How to find when a JUNOS SRX firewall policy was last used


Is there any way we can figure out when a policy in JUNOS SRX firewalls was last used?

I need to delete obsolete policies from the device. One way is to compare the hit-counts of two snapshots that were taken in a gap of x days. But I somewhat feel that this is a very crude way of doing things.


1 answer

IoSonoUmberto

I was checking the CLI, but we can get at most hit counts (which are not an indication of last policy usage).

Maybe you could have an auxiliary log file only including RT_FLOW SESSION CREATE logs.

Then, periodically, an onbox script might run and update a file whose content is “policy-name last-observed-timestamp”.

Those logs would then be included in “messages” as well, but if the firewall is pretty busy and generating lots of syslogs, we might lose some info if Junos compresses the messages file due to the max size being reached (unless we run the script very often, but what about the impact on the device?).

Potentially it might work but I have some concerns:

  • Impact on the device in terms of performance
  • If SRX is “working” a lot that auxiliary log file will get populated fast and script execution will be longer
  • It would only work from “now on” (since we implement the script); we can’t see the past, I guess
  • Logging is required on the policy (at least session-init or session-close) to then create the log file with the right syslog messages

Alternatively, the script is offbox and we periodically get the auxiliary log file from the external server; this way we take the burden of parsing the log file off the device, as all the "dirty work" would be performed by our external server (this approach requires our device to be accessible using the Python SCP module, which is available within the PyEZ packaging).
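The offbox variant of the parsing step described in this answer, as an added example that is not from the original post: it folds RT_FLOW session-create/close lines into a "policy-name last-observed-timestamp" map and then lists configured policies not seen since a cutoff. The log lines are constructed in the Junos structured-syslog style (the `policy-name` field and the `junos@2636…` SD-ID are assumed from that format), not captured from a real SRX.

```python
import re
from datetime import datetime

# Constructed sample lines in Junos structured-syslog style (not from a real device).
SAMPLE_LOG = """\
<14>1 2024-03-01T08:00:00.000Z srx1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.0.0.5" destination-address="10.1.0.10" destination-port="443" policy-name="allow-web"]
<14>1 2024-03-01T08:05:00.000Z srx1 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.0.0.5" policy-name="allow-web"]
<14>1 2024-03-02T09:30:00.000Z srx1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.0.0.7" destination-address="10.1.0.20" destination-port="22" policy-name="allow-ssh"]
<14>1 2024-03-03T10:00:00.000Z srx1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.0.0.8" destination-address="10.1.0.10" destination-port="443" policy-name="allow-web"]
not a flow log line and must be ignored
"""

# Accept both session-init and session-close events, as the answer allows either.
LINE_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) \S+ RT_FLOW - RT_FLOW_SESSION_(?:CREATE|CLOSE) \[(?P<sd>[^\]]*)\]'
)
POLICY_RE = re.compile(r'policy-name="(?P<name>[^"]*)"')


def parse_ts(text):
    """Parse an ISO-8601 timestamp; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_line(line):
    """Return (policy_name, timestamp) for a session create/close line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = POLICY_RE.search(m.group("sd"))
    if not p:
        return None
    return p.group("name"), parse_ts(m.group("ts"))


def update_last_seen(log_text, last_seen=None):
    """Fold log lines into {policy-name: last-observed-timestamp}, keeping the newest.
    Pass the previously saved map as last_seen so repeated runs accumulate."""
    last_seen = dict(last_seen or {})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated syslog line or no policy-name field
        name, ts = parsed
        if name not in last_seen or ts > last_seen[name]:
            last_seen[name] = ts
    return last_seen


def unused_since(last_seen, configured_policies, cutoff_iso):
    """Configured policies never observed, or last observed before the cutoff."""
    cutoff = parse_ts(cutoff_iso)
    return sorted(p for p in configured_policies
                  if p not in last_seen or last_seen[p] < cutoff)
```

Policies absent from the map were never seen in the collected window, which (as the answer notes) says nothing about use before logging was enabled.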