Question

Forward NQE Query to Identify Modified Firewall Rules

  • May 7, 2025
  • 4 replies
  • 81 views

Is it possible to write a Forward NQE query that will produce a list of firewall rules that have been modified in the last 30 days?  It would be helpful to have firewall name, the rule ID numbers, and date/time last modified if possible.

4 replies

  • Employee
  • 24 replies
  • May 8, 2025

This NQE already exists. You can find it in the NQE Library under

/Forward Library/Security/Firewalls with Unused Security Rules

GTurner
Employee
  • Employee
  • 2 replies
  • May 8, 2025

John: For Palo Alto FW, the following query will provide a basis for your requirement.

foreach device in network.devices
foreach aclEntry in device.aclEntries
where isPresent(aclEntry.lifecycleData)
let lifecycleData = aclEntry.lifecycleData
select {
  deviceName: device.name,
  createdAt: lifecycleData.createdAt,
  lastModified: lifecycleData.lastModified,
  lastUsed: lifecycleData.lastUsed,
  truncatedHitCount: lifecycleData.truncatedHitCount
}

If you want to perform math on the dates, you can add the following to represent current time at time of collection.

let currentTime =
  if isPresent(device.snapshotInfo.collectionTime)
  then device.snapshotInfo.collectionTime
  else device.snapshotInfo.backfillTime
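As an added example (not part of this thread and not Forward Networks' own code), the Python below post-processes rows exported from the query above and keeps only rules whose lastModified falls within the last 30 days of the snapshot's collection time, which is the list the original question asked for. It assumes the rows are exported as JSON with ISO-8601 timestamps, and that the user has added a rule name column and the currentTime value to the select block; both the sample rows and those two columns are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like the reply's select block, exported as
# JSON with ISO-8601 timestamps (an assumption about the export format).
# "ruleName" and "currentTime" are extra columns the user would add to the
# select themselves; they are assumptions, not part of the posted query.
SAMPLE_ROWS = [
    {"deviceName": "fw-edge-1", "ruleName": "allow-web",
     "lastModified": "2025-04-20T08:15:00Z", "lastUsed": "2025-05-06T23:59:00Z",
     "truncatedHitCount": 1200, "currentTime": "2025-05-07T12:00:00Z"},
    {"deviceName": "fw-edge-1", "ruleName": "legacy-ftp",
     "lastModified": "2025-04-30T16:40:00Z", "lastUsed": None,
     "truncatedHitCount": 0, "currentTime": "2025-05-07T12:00:00Z"},
    {"deviceName": "fw-dc-2", "ruleName": "mgmt-ssh",
     "lastModified": "2024-12-01T09:00:00Z", "lastUsed": "2025-05-07T11:00:00Z",
     "truncatedHitCount": 88, "currentTime": "2025-05-07T12:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp; None stays None (field absent on the rule)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recently_modified(rows, days=30):
    """Return rules whose lastModified is within `days` of the snapshot's
    collection time, newest first, each flagged if it has never matched traffic."""
    window = timedelta(days=days)
    hits = []
    for row in rows:
        now = parse_ts(row["currentTime"])
        modified = parse_ts(row.get("lastModified"))
        if modified is None or now - modified > window:
            continue
        hits.append({
            "firewall": row["deviceName"],
            "rule": row["ruleName"],
            "lastModified": modified.isoformat(),
            # No last-use timestamp and a zero hit count: the rule has never
            # matched traffic since lifecycle data started being collected.
            "unused": row.get("lastUsed") is None and row.get("truncatedHitCount", 0) == 0,
        })
    hits.sort(key=lambda r: r["lastModified"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in recently_modified(SAMPLE_ROWS):
        print(hit)
```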

  • Author
  • Ramping Up
  • 2 replies
  • May 9, 2025

Is it possible to get NQE to return the list of unused firewall rule IDs with the results? That is the piece of data that is missing for me today.


  • Employee
  • 24 replies
  • May 12, 2025

Hi John,

When you run the built-in NQE:

/Forward Library/Security/Firewalls with Unused Security Rules

It will show you the names of the policies.

Then click on the unused policy; it will open a tab on the right side.

Scroll down to see the firewall policy name.

This will show the policy ID.

Does this solve your request?