer", where the options are:
- New App Viewer
- Rules Without App Controls
- Unused Apps
- Rule Usage
With Rule Usage having the following options:
- Unused in 30 days
- Unused in 90 days
- Unused
So the actual correct answer is:
Policies --> Policy Optimizer --> Unused in 90 days
I'm currently logged on to a PA-VM with PAN-OS version 10.1.3. You can only do this from the bottom left of the screen under Rule Optimizer. A & C are wrong because there is no such option.
There is no "Hit Count" option either, so for the sake of this question I think B & D would be correct, but B is our best option.
The real available options on the firewall are:
1. Unused in 30 days
2. Unused in 90 days
3. Unused
I think the answer to your question is that whatever you pick, it will show you "this number" and downwards, so I would say that choosing Unused in 90 days, would show you rules unused for 1-90 days which includes 60 days (something that Unused in 30 days doesn't).
If they only migrated 60 days ago, there can't be any rules that haven't been hit for more than 90 days.
LuisLfr (Highly Voted, 3 years, 8 months ago)
Darude (Most Recent, 4 months, 2 weeks ago)
KirinKev (6 months, 3 weeks ago)
Ptopics (1 year ago)
error_909 (1 year, 4 months ago)
Rowdy_47 (1 year, 8 months ago)
Cyril_the_Squirl (1 year, 9 months ago)
Cyril_the_Squirl (1 year, 9 months ago)
diego1984 (1 year, 9 months ago)
AngelXavier (2 years, 6 months ago)
Ab121213 (3 years, 2 months ago)
PANW (3 years, 2 months ago)
Theo11M (3 years, 2 months ago)
John555 (3 years, 4 months ago)
RedByte (3 years, 8 months ago)