Identify unused ACLs and object groups

Unanswered Question
Oct 13th, 2008

Hello all,

Can anyone point me to a software product (preferably Cisco) that will analyze a PIX 6.3 firewall rule set and determine which ACLs are not in use and which object groups are not referenced by any ACLs? I know I can show access-list to see hit counts, but this firewall has thousands of rules.


Thanks,

Matt

bwilmoth Fri, 10/17/2008 - 08:04
User Badges:
  • Silver, 250 points or more

As far as I know, there are some recommended practices that allow you to summarize and simplify your ACE entries:

1) Use contiguous host addresses whenever possible. Aggregate host statements in ACEs/object-groups into networks.

2) Use 'any' instead of networks, and use networks instead of hosts when possible.

3) Try to simplify object-groups. This can potentially save hundreds of ACEs when the ACLs are expanded.

4) Group together individual port statements into a range.



MATTHEW BECK Fri, 10/17/2008 - 13:07

Hi,

Actually, that won't work with object groups like I have configured. When you do the show access-list command you get:

access-l YYY line 1 perm...
access-l YYY line 1 perm...
access-l YYY line 1 perm...
access-l YYY line 2 perm...
access-l YYY line 2 perm...


If I try to no out anything but the first line which includes the name of the object groups, I'm going to get an error. And I definitely don't want to delete the entire line because only 1 object in the group may be unused - the rest will be valid.


Thanks, and enjoy your weekend.


Matt

Farrukh Haroon Sat, 10/18/2008 - 22:41
User Badges:
  • Red, 2250 points or more

For the access-lists you could do it manually like the following.

First do a:

show access-l | inc elements

Then compare it with:

show run access-group

Regards

Farrukh
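The two checks discussed in this thread (Matt's original question about object groups that no ACL references, and Farrukh's manual comparison of `show access-list | include elements` against `show run access-group`) can be scripted once the text output is saved to a file. The following is an added example written for this page, not code from the thread, from Cisco, or from any of the posters. It parses text in the shape of PIX 6.3 `show run` output and the one-line-per-ACL `elements` summary; the configuration fragment and the `elements` listing are constructed samples with invented names and addresses. It goes one step beyond the question by following `group-object` nesting, so a group that is only reachable through another group is still counted as referenced, and it can optionally ignore references made by ACLs that are not bound to any interface.

```python
"""Constructed example (not from the thread or from Cisco): audit a PIX 6.3
rule set for access-lists that are defined but never bound with access-group,
and object-groups that no access-list reaches, following group-object nesting.
Input is plain text in the shape of `show run` and `show access-list | include elements`.
"""
import re

# Constructed sample configuration; names, hosts and interfaces are invented.
SAMPLE_CONFIG = """\
object-group network DMZ_WEB
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group network OLD_SERVERS
 network-object host 10.1.1.99
object-group network ALL_INTERNAL
 group-object DMZ_WEB
 network-object 10.2.0.0 255.255.0.0
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
object-group service LEGACY_PORTS tcp
 port-object eq 8080
access-list outside_in remark web servers reachable from the Internet
access-list outside_in permit tcp any object-group DMZ_WEB object-group WEB_PORTS
access-list outside_in deny ip any any
access-list inside_out permit ip object-group ALL_INTERNAL any
access-list stale_test permit ip object-group OLD_SERVERS any
access-group outside_in in interface outside
access-group inside_out in interface inside
"""

# Constructed output in the shape of `show access-list | include elements`.
SAMPLE_ELEMENTS = """\
access-list outside_in; 5 elements
access-list inside_out; 3 elements
access-list stale_test; 1 elements
"""

OG_DEF = re.compile(r"^object-group\s+\S+\s+(\S+)")
GROUP_OBJECT = re.compile(r"^group-object\s+(\S+)")
ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(\S+)")
OG_REF = re.compile(r"object-group\s+(\S+)")
ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+")
ELEMENTS = re.compile(r"^access-list\s+(\S+);\s+\d+\s+elements")


def parse_config(text):
    """Collect object-group definitions and nesting, ACL names, the groups each
    ACL references, and the ACLs bound to an interface by access-group."""
    cfg = {"groups": set(), "nested": {}, "acls": set(),
           "refs_by_acl": {}, "applied": set()}
    current = None                              # object-group whose body we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OG_DEF.match(line):
            current = m.group(1)
            cfg["groups"].add(current)
            cfg["nested"].setdefault(current, set())
        elif (m := GROUP_OBJECT.match(line)) and current:
            cfg["nested"][current].add(m.group(1))   # nested group reference
        elif m := ACL_LINE.match(line):
            current = None
            name, keyword = m.groups()
            cfg["acls"].add(name)
            refs = cfg["refs_by_acl"].setdefault(name, set())
            if keyword != "remark":             # remark text is free-form, never a reference
                refs.update(OG_REF.findall(line))
        elif m := ACCESS_GROUP.match(line):
            current = None
            cfg["applied"].add(m.group(1))
        elif not raw.startswith(" "):
            current = None                      # any other top-level command ends a group body
    return cfg


def unapplied_acls(cfg):
    """ACLs present in the configuration that no access-group command binds."""
    return sorted(cfg["acls"] - cfg["applied"])


def referenced_groups(cfg, only_applied=False):
    """Object-groups reachable from ACLs, following group-object nesting.
    With only_applied=True, ACLs not bound to an interface do not count."""
    stack = [g for acl, refs in cfg["refs_by_acl"].items()
             if not only_applied or acl in cfg["applied"] for g in refs]
    seen = set()
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(cfg["nested"].get(g, ()))
    return seen


def unreferenced_object_groups(cfg, only_applied=False):
    """Object-groups that no ACL (or, optionally, no applied ACL) reaches."""
    return sorted(cfg["groups"] - referenced_groups(cfg, only_applied))


def acls_not_in_access_group(elements_output, cfg):
    """The manual check from the thread: ACL names listed by
    `show access-list | include elements` that no access-group command binds."""
    names = {m.group(1) for line in elements_output.splitlines()
             if (m := ELEMENTS.match(line.strip()))}
    return sorted(names - cfg["applied"])


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("ACLs defined but not applied:", unapplied_acls(cfg))
    print("ACLs listed by show access-list but not applied:",
          acls_not_in_access_group(SAMPLE_ELEMENTS, cfg))
    print("object-groups no ACL references:", unreferenced_object_groups(cfg))
    print("object-groups no applied ACL references:",
          unreferenced_object_groups(cfg, only_applied=True))
```

Run against real output, feed the saved `show run` text to `parse_config` and the saved `elements` listing to `acls_not_in_access_group`. The `only_applied` switch matters for cleanup order: a group that is referenced only by an unapplied ACL will show up as unused only after that ACL is removed, so removing stale ACLs first and re-running the check catches groups the first pass would have kept.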

cisco24x7 Sun, 10/19/2008 - 02:33
User Badges:
  • Silver, 250 points or more

I've done this before and it was VERY painful.

Here is what I did:

1- Use a freeware tool called odumper/ofiller, written by a Checkpoint engineer, to dump the rules and objects into a Checkpoint SmartCenter.

2- In the Checkpoint security, I can use the "right-click" functions to find out which objects have NOT been used. This can be done relatively quickly.

3- Use the Cisco conversion tool to convert the Checkpoint rules back into Pix rules.

Steps 1 and 2 worked quite well but step 3 was a big mess, especially when you have a large security policy.

my 2c.
