Identify unused ACLs and object groups

Unanswered Question
Oct 13th, 2008

Hello all,

Can anyone point me to a software product (preferably Cisco) that will analyze a PIX 6.3 firewall rule set and determine which ACLs are not in use and which object groups are not referenced by any ACLs? I know I can show access-list to see hit counts, but this firewall has thousands of rules.

bwilmoth Fri, 10/17/2008 - 08:04
User Badges:
  • Silver, 250 points or more

As far as I know there are some recommended practices that allow you to summarize and simplify your ACE entries:

1) Use contiguous host addresses whenever possible. Aggregate host statements in ACEs/object-groups into networks.

2) Use 'any' instead of networks, and use networks instead of hosts when possible.

3) Try to simplify object-groups. This can potentially save hundreds of ACEs when the ACLs are expanded.

4) Group together individual port statements into a range.

MATTHEW BECK Fri, 10/17/2008 - 13:07

Actually, that won't work with object groups like I have configured. When you do the show access-list command you get:

access-l YYY line 1 perm...
access-l YYY line 1 perm...
access-l YYY line 1 perm...
access-l YYY line 2 perm...
access-l YYY line 2 perm...

If I try to no out anything but the first line which includes the name of the object groups, I'm going to get an error. And I definitely don't want to delete the entire line because only 1 object in the group may be unused - the rest will be valid.

Thanks, and enjoy your weekend.


Farrukh Haroon Sat, 10/18/2008 - 22:41
User Badges:
  • Red, 2250 points or more

For the access-lists you could do it manually like the following.

First do a:

show access-l | inc elements

Then compare it with:

show run access-group

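A static version of the comparison described above, written as an added example and not code posted by anyone in this thread: it parses PIX 6.3-style configuration text, treats an access-list as in use when its name appears on any line that is not an ACE or object-group definition (access-group, nat 0 access-list, crypto map match address and the like), and reports object-groups that no ACE or nested group-object references. The configuration fragment is constructed for the example.

```python
import re

# Constructed PIX 6.3-style config fragment for the example (not from a real firewall).
SAMPLE_CONFIG = """\
object-group network WEB_SERVERS
 network-object host 10.0.0.5
 network-object 10.0.1.0 255.255.255.0
object-group network ALL_SERVERS
 group-object WEB_SERVERS
object-group network ORPHAN_HOSTS
 network-object host 10.0.9.9
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN permit tcp any object-group ALL_SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN deny ip any any
access-list NONAT permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list OLD_DMZ_IN permit ip any any
access-group OUTSIDE_IN in interface outside
nat (inside) 0 access-list NONAT
"""


def audit_config(config_text):
    """Return (unused_acls, unreferenced_groups), each a sorted list of names."""
    acls, groups, acl_refs, group_refs = set(), set(), set(), set()
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "access-list" and len(words) > 1:
            acls.add(words[1])                       # ACE or remark defines the ACL name
            group_refs.update(re.findall(r"\bobject-group (\S+)", raw))
        elif words[0] == "object-group" and len(words) > 2:
            groups.add(words[2])                     # object-group <type> <name> [proto]
        elif words[0] == "group-object" and len(words) > 1:
            group_refs.add(words[1])                 # nested group reference
        else:
            # Any other line that names an ACL (access-group, nat 0 access-list,
            # crypto map ... match address, vpn-filter ...) counts as a use. This is
            # deliberately conservative: a stray token match keeps an ACL, never drops one.
            acl_refs.update(words[1:])
    return sorted(acls - acl_refs), sorted(groups - group_refs)


if __name__ == "__main__":
    unused_acls, orphan_groups = audit_config(SAMPLE_CONFIG)
    print("ACLs not bound anywhere:", unused_acls)          # ['OLD_DMZ_IN']
    print("object-groups never referenced:", orphan_groups) # ['ORPHAN_HOSTS']
```

Feed it the output of show run; a group that only appears in an ACL this reports as unused still shows as referenced, so remove the dead ACL first and re-run.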


cisco24x7 Sun, 10/19/2008 - 02:33
User Badges:
  • Silver, 250 points or more

I've done this before and it was VERY painful.

Here is what I did:

1- Use a freeware tool called odumper/ofiller, written by a Checkpoint engineer, to dump the rules and object into a Checkpoint

2- In the Checkpoint security, I can use the "right-click" functions to find out which objects have NOT been used. This can be done relatively quickly.

3- Use Cisco conversion tool to convert Checkpoint rule back into Pix rules.

Step 1 and 2 worked quite well but step 3 was a big mess especially when you have a large security policy.

my 2c.

