topic Re: hit counts against object group objects in Network Security

hit counts against object group objects

Kevin Melton — Mon, 11 Mar 2019 13:52:15 GMT

When the command "sho access-list" is performed, it allows the admin to see what hit counts have occured against each line within an Access-list statement. However it does not show a hit count with reference to object groups in the ACL.

How can one display the hit counts for the items in the object group(s)?

Thanks

Re: hit counts against object group objects

Matthew Warrick — Thu, 02 Oct 2008 17:50:17 GMT

sh run access-list "name" will display the the access-list as it exists in the config.

sh access-list "name" will display the full access list including the exploded object-groups and includes the line number they correspond to in the ACL.

For example, if line 13 has an object group in it... when you do sh access-l "name" you will see multiple instance of "line 13" with a "hitcnt=X" at the end of each object group entry.

Like such:

access-list outside_acl line 13 extended permit tcp object-group XXX_Ent_Monitoring object-group Ent_Monitoring eq 17000 0xd22e53d4

access-list outside_acl line 13 extended permit tcp host 10.182.31.60 host 172.19.6.91 eq 17000 (hitcnt=0) 0xf48c6831

access-list outside_acl line 13 extended permit tcp host 10.182.31.60 host 172.19.6.92 eq 17000 (hitcnt=0) 0x569de0fe

access-list outside_acl line 13 extended permit tcp host 10.183.31.60 host 172.19.6.91 eq 17000 (hitcnt=0) 0xaece0fd5

access-list outside_acl line 13 extended permit tcp host 10.183.31.60 host 172.19.6.92 eq 17000 (hitcnt=0) 0xa22933b1

access-list outside_acl line 13 extended permit tcp host 10.184.31.60 host 172.19.6.91 eq 17000 (hitcnt=0) 0x34463c69

access-list outside_acl line 13 extended permit tcp host 10.184.31.60 host 172.19.6.92 eq 17000 (hitcnt=0) 0x09b103ca

access-list outside_acl line 13 extended permit tcp host 10.181.31.60 host 172.19.6.91 eq 17000 (hitcnt=0) 0xc1f77cfb

access-list outside_acl line 13 extended permit tcp host 10.181.31.60 host 172.19.6.92 eq 17000 (hitcnt=0) 0xc97881bb

access-list outside_acl line 13 extended permit tcp host 10.186.31.14 host 172.19.6.91 eq 17000 (hitcnt=0) 0xf52becd4

access-list outside_acl line 13 extended permit tcp host 10.186.31.14 host 172.19.6.92 eq 17000 (hitcnt=0) 0x6fa023ee

access-list outside_acl line 13 extended permit tcp host 10.186.31.17 host 172.19.6.91 eq 17000 (hitcnt=0) 0x23efa629

access-list outside_acl line 13 extended permit tcp host 10.186.31.17 host 172.19.6.92 eq 17000 (hitcnt=0) 0xf1cae94e

Re: hit counts against object group objects

whistleblower14 — Fri, 30 Mar 2018 19:48:11 GMT

Hi Guys,

I´d like to expand the question... I`m using in an ACL on an IOS-Device (15.5.3) an object-group Service in the ACE - but in comparison to an ASA when issuing the "Show ip access-list" Output, not each Service Statement is showing up! Is there something I`ve done wrong or I´ve forgotten in my config? OR is this not possible at all?!

e.g.

IOS:

object-group service OBJ-SERVICE_TEST-IOS

tcp-udp eq 102

ip access-list extended ACL_TEST-IOS

permit object-group OBJ-SERVICE_TEST-IOS any any

IOS#sh ip access-lists ACL_TEST-IOS

Extended IP access list ACL_TEST-IOS

10 permit object-group OBJ-SERVICE_TEST-IOS any any (10 matches)

+++ ONLY ONE LINE

ASA:

object-group service OBJ-SERVICE_TEST-ASA tcp-udp

port-object eq 102

access-list TEST_ACL-ASA extended permit object-group OBJ-SERVICE_TEST-ASA any4 any4

ASA# sh access-list

access-list TEST_ACL-ASA line 1 extended permit object-group OBJ-SERVICE_TEST-ASA any4 any4 (hitcnt=10)

access-list TEST_ACL-ASA line 1 extended permit tcp any4 any4 eq 102 (hitcnt=5)

access-list TEST_ACL-ASA line 1 extended permit udp any4 any4 eq 102 (hitcnt=5)

+++ AN ENTRY ALSO FOR EACH SERVICE - TCP/UDP +++

gr, Dan