Identify unused ACLs and object groups

MATTHEW BECK
Level 1

Hello all,

Can anyone point me to a software product (preferably Cisco) that will analyze a PIX 6.3 firewall rule set and determine which ACLs are not in use and which object groups are not referenced by any ACLs? I know I can show access-list to see hit counts, but this firewall has thousands of rules.

Thanks,

Matt

5 Replies

bwilmoth
Level 5

As far as I know there are some recommended practices that allow you to summarize and simplify your ACE entries:

1) Use contiguous host addresses whenever possible. Aggregate host statements in ACEs/object-groups into networks.

2) Use 'any' instead of networks, and use networks instead of hosts when possible.

3) Try to simplify object-groups. This can potentially save hundreds of ACEs when the ACLs are expanded.

4) Group together individual port statements into a range.

josh
Level 1

sh access-list | inc hitcnt=0

enter

This will only give the non-matched lines.

Dump the results into Excel with the ( as a text delimiter. This will clip off the hitcnt=0) 0x15abbe7c from the end of the lines. Then drop it into Notepad and you can replace "access-list" with "no access-list".

Hi,

Actually, that won't work with object groups like I have configured. When you do the show access-list command you get:

access-l YYY line 1 perm...

access-l YYY line 1 perm...

access-l YYY line 1 perm...

access-l YYY line 2 perm...

access-l YYY line 2 perm...

If I try to no out anything but the first line which includes the name of the object groups, I'm going to get an error. And I definitely don't want to delete the entire line because only 1 object in the group may be unused - the rest will be valid.

Thanks, and enjoy your weekend.

Matt

For the access-lists you could do it manually like the following.

First do a:

show access-l | inc elements

Then compare it with:

show run access-group

Regards

Farrukh
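Putting josh's hitcnt filter, Matt's object-group caveat and Farrukh's access-group comparison together, here is an added Python script (not from this thread and not a Cisco tool) that works offline on pasted CLI output. The three sample strings are constructed and only approximate PIX 6.3 formatting; the object-group member keywords and the ACE/hitcnt regex are assumptions about that output, so check them against your own 'show access-list' before trusting the results.

```python
"""Offline triage of a PIX 6.3 rule set from pasted CLI output: ACLs not
bound to an interface, object-groups no ACL references (directly or via
group-object nesting), and zero-hit ACEs.  Added example, not from the
thread or from Cisco; sample output is constructed, not captured."""
import re
from collections import defaultdict

# Constructed sample output; formatting is assumed, verify against a real box.
SHOW_ACCESS_LIST = """\
access-list outside_in; 4 elements
access-list outside_in line 1 permit tcp any object-group ALL_SERVERS eq www
access-list outside_in line 1 permit tcp any host 10.1.1.6 eq www (hitcnt=57) 0x2b3c4d5e
access-list outside_in line 1 permit tcp any host 10.1.1.7 eq www (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 1 permit tcp any 10.2.0.0 255.255.255.0 eq www (hitcnt=4) 0x4d5e6f70
access-list outside_in line 2 deny ip any any (hitcnt=9) 0x5e6f7081
access-list old_dmz; 1 elements
access-list old_dmz line 1 permit ip any any (hitcnt=0) 0x6f708192
"""
SHOW_RUN_ACCESS_GROUP = "access-group outside_in in interface outside\n"
RUNNING_CONFIG = """\
object-group network WEB_SERVERS
  network-object host 10.1.1.6
  network-object host 10.1.1.7
object-group network ALL_SERVERS
  group-object WEB_SERVERS
  network-object 10.2.0.0 255.255.255.0
object-group network STALE_HOSTS
  network-object host 10.9.9.9
access-list outside_in permit tcp any object-group ALL_SERVERS eq www
access-list outside_in deny ip any any
access-list old_dmz permit ip any any
"""

# One expanded ACE; the parent line of an object-group ACE carries no hitcnt.
ACE_RE = re.compile(
    r"^access-list (\S+) line (\d+) (.*?)(?: \(hitcnt=(\d+)\) 0x[0-9a-f]+)?$")
HEADER_RE = re.compile(r"^access-list (\S+); \d+ elements", re.M)
MEMBERS = {"network-object", "port-object", "group-object", "protocol-object", "icmp-object", "description"}

def parse_aces(show_acl):
    """Return {acl_name: [(line_no, ace_text, hitcnt_or_None), ...]}."""
    aces = defaultdict(list)
    for raw in show_acl.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            name, line_no, text, hits = m.groups()
            aces[name].append((int(line_no), text, None if hits is None else int(hits)))
    return aces

def unused_acls(show_acl, show_run_access_group):
    """ACLs that exist but are bound to no interface (Farrukh's comparison)."""
    defined = set(HEADER_RE.findall(show_acl)) | set(parse_aces(show_acl))
    applied = set(re.findall(r"^access-group (\S+) ", show_run_access_group, re.M))
    return sorted(defined - applied)

def parse_object_groups(cfg):
    """Return {group_name: set(groups it nests via group-object)}."""
    nested, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split()
        if len(words) >= 3 and words[0] == "object-group":
            current = words[2]                  # object-group <type> <name> ...
            nested[current] = set()
        elif current and words and words[0] in MEMBERS:
            if words[0] == "group-object":
                nested[current].add(words[1])
        else:
            current = None                      # any other line ends the group
    return nested

def unused_object_groups(cfg):
    """Groups no access-list line reaches, following group-object nesting."""
    nested = parse_object_groups(cfg)
    todo = [g for line in cfg.splitlines() if line.startswith("access-list ")
            for g in re.findall(r"object-group (\S+)", line)]
    used = set()
    while todo:                                 # transitive closure over nesting
        g = todo.pop()
        if g not in used:
            used.add(g)
            todo.extend(nested.get(g, ()))
    return sorted(set(nested) - used)

def zero_hit_aces(show_acl):
    """Expanded entries with hitcnt=0 as (acl, line_no, ace_text); entries expanded
    from an object-group share the parent's line number, so review, don't 'no' them."""
    return [(acl, n, t) for acl, entries in parse_aces(show_acl).items()
            for n, t, hits in entries if hits == 0]

def idle_lines(show_acl):
    """(acl, line_no) where every counted entry has hitcnt=0: whole-line removal candidates."""
    counted = defaultdict(list)
    for acl, entries in parse_aces(show_acl).items():
        for n, _, hits in entries:
            if hits is not None:
                counted[(acl, n)].append(hits)
    return [key for key, hits in counted.items() if all(h == 0 for h in hits)]

if __name__ == "__main__":
    print(unused_acls(SHOW_ACCESS_LIST, SHOW_RUN_ACCESS_GROUP), unused_object_groups(RUNNING_CONFIG))
    print(zero_hit_aces(SHOW_ACCESS_LIST), idle_lines(SHOW_ACCESS_LIST))
```

A group nested in another group through group-object counts as used only when the outer group is itself reached from an access-list line, which is why a plain grep for "object-group NAME" across the ACL lines is not enough (WEB_SERVERS above is used only via ALL_SERVERS). Only idle_lines returns whole ACL lines with no hits at all; a zero-hit entry expanded from an object-group is reported for review, since, as Matt notes, it cannot be removed on its own.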

I've done this before and it was VERY painful.

Here is what I did:

1- Use a freeware tool called odumper/ofiller, written by a Checkpoint engineer, to dump the rules and objects into a Checkpoint SmartCenter

2- In the Checkpoint security, I can use the "right-click" functions to find out which objects have NOT been used. This can be done relatively quickly

3- Use the Cisco conversion tool to convert the Checkpoint rules back into PIX rules.

Steps 1 and 2 worked quite well but step 3 was a big mess, especially when you have a large security policy.

my 2c.
