
Unused rules tracking in PIX


I have a PIX 535 and am using ACLs for allowing traffic. I need to clean up the rule base. I would like to know how to fetch a report of rules that have been unused for a long time.

Also, when traffic is being allowed, I want to know through which rule number it is being allowed.

Please let me know how to get the above things done.

Thanks & Regards,

Lenin. S


Re: Unused rules tracking in PIX


You can simply do this the old way, which is looking at your access-list hit counts. How big your organization is and how many firewalls you have to do this clean-up on will determine the method you use. If you are talking about one firewall, do it the manual, inexpensive way, which is "show access-list", and take a baseline of the ACL hit counts, perhaps every other day or once per week. If many firewalls, then you can look for 3rd-party software out there to do it for you.

In addition:

You can reset the ACL counters like this, to create a baseline of your ACL counters:

#clear access-list counters

then you can use "show access-list" to see the hit counts; the ones that show no hits for, say, a week or two are the targets to investigate before you remove them. And when removing, always save a copy for backup in case you need to revert.
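The procedure above (clear the counters, take a baseline of "show access-list", compare a later snapshot, investigate anything that never moved) is easy to do by hand on one firewall but tedious once the ACL has hundreds of lines. The script below is an added example, not code from the original thread or from Cisco: it parses two saved copies of "show access-list" output and reports the entries whose hit counter did not advance. The sample output embedded in it is constructed to look like PIX 7.x / ASA output with "line N extended"; the regex also accepts the older PIX 6.x form that has no line number. Keying on the rule text rather than the line number is deliberate, because inserting one ACE renumbers every line below it between two snapshots.

```python
"""Flag PIX/ASA access-list entries whose hit counters have not moved.

Added example, not from the original thread. Works on text captured from
'show access-list'; the samples at the bottom are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

# One access-control entry per line. PIX 7.x / ASA print "line N extended";
# PIX 6.x prints just "access-list NAME permit ..." so those parts are optional.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+"
    r"(?:line\s+(?P<line>\d+)\s+)?"
    r"(?:extended\s+|standard\s+)?"
    r"(?P<rule>(?:permit|deny)\s.+?)\s*"
    r"\(hitcnt=(?P<hits>\d+)\)"
)

Key = Tuple[str, str]            # (acl name, normalised rule text)
Entry = Tuple[int, int]          # (line number or 0 if absent, hitcnt)


def parse_show_access_list(text: str) -> Dict[Key, Entry]:
    """Return {(acl, rule): (line, hitcnt)} for every ACE in the output.

    Summary lines ("access-list NAME; N elements"), remarks and blank
    lines do not match ACE_RE and are skipped.
    """
    entries: Dict[Key, Entry] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        rule = " ".join(m["rule"].split())          # collapse stray spacing
        line = int(m["line"]) if m["line"] else 0
        entries[(m["acl"], rule)] = (line, int(m["hits"]))
    return entries


def never_hit(snapshot: Dict[Key, Entry]) -> List[Tuple[str, int, str]]:
    """The 'clear access-list counters' method: ACEs still at hitcnt=0."""
    return sorted((acl, line, rule)
                  for (acl, rule), (line, hits) in snapshot.items()
                  if hits == 0)


def unused_rules(baseline: Dict[Key, Entry],
                 current: Dict[Key, Entry]) -> List[Tuple[str, int, str]]:
    """ACEs present in both snapshots whose counter did not advance.

    Rules added since the baseline are skipped (no window to judge yet).
    A counter that went *down* means the firewall reloaded or the counters
    were cleared in between; such a rule is only flagged if it is still at
    zero, since any positive value proves it was hit after the reset.
    """
    stale = []
    for key, (line, now) in current.items():
        if key not in baseline:
            continue
        then = baseline[key][1]
        if now > then:
            continue                       # hits accrued during the window
        if now < then and now > 0:
            continue                       # counters reset, but hit since
        stale.append((key[0], line, key[1]))
    return sorted(stale)


# Constructed sample output: baseline, then the same ACL one week later with
# a new ssh rule inserted at line 3 (which pushes the old lines 3-4 down).
BASELINE = """\
access-list outside_in; 4 elements
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1532)
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=0)
access-list outside_in line 3 extended permit udp any host 192.0.2.53 eq domain (hitcnt=88)
access-list outside_in line 4 extended deny ip any any (hitcnt=9001)
"""

LATER = """\
access-list outside_in; 5 elements
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1700)
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=0)
access-list outside_in line 3 extended permit tcp any host 192.0.2.22 eq ssh (hitcnt=3)
access-list outside_in line 4 extended permit udp any host 192.0.2.53 eq domain (hitcnt=88)
access-list outside_in line 5 extended deny ip any any (hitcnt=9107)
"""

if __name__ == "__main__":
    before = parse_show_access_list(BASELINE)
    after = parse_show_access_list(LATER)
    for acl, line, rule in unused_rules(before, after):
        print(f"no hits since baseline: {acl} line {line}: {rule}")
```

Capture the two snapshots from the console or a terminal server, feed them in, and the two flagged entries (the https rule and the DNS rule in the sample) are what you investigate before touching the config. A week or two of zero hits is evidence, not proof: rules that exist for monthly batch jobs, DR failover or a standby path can sit idle far longer, so check with the rule's owner and keep the pre-cleanup config as the reply above advises.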




Re: Unused rules tracking in PIX

Thanks a lot, Jorge. Your idea worked out for me.

I would like to know one more thing.

Only denied logs are getting logged on my syslog server now. I would like to save the allowed logs also, for forensics later. How should I enable that?

Is enabling "log" on every line of the access-list a must for this?
