Understanding Rule Hit Counts and Firewall Reboots in PAN-OS

Rule Usage Hit Counter

The Rule Usage Hit Counter in PAN-OS tracks the number of times a security policy rule has been matched by traffic. Key characteristics include:

• Persistence: The hit count persists across firewall reboots, dataplane restarts, and upgrades unless manually reset or the rule is renamed. In PAN-OS versions prior to 9.0, renaming a rule resets its hit count due to tracking by rule name. From PAN-OS 9.0 onwards, rules are tracked using a Universally Unique Identifier (UUID), preventing hit count resets upon renaming [PAN KB] .
• Manual Reset: Administrators can manually reset the hit count via the web interface by selecting a security policy rule and choosing Hit Count > Reset , or through the CLI using appropriate commands.

Highlight Unused Rules

The "Highlight Unused Rules" feature in PAN-OS provides a visual indication of security policy rules that have not been used since the last dataplane restart. Important aspects include:

• Reset on Reboot: This feature resets upon a firewall reboot or dataplane restart, highlighting all rules as unused until they are matched by traffic [PAN Community Blog] .
• Visual Aid: Unused rules are typically indicated with a dotted background in the web interface, aiding administrators in identifying and reviewing them for potential cleanup.

Impact of Firewall Reboots

Understanding the behavior of rule tracking features during firewall reboots is crucial:

• Rule Usage Hit Counter: Retains its values across reboots, providing a historical view of rule usage unless manually reset or the rule is renamed (pre-PAN-OS 9.0).
• Highlight Unused Rules: Resets upon reboot, marking all rules as unused until they are subsequently matched by traffic.

PCNSE Exam Considerations

For the Palo Alto Networks Certified Network Security Engineer (PCNSE) exam, it's important to understand the differences between the Rule Usage Hit Counter and the Highlight Unused Rules feature, especially in the context of firewall reboots. For example:

Sample Question: What are two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

• A. Rule Usage Hit counter will not be reset.
• B. Highlight Unused Rules will highlight all rules.
• C. Highlight Unused Rules will highlight zero rules.
• D. Rule Usage Hit counter will reset.

Correct Answers: A and B

Explanation: Upon a firewall reboot, the Rule Usage Hit Counter retains its values, whereas the Highlight Unused Rules feature resets, marking all rules as unused until they are matched by traffic [ExamTopics Discussion] .