Disable Firewall Policy Rules Based on Hits Over a Specified Duration
Starting in Junos Space Security Director Release 20.3R1, you can disable firewall policy rules that have not been hit for a specified duration. Disabling such rules improves performance when you update policies on devices. You must first configure the option in Junos Space Network Management Platform and then disable the rules from Security Director.
Configure the Application Settings
By default, the option to disable firewall policy rules with no hits is disabled in Junos Space Network Management Platform. You must enable it in the Security Director application settings in Junos Space Network Management Platform: enable the Disable policy rules with no hits over a specified duration option and enter the number of days without hits after which firewall policy rules are to be disabled. See Modifying Settings of Junos Space Applications.
Disable Rules Based on Hits
After you have enabled the Disable policy rules with no hits over a specified duration option and entered the number of days in Junos Space Network Management Platform, you can disable firewall policy rules from Security Director.
Before You Begin
Right-click a policy and select Probe Latest Policy Hits to get the latest policy hit count. See Probe Latest Policy Hits.
To disable firewall policy rules based on hits:
Rules are disabled based on the last hit date shown on the Hit Count Details page. If the time since the last hit exceeds the configured number of days, the rule is disabled. See Firewall Policy Rules Main Page Fields.
Rules that have never been hit do not display a last hit date on the Hit Count Details page, and therefore such rules are not disabled.
A snapshot of the operation is captured so that you can roll back to the previous policy version, if required. See Create and Manage Policy Versions.
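The selection behaviour described above, as an added illustration that is not Junos Space code: constructed hit-count records, a fixed reference date, and the reading of "exceeds" as strictly more than the configured number of days are all assumptions. It also lists never-hit rules separately, since the automatic disable skips them and they still merit review.

```python
from datetime import date

# Constructed sample in the shape of Hit Count Details records (not data
# exported from Junos Space). last_hit is None for a rule that has never
# been hit, which the page says shows no last hit date.
SAMPLE_RULES = [
    {"name": "allow-dns", "hits": 1200, "last_hit": date(2024, 5, 30), "enabled": True},
    {"name": "legacy-ftp", "hits": 3, "last_hit": date(2024, 1, 2), "enabled": True},
    {"name": "temp-vendor-access", "hits": 0, "last_hit": None, "enabled": True},
    {"name": "allow-ntp", "hits": 40, "last_hit": date(2024, 2, 15), "enabled": True},
]
TODAY = date(2024, 6, 1)  # fixed reference date so the run is reproducible


def select_rules_to_disable(rules, max_idle_days, today=TODAY):
    """Names of rules whose last hit is older than the configured number of days.

    Rules with no last hit date are skipped, as the page documents. "Exceeds"
    is read as strictly more than max_idle_days (an assumption).
    """
    stale = []
    for rule in rules:
        last_hit = rule["last_hit"]
        if last_hit is None:
            continue
        if (today - last_hit).days > max_idle_days:
            stale.append(rule["name"])
    return stale


def never_hit_rules(rules):
    """Rules the automatic disable never touches; list them for manual review."""
    return [r["name"] for r in rules if r["last_hit"] is None]


def disable_stale_rules(rules, max_idle_days, today=TODAY):
    """Snapshot the rule set, then disable the stale rules in place.

    Returns (disabled names, snapshot); restoring the snapshot is the
    roll back, standing in for the policy version the page mentions.
    """
    snapshot = [dict(r) for r in rules]
    names = select_rules_to_disable(rules, max_idle_days, today)
    for rule in rules:
        if rule["name"] in names:
            rule["enabled"] = False
    return names, snapshot


if __name__ == "__main__":
    rules = [dict(r) for r in SAMPLE_RULES]
    print("disabled:", disable_stale_rules(rules, 90)[0])
    print("never hit, review manually:", never_hit_rules(rules))
```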