10-13-2008 09:13 AM - edited 03-11-2019 06:56 AM
Hello all,
Can anyone point me to a software product (preferably Cisco) that will analyze a PIX 6.3 firewall rule set and determine which ACLs are not in use and which object groups are not referenced by any ACLs? I know I can show access-list to see hit counts, but this firewall has thousands of rules.
Thanks,
Matt
10-17-2008 08:04 AM
As far as I know there are some recommended practices that allow you to summarize and simplify your ACE entries:
1) Use contiguous host addresses whenever possible. Aggregate host statements in ACEs/object-groups into networks.
2) Use 'any' instead of networks, and use networks instead of hosts when possible.
3) Try to simplify object-groups. This can potentially save hundreds of ACEs when the ACLs are expanded.
4) Group together individual port statements into a range.
10-17-2008 12:55 PM
sh access-list | inc hitcnt=0
enter
This will only give the non-matched lines.
Dump the results into Excel with "(" as a text delimiter. This will clip off the "hitcnt=0) 0x15abbe7c" from the end of the lines. Then drop it into Notepad and you can replace "access-list" with "no access-list".
10-17-2008 01:07 PM
Hi,
Actually, that won't work with object groups like I have configured. When you do the show access-list command you get:
access-l YYY line 1 perm...
access-l YYY line 1 perm...
access-l YYY line 1 perm...
access-l YYY line 2 perm...
access-l YYY line 2 perm...
If I try to no out anything but the first line which includes the name of the object groups, I'm going to get an error. And I definitely don't want to delete the entire line because only 1 object in the group may be unused - the rest will be valid.
Thanks, and enjoy your weekend.
Matt
10-18-2008 10:41 PM
For the access-lists you could do it manually like the following.
First do a:
show access-l | inc elements
Then compare it with:
show run access-group
Regards
Farrukh
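Pulling the three approaches in this thread together (the hitcnt=0 grep, Matt's point that an expanded object-group line cannot simply be "no"-ed out, and Farrukh's access-list versus access-group comparison), here is an added Python example that is not from the thread, from Cisco, or from any of the posters. It parses constructed sample output modelled on the "access-list NAME line N ... (hitcnt=X) 0x..." format quoted above, sums hits per object-group member across every ACE that expands the group (so a member that is idle in one ACL but hit in another is not flagged), and lists ACEs with no hits, object-groups nobody references, and ACLs that are never applied with access-group. The sample text, ACL names, group names and addresses are all constructed for the example; it also assumes one object-group per ACE.

```python
import re
from collections import defaultdict

# Constructed sample of "show access-list" output, modelled on the lines quoted in the thread:
# an object-group ACE followed by its expanded entries, each with a hitcnt and an id hash.
SHOW_ACL = """\
access-list YYY line 1 permit tcp object-group WEB_SRV any eq www (hitcnt=7)
access-list YYY line 1 permit tcp host 10.1.1.1 any eq www (hitcnt=7) 0x15abbe7c
access-list YYY line 1 permit tcp host 10.1.1.2 any eq www (hitcnt=0) 0x2b3c4d5e
access-list YYY line 1 permit tcp host 10.1.1.3 any eq www (hitcnt=0) 0x3c4d5e6f
access-list YYY line 2 permit tcp object-group WEB_SRV any eq https (hitcnt=3)
access-list YYY line 2 permit tcp host 10.1.1.1 any eq https (hitcnt=3) 0x4d5e6f70
access-list YYY line 2 permit tcp host 10.1.1.2 any eq https (hitcnt=0) 0x5e6f7081
access-list YYY line 2 permit tcp host 10.1.1.3 any eq https (hitcnt=0) 0x6f708192
access-list YYY line 3 permit udp any host 10.9.9.9 eq domain (hitcnt=0) 0x708192a3
access-list ZZZ line 1 permit tcp object-group WEB_SRV any eq ssh (hitcnt=2)
access-list ZZZ line 1 permit tcp host 10.1.1.1 any eq ssh (hitcnt=0) 0x8192a3b4
access-list ZZZ line 1 permit tcp host 10.1.1.2 any eq ssh (hitcnt=2) 0x92a3b4c5
access-list ZZZ line 1 permit tcp host 10.1.1.3 any eq ssh (hitcnt=0) 0xa3b4c5d6
"""

# Constructed "show run" fragment: object-group definitions, the ACLs and the access-group bindings.
SHOW_RUN = """\
object-group network WEB_SRV
 network-object host 10.1.1.1
 network-object host 10.1.1.2
 network-object host 10.1.1.3
object-group network OLD_DMZ
 network-object 10.8.0.0 255.255.0.0
access-list YYY permit tcp object-group WEB_SRV any eq www
access-list YYY permit tcp object-group WEB_SRV any eq https
access-list YYY permit udp any host 10.9.9.9 eq domain
access-list ZZZ permit tcp object-group WEB_SRV any eq ssh
access-group YYY in interface outside
"""

LINE_RE = re.compile(r"^access-list (\S+) line (\d+) (.*?) \(hitcnt=(\d+)\)")


def parse_show_acl(text):
    """Return (acl, line_no, tokens, hits) for every hitcnt line; anything else is ignored."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m[1], int(m[2]), m[3].split(), int(m[4])))
    return out


def member_hits(entries):
    """Sum hits per (group, member) over every ACE that expands that group.

    An expanded entry is the parent ACE with 'object-group NAME' replaced by the
    member's own tokens, so the member is whatever sits between the parent's prefix
    and suffix. Assumes one object-group per ACE; ACEs with several are skipped."""
    totals = defaultdict(int)
    parent = None
    for acl, num, toks, hits in entries:
        if "object-group" in toks:
            parent = None
            if toks.count("object-group") == 1:
                i = toks.index("object-group")
                parent = (acl, num, toks[:i], toks[i + 1], toks[i + 2:])
            continue
        if parent and (acl, num) == parent[:2]:
            _, _, prefix, group, suffix = parent
            end = len(toks) - len(suffix)
            if toks[:len(prefix)] == prefix and toks[end:] == suffix:
                totals[(group, " ".join(toks[len(prefix):end]))] += hits
    return dict(totals)


def unused_members(entries):
    """Members whose expansions got zero hits in every ACL that uses the group."""
    return sorted(k for k, v in member_hits(entries).items() if v == 0)


def zero_hit_aces(entries):
    """Whole ACEs (acl, line) with no hits, judged by the first line for each number,
    which is the object-group line itself when the ACE references a group."""
    first = {}
    for acl, num, _toks, hits in entries:
        first.setdefault((acl, num), hits)
    return sorted(k for k, v in first.items() if v == 0)


def _run_tokens(run_text):
    return [line.split() for line in run_text.splitlines() if line.strip()]


def unreferenced_groups(run_text):
    """object-groups not named by any access-list line or by a nested group-object."""
    defined, referenced = set(), set()
    for t in _run_tokens(run_text):
        if t[0] == "object-group":
            defined.add(t[2])
        elif t[0] == "group-object":
            referenced.add(t[1])
        elif t[0] == "access-list":
            referenced.update(t[i + 1] for i, w in enumerate(t) if w == "object-group")
    return sorted(defined - referenced)


def unbound_acls(run_text):
    """ACLs that are defined but never applied with access-group."""
    toks = _run_tokens(run_text)
    defined = {t[1] for t in toks if t[0] == "access-list"}
    bound = {t[1] for t in toks if t[0] == "access-group"}
    return sorted(defined - bound)


if __name__ == "__main__":
    acl = parse_show_acl(SHOW_ACL)
    print("ACEs with hitcnt=0:", zero_hit_aces(acl))
    print("group members never hit in any ACL:", unused_members(acl))
    print("object-groups not referenced:", unreferenced_groups(SHOW_RUN))
    print("ACLs not bound by access-group:", unbound_acls(SHOW_RUN))
```

On the constructed sample, host 10.1.1.2 shows hitcnt=0 in both YYY lines but is hit in ZZZ, so it stays in the group; only 10.1.1.3 is reported as never hit, which is the distinction Matt is after. Two caveats for real output: hit counters only reflect traffic since the counters were last cleared or the box reloaded, so a zero is evidence of disuse over that window, not proof; and access-group is not the only consumer of an ACL on a PIX (crypto maps, nat 0 and aaa match statements also reference ACLs), so the "not bound" list is a set of candidates to check against the full running config before anything is removed.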
10-19-2008 02:33 AM
I've done this before and it was VERY painful.
Here is what I did:
1- Use a freeware tool called odumper/ofiller, written by a Checkpoint engineer, to dump the rules and objects into a Checkpoint SmartCenter.
2- In the Checkpoint security, I can use the "right-click" functions to find out which objects have NOT been used. This can be done relatively quickly.
3- Use the Cisco conversion tool to convert the Checkpoint rules back into Pix rules.
Steps 1 and 2 worked quite well but step 3 was a big mess, especially when you have a large security policy.
my 2c.