Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1914
Views
0
Helpful
5
Replies

Identify unused ACLs and object groups

MATTHEW BECK
Level 1
Level 1

‎10-13-2008 09:13 AM - edited ‎03-11-2019 06:56 AM

Hello all,

Can anyone point me to a software product (preferably Cisco) that will analyze a PIX 6.3 firewall rule set and determine which ACLs are not in use and which object groups are not referenced by any ACLs? I know I can show access-list to see hit counts, but this firewall has thousands of rules.

Thanks,

Matt

Labels:
0 Helpful
5 Replies 5

bwilmoth
Level 5
Level 5

‎10-17-2008 08:04 AM

As far as I know there are some recommended practices allow you to summarize and simplify your ACE entries:

1)Use contiguous host addresses whenever possible. Aggegrate host statements in ACEs/object-groups into networks.

2)Use 'any' instead of networks, and use networks instead of hosts when possible.

3)Try to simplify object-groups. This can potentially save hundreds of ACEs when the ACLs are expanded.

4)Group together individual port statements into a range.

0 Helpful

josh
Level 1
Level 1

‎10-17-2008 12:55 PM

sh access-list | inc hitcnt=0

enter

This will only give the non-matched lines.

dump the results into excel with the ( as a text delimiter. This will clip off the hitcnt=0) 0x15abbe7c from the end of the lines. The drop it into notepad and you can replace "access-list" with "no access-list"

0 Helpful

MATTHEW BECK
Level 1
Level 1
In response to josh

‎10-17-2008 01:07 PM

Hi,

Actually, that won't work with object groups like I have configured. When you do the show access-list command you get:

access-l YYY line 1 perm...

access-l YYY line 1 perm...

access-l YYY line 1 perm...

access-l YYY line 2 perm...

access-l YYY line 2 perm...

If I try to no out anything but the first line which includes the name of the object groups, I'm going to get an error. And I definitely don't want to delete the entire line because only 1 object in the group may be unused - the rest will be valid.

Thanks, and enjoy your weekend.

Matt

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to MATTHEW BECK

‎10-18-2008 10:41 PM

For the access-lists you could do it manually like the following.

Firsto do a:

show access-l | inc elements

Then compare it with:

show run access-group

Regards

Farrukh

0 Helpful

cisco24x7
Level 6
Level 6
In response to Farrukh Haroon

‎10-19-2008 02:33 AM

I've done this before and it was VERY painful.

Here is what i did:

1- Use a freeware tool call odumper/ofiller,

written by a Checkpoint engineer to dump

the rules and object into a Checkpoint

SmartCenter

2- In the Checkpoint security, I can use the

"right-click" functions to findout which

objects have NOT been used. This can be

relatively quickly

3- Use Cisco conversion tool to convert

Checkpoint rule back into Pix rules.

Step 1 and 2 worked quite well but step

3 was a big mess especially when you have

a large security policy.

my 2c.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card