topic Easy way to detect unused network objects/groups on ASA in Network Security

Easy way to detect unused network objects/groups on ASA

Andy White — Mon, 11 Mar 2019 21:36:25 GMT

Hello,

I find that every 6-12 months I will log on to the ASDM and go to the Network Objects/Groups section and spend ages right clicking on each object and seeing if it is still being used and if it isn't I then delete it. It can take a long time as our config is large, are there any better ways of keeping the ASA update to date?

Thanks

Easy way to detect unused network objects/groups on ASA

varrao — Tue, 11 Oct 2011 13:41:48 GMT

HI Andy,

You've got a difficult one here, there's no automated way for it, and it might include tedious overhead. You migt first need to run through the config. The best that I can think of is:

lets say you want to check whether object-group DM_INLINE_24 is being used somewhere or not then do:

show run | inc DM_INLINE_24

If it returns any ACL or nat statements, then it is being used, otherwise not.

Thanks,

Varun

Easy way to detect unused network objects/groups on ASA

Andy White — Tue, 11 Oct 2011 13:43:53 GMT

Thanks

Easy way to detect unused network objects/groups on ASA

robdog01 — Tue, 19 Nov 2013 22:13:50 GMT

Hello,

I know that this is a very old post, however, starting in ASDM 7.1(3), there is a "Not Used" button in the app. Click it and it will provide you list of objects/groups that are not being used in ACLs. You can then choose which objects to delete (they're all checked by default).

As of 7.1(4), however, there is no such feature for protocols/protocol groups.

Hopefully this helps someone - I know that it saved me a lot of time in a few firewall migration projects!

Rob.

Easy way to detect unused network objects/groups on ASA

jumora — Tue, 19 Nov 2013 22:52:02 GMT

Very cool!!!!

Easy way to detect unused network objects/groups on ASA

Andy White — Wed, 20 Nov 2013 09:10:34 GMT

Hello,

Where is this button, I'm now on 7.1.(4) and will find this so useful.

Thanks

Easy way to detect unused network objects/groups on ASA

raza555 — Mon, 25 Nov 2013 21:58:16 GMT

Hi,

Please advise that where to locate this button.

Thanks

Easy way to detect unused network objects/groups on ASA

Marvin Rhoads — Mon, 25 Nov 2013 23:10:26 GMT

This one was new to me as well. I searched and could not find mention of it in either the release notes or configuration guide.

To find it, go into the "Configuration, Firewall" section and make sure you have turned on "View, Addresses". You should then see the "Not Used" button as shown below (click to enlarge screenshot):

Easy way to detect unused network objects/groups on ASA

Collin Clark — Tue, 26 Nov 2013 03:57:16 GMT

One more resource-

http://www.tunnelsup.com/config-cleanup/

Easy way to detect unused network objects/groups on ASA

Constantin_Pop83 — Fri, 28 Feb 2014 20:19:07 GMT

We noticed a issue with using that button:

If the object has a NAT associated with it, using that button will still show the object is not used and will delete the NAT.

Although when doing a right click on the object and "Where used" will show that it's used in a NAT rule.

The best way to delete all of

dit.cor — Wed, 08 Feb 2017 08:30:52 GMT

The best way to delete all of not used objects to delete all objects. If the object is used, the ASA displays an error and not delete it.

Re: Easy way to detect unused network objects/groups on ASA

dmnsrk — Tue, 19 Mar 2019 10:02:57 GMT

Hi,

Is this problem still exist?