
Is it possible to write a Forward NQE query that will produce a list of firewall rules that have been modified in the last 30 days?  It would be helpful to have firewall name, the rule ID numbers, and date/time last modified if possible.

This NQE already exists. You can find it in the NQE Library under

/Forward Library/Security/Firewalls with Unused Security Rules

John: For Palo Alto FW, the following query will provide a basis for your requirement.

// Walk every ACL entry on every device and keep only those that carry
// lifecycle data (creation, modification and last-use timestamps).
foreach device in network.devices
foreach aclEntry in device.aclEntries
where isPresent(aclEntry.lifecycleData)
let lifecycleData = aclEntry.lifecycleData
select {
  deviceName: device.name,
  createdAt: lifecycleData.createdAt,
  lastModified: lifecycleData.lastModified,
  lastUsed: lifecycleData.lastUsed,
  truncatedHitCount: lifecycleData.truncatedHitCount
}

If you want to perform math on the dates, you can add the following to represent current time at time of collection.

// Use the collection time of the snapshot, falling back to the backfill time
// when no collection time is recorded for the device.
let currentTime =
  if isPresent(device.snapshotInfo.collectionTime)
  then device.snapshotInfo.collectionTime
  else device.snapshotInfo.backfillTime

Is it possible to get NQE to return the list of unused firewall rule IDs with the results? That is the piece of data that is missing for me today.

