topic Hi Ronaldo,You could use the in Network Security

Delete unused object-groups

Rolando Valenzuela — Tue, 12 Mar 2019 06:45:17 GMT

Hello Community!

I would like to clean up an old ASA (5520) which is still in production, so I cannot just wipe the config and start over and I was wondering if there is way to know which object groups are being used and which are not (so I can delete them).

When it comes to ACL, I will uses Notepadd++ and an User Defined Language to help me with the reading.

I know that it is going to take time but I want to do it 🙂 if you have any suggestions or additional tools that can help me I want to hear about them.

Thanks!

Rolando Valenzuela.

Hi Ronaldo,You could use the

Akshay Rastogi — Thu, 15 Oct 2015 18:14:32 GMT

Hi Ronaldo,

You could use the 'show access-list' output and see if there is hit counts. whichever is not having you could remove that.

Regards,

Akshay Rastogi

I think about that, but I

Rolando Valenzuela — Thu, 15 Oct 2015 19:09:21 GMT

I think about that, but I would like a easier way to do it hahahahah since the FW has like 100+ object group and each ACL is more than 300 lines.

The other idea I came with, is that I can make a list of all the object-groups that are in all the ACLs and check which object groups are not in the ACL, at least is a start!

Hi Rolando,In any case if

Akshay Rastogi — Thu, 15 Oct 2015 20:08:22 GMT

Hi Rolando,

In any case if this any of the object-group in any acl gets a hit then you are not gonna remove that.

You could try this as well:

"sh access-list | in object|object-group"

Regards,

Akshay Rastogi

HiIf an object or object

Henrik Grankvist — Thu, 15 Oct 2015 20:12:19 GMT

If an object or object-group is referenced in an ACL you can't remove that object/object-group. It will say that the object/object-group is referenced and can't be removed. So just try and remove them and you will notice which are used and which are not used.

Kind of risky, dont you think

Rolando Valenzuela — Thu, 15 Oct 2015 22:06:55 GMT

Kind of risky, dont you think? 😕

If there is not an easy way, I will one one by one 😞 hahahahha

Might be easier too to try

Charger1129 — Thu, 15 Oct 2015 23:53:28 GMT

Might be easier too to try using the ASDM. The GUI isn't too bad for seeing the hit counts on the object groups. You can also disable ACLs temporarily before removing them from there. That way if any issues arise, you can easily re-enable without deleting them completely from the command line.

Use ASDM. Just right click on

Marvin Rhoads — Fri, 16 Oct 2015 04:25:40 GMT

Use ASDM. Just right click on the object groups in turn and select "where used".

It will pop up a window showing you the configuration bits that reference the highlighted object group.

I have no idea what can be

Karsten Iwen — Sat, 17 Oct 2015 23:13:39 GMT

I have no idea what can be done with the "User Defined Language", but things like these can be handled with a little bit of scripting. You need:

a file with all the objects/object-groups (only the names)
a file with the ACLs or the config that you want to check
and of course a system that can run scripts like these

#!/bin/bash

while read line
do
    echo ""
    echo "$line": 
    echo "===================="
    grep -c "$line" $2
done < "$1"

This script can be called

./script object-file.txt acl-file.txt

and will give you a line-count for the usage of the object/object-group names.

I used it once to clean up a FWSM-config with about 20k of ACEs. Probably there are more elegant ways to solve that, but it worked quite well.

You could also try a trial

Marvin Rhoads — Sun, 18 Oct 2015 02:28:35 GMT

You could also try a trial version (free) of SolarWinds Firewall Security Manager (FSM). It will analyze your configuration for unused objects and object groups (among many other things).

Interesting, I will try this

Rolando Valenzuela — Sun, 18 Oct 2015 22:19:27 GMT

Interesting, I will try this and with SolarWinds Firewall Security Manager per Martin's advice.

Easy way to detect unused

Peter Koltl — Tue, 21 Mar 2017 10:08:50 GMT

Easy way to detect unused network objects/groups on ASA