
CSM Flex Config - HitCnt reset via Flexconfig and $Variable possible ?

Hi

I want to clear all HitCnt on all firewalls via FlexConfig from CSM.

Can I use a $Variable in FlexConfig to transfer a value from / to another firewall command?

e.g.

I type in the command

#   sh access-list | grep element

- to find out the available access-lists on the firewall

Then I transfer the output, e.g. "inside_access_in", to a $variable and use this variable in the command to clear the HitCnt: clear access-list "$variable" counters

Any idea ?

THX for Help


Panos Kampanakis
Cisco Employee

You can do what you want, but not the way you are trying. You can't assign variables by getting the output of a command.

You can use the CSM variable SYS_FW_ACL_IN_NAME to find the ACLs applied to an interface and then you can do the "clear access-list xxx counter".

Here is the guide that explains the FlexConfigs http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html

I would suggest using one predefined FlexConfig like the ASA_add_ACEs to see how it uses the pre-defined variables, and then it will be easy to do.

Let us know that it solved your issue.

PK



Hi

THX for help, it works

three questions:

1. Is there any way to test the FlexConfig and see the output before deploying? (Preview maybe, but how?)

2. Any way to edit the variable sys_fw_acl_in_name or other variables?

3. If I have more than "in" and "out" directions, e.g.

access-list CSM_FW_ACL_outside; 1596 elements
access-list CSM_FW_ACL_inside; 9222 elements
access-list CSM_FW_ACL_dmz4; 538 elements
access-list CSM_FW_ACL_dmz3; 2762 elements
access-list CSM_FW_ACL_dmz2; 1724 elements
access-list CSM_FW_ACL_dmz1; 2536 elements

Do I have to create a new variable, or how do I clear the counters for these interfaces?

THX for help

Answers following:

1. Yes, after you assign the FlexConfig you can right click on the device in CSM and do a "Preview Config" and that will show you the commands that are going to be pushed at Deployment.

2. The system variables are not editable. They represent things you already have configured on the device. You can create variables in the FlexConfig that you can change.

3. You can use 2 variables for in and out ACLs. They are SYS_FW_ACL_IN_NAME and SYS_FW_ACL_OUT_NAME. Look at http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html#wp939447

So you can clear counters using both.

Please mark the thread as answered if it is.

PK
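
An offline cross-check for question 3, added here as an example and not part of the original thread or of Cisco's tooling: it parses the `sh access-list | grep element` output quoted above, builds one `clear access-list <name> counters` line per ACL name, and lists device ACLs that the names would miss. The values given for the two system variables are constructed for illustration; the real ones are whatever "Preview Config" shows for the device.

```python
import re

# Summary lines as printed by "sh access-list | grep element", e.g.
# "access-list CSM_FW_ACL_inside; 9222 elements".
SUMMARY_RE = re.compile(r"^access-list\s+(\S+?);\s+(\d+)\s+elements\b")
# Conservative allow-list applied before a name is placed in a CLI line.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")

# Device output copied from the thread.
DEVICE_OUTPUT = """\
access-list CSM_FW_ACL_outside; 1596 elements
access-list CSM_FW_ACL_inside; 9222 elements
access-list CSM_FW_ACL_dmz4; 538 elements
access-list CSM_FW_ACL_dmz3; 2762 elements
access-list CSM_FW_ACL_dmz2; 1724 elements
access-list CSM_FW_ACL_dmz1; 2536 elements
"""
# Constructed values standing in for what SYS_FW_ACL_IN_NAME and
# SYS_FW_ACL_OUT_NAME might hold (assumption, not taken from a device).
IN_NAMES = ["CSM_FW_ACL_inside", "CSM_FW_ACL_dmz1", "CSM_FW_ACL_dmz2",
            "CSM_FW_ACL_dmz3", "CSM_FW_ACL_outside"]
OUT_NAMES = ["CSM_FW_ACL_outside"]

def parse_acl_summary(text):
    """Return {acl_name: element_count} from the device output."""
    matches = (SUMMARY_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in matches if m}

def clear_commands(in_names, out_names):
    """One 'clear access-list <name> counters' line per distinct ACL name."""
    names = list(dict.fromkeys([*in_names, *out_names]))  # dedupe, keep order
    bad = [n for n in names if not NAME_RE.fullmatch(n)]
    if bad:
        raise ValueError(f"unexpected ACL name(s): {bad!r}")
    return [f"clear access-list {n} counters" for n in names]

def uncovered(device_acls, in_names, out_names):
    """ACLs present on the device that neither name list would clear."""
    return sorted(set(device_acls) - set(in_names) - set(out_names))

if __name__ == "__main__":
    acls = parse_acl_summary(DEVICE_OUTPUT)
    print("\n".join(clear_commands(IN_NAMES, OUT_NAMES)))
    print("not covered:", uncovered(acls, IN_NAMES, OUT_NAMES))
```
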
