topic Re: Hit Count Analyzer - FMC 6.6.1 in Network Security

Hit Count Analyzer - FMC 6.6.1

Scott_22 — Wed, 27 Jan 2021 22:46:29 GMT

When I run the hitcount analyzer for an ACP and export it to a CSV, the rules with 0 hit counts do not have a date indicating they were never used. Is this the expected behavior? For some of the rules with 0, I imagine they were used at some point, but I can't tell with the date missing from the result.

Re: Hit Count Analyzer - FMC 6.6.1

balaji.bandi — Wed, 27 Jan 2021 23:38:34 GMT

have you enabled the Log for that ACP, If so please check with the command?

You can also test from FTD :

> show access-control-config

Re: Hit Count Analyzer - FMC 6.6.1

Scott_22 — Thu, 28 Jan 2021 16:02:41 GMT

Yes, logging is enabled at the end of the connection.

Re: Hit Count Analyzer - FMC 6.6.1

balaji.bandi — Thu, 28 Jan 2021 17:22:10 GMT

Can you post the output from command level and GUI to see what is wrong?

Re: Hit Count Analyzer - FMC 6.6.1

Scott_22 — Thu, 28 Jan 2021 20:58:00 GMT

What output are you looking for? When I run the hit count analyzer, there is not an entry in the "last hit time" field for hit counts of 0. The same is true from the CLI.

Re: Hit Count Analyzer - FMC 6.6.1

Scott_22 — Tue, 02 Feb 2021 15:50:53 GMT

Also to note, I have found rules with an incremented hitaount that do not have logging enabled. Are you sure enabling logging pertains to the hit count analyzer?

Re: Hit Count Analyzer - FMC 6.6.1

Marvin Rhoads — Tue, 02 Feb 2021 16:27:02 GMT

Hit counts will increment independent of logging being set. Logging will additionally generate a syslog message.

Hit counts are not retained across a reboot so a zero count is implicitly "since last boot" (or manual clear of the counts).

Reference (from ASA but the same logic applies): https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html#wp3307265190

log [[level ] [interval secs ] | disable | default ]

(Optional) Sets logging options when an ACE matches a packet for network access (an ACL applied with the access-group command). If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated for denied packets. Log options are:

level —A severity level between 0 and 7. The default is 6 (informational). If you change this level for an active ACE, the new level applies to new connections; existing connections continue to be logged at the previous level.
interval secs —The time interval in seconds between syslog messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow from the cache used to collect drop statistics.
disable —Disables all ACE logging.
default —Enables logging to message 106023. This setting is the same as not including the log option.

Re: Hit Count Analyzer - FMC 6.6.1

Scott_22 — Tue, 02 Feb 2021 19:36:27 GMT

Thank you for clarifying! The previous comment was misleading around how logging should be enabled.

Re: Hit Count Analyzer - FMC 6.6.1

balaji.bandi — Tue, 02 Feb 2021 20:12:36 GMT

Apologies - i may have mixed things here, Logging is different and hit count is different.

Hit count based on the ACP policies matched and processed.

@Marvin Rhoads is right and corrected.