topic Re: ASA Object Searches in Network Security

ASA Object Searches

zyang — Tue, 12 Mar 2019 01:56:05 GMT

Is it possible to search via command line what object-groups an object belong to?

Thanks.

ASA Object Searches

Jouni Forss — Tue, 11 Jun 2013 12:47:22 GMT

Hi,

Do you mean that you want to find an "object-group" which has an "object" under it?

I guess there is no direct command for that (that I know of at the moment) but you could use something like this

show run object-group | inc object-group|

Where you replace the with the actual name of the "object"

You will get some useless "object-group" output BUT when you hit the part of output where the actual "object-group" holding the "object" is you will see it clearly.

- Jouni

ASA Object Searches

zyang — Tue, 11 Jun 2013 12:54:32 GMT

For example say I have an object called serverA and it belongs to object-group serverGroup1 and serverGroup2. I would like to do be able to do a search in command line that will show that serverA belongs to those 2 groups. Currently the only way I know of finding out what object-groups an object belongs to, is to show all the contents of every object-group, copy and paste it to notepad and do a search. Either that or through ASDM. But I would prefer a way to do it easily on command line as well.

Re: ASA Object Searches

Jouni Forss — Tue, 11 Jun 2013 13:06:06 GMT

Hi,

The above example should apply to your situation.

It still produces useless output it will be easy to go through wihtout using ANY search functions in any text editor

It will produce the output of all the "object-group" lines in the configuration and it will also show the "object" in between the "object-group"

For example, lets say us we have "object-group network LAN1" to "object-group network LAN20" configured on the ASA and two of them had an "object" called "PC100".

We would use this command

show run object-group | inc object-group|PC100

object-group network LAN1

object-group network LAN2

object-group network LAN3

object-group network LAN4

object-group network LAN5

object-group network LAN6

object-group network LAN7

network-object object PC100

object-group network LAN8

object-group network LAN9

object-group network LAN10

object-group network LAN11

object-group network LAN12

object-group network LAN13

network-object object PC100

object-group network LAN14

object-group network LAN15

object-group network LAN16

object-group network LAN17

object-group network LAN18

object-group network LAN19

object-group network LAN20

As you can see, it would be easy to spot the correct "object-group" from the output

- Jouni

Re: ASA Object Searches

zyang — Tue, 11 Jun 2013 15:02:36 GMT

That actually worked. Thanks!

Though it functions like a poor mans search function.

But I can't complain, it does what I need it to do.

Cisco really should put out a search feature for this.

Thanks again.

Re: ASA Object Searches

zyang — Tue, 11 Jun 2013 15:05:56 GMT

Is there no way to get rid of the extra input?

Also I didn't realize you could pipe and output to another output.

I'm trying to understand how it work.

The first pipe ( | include object-group ) would only include lines that have object-groups in it.

But the next pipe ( | ) would output what ever you put there?

Re: ASA Object Searches

Jouni Forss — Tue, 11 Jun 2013 16:03:31 GMT

Hi,

Its indeed messy output.

But I would still say that it seems to me that the ASA has it way better related to all "show run" command variations than for example Cisco Routers. ASA seems to have "show run" command for almost every aspect of the configuration which I like. And naturally the "show run all" command even shows those default settings that dont normally show on the "show run" output.

The search I did basicly includes line that have either "object-group" or "object" in them. The actual "show run object-group" command is used to limit the output so we dont see all the ACLs that might hold "object" or "object-group" etc.

If you want to view a single "object-group" configuration you can use the command

show run object-group id

Same goes for "object"

show run object id

Would be alot better if you could do searches using both "include" and "exclude" or use grep commands to do the same. There is an option to use grep but its either "grep" or "grep -v" not both.

I am actually sure there are other options to search the configurations but I have never really had the need to go any deeper though I guess it wouldnt really hurt to learn the formats with which you can narrow down the output.

Here is some basic information about filtering the output

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_cli.html#wp1020957

Here is a link to a table in the same document which lists options to narrow down the output

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_objects.html#wpxref23489

- Jouni

Re: ASA Object Searches

gtlnss — Wed, 10 Oct 2018 16:00:40 GMT

Helpful