topic Re: Re writing ACL with Log keyword in Network Security

Re writing ACL with Log keyword

CSCO12053961 — Tue, 13 Oct 2020 05:25:16 GMT

Hi Team,

I am looking for some convenient option to add a log statement to the existing access-list on multi-context ASA running 9.14(1), the ACL count is more than 1000.

I figured out 2 options :

1. Using ASDM, which has the limitation of one ACL at a time.

2. Re-adding all ACL via CLI, any other options may save some effort.

Re: Re writing ACL with Log keyword

balaji.bandi — Tue, 13 Oct 2020 07:07:16 GMT

The second option is reasonable. if you can do some automation that will do the job. do this task offline and publish online to device using script.

Re: Re writing ACL with Log keyword

Mohammed al Baqari — Tue, 13 Oct 2020 08:00:42 GMT

Hi, you might have a problem with cpu if this acl is matched at high rate
(hence the restriction on asdm). If you want to match specific line, create
an acl matching your specific 5-tuples with log option. This is safe
approach. Your approach seems very risky to add for acl with more than
1000 lines. Most likely will create a performance problem.

***** please remember to rate useful posts

***** please remember to rate useful posts

Re: Re writing ACL with Log keyword

CSCO12053961 — Fri, 16 Oct 2020 03:48:19 GMT

Hi Balaji,

Thank you.

I am very new to automation, could you please suggest to me any document or example article.

Re: Re writing ACL with Log keyword

CSCO12053961 — Fri, 16 Oct 2020 03:56:18 GMT

Hi Baqari,

Thank you.

is your advice is to create a new ACL to only math the specific traffic, rather than logging all?

For CPU we have 64 core CPU firepower appliance in place and the current load is about 5% max, logging all ACL is a requirement for firewall rule analysis tool (AlgoSec), So I have to log all ACL, so unused or less used can be revealed or caught.

Re: Re writing ACL with Log keyword

Marius Gunnerud — Fri, 16 Oct 2020 08:00:03 GMT

Although I agree with Mohammed that you should be careful when enabling logging on so many rules, especially on the ASA, you could add the log keyword using a simple python script. First pull the ACL configuration from the ASA and save it in a file. Then run the following script to add the log keyword at the end of each entry. Be sure to change the path to where the files are located to match the actual location you have saved them to:

#Read the original ACL file and add the entries into a list

def read_file():

with open('D:\\Python\\Network Programability\\Files\\ASA_ACL.txt', 'r') as file_object:
file_info_list = []
for line in file_object:
file_info_list.append(line.strip())
return file_info_list

#Loop through the newly created list adding the log keyword at the end of the ACL and write to a new file

with open('D:\\Python\\Network Programability\\Files\\ASA_ACL_new.txt', 'w') as write_file:
file_object = read_file()

for line in file_object:
write_file.write(f"{line} log\n")

You can obviously script the process of adding the lines back to the ASA. However, I prefer to do that part as a manual job as I can then react to any errors or issues that might pop up while adding them.