https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454190#M8300 <BLOCKQUOTE><SPAN>or, just flick the allow all any any to deny and see what breaks</SPAN></BLOCKQUOTE><P>The story of my life. <SPAN class="lia-unicode-emoji" title=":slightly_smiling_face:"><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN> I actually did look up this subject before I asked again hoping that they had added it to the API and I just couldn't find it. I'd bet you it is there but is expensive to execute so they just don't document it.</P> Wed, 22 Nov 2023 15:16:26 GMT james.betts 2023-11-22T15:16:26Z https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454185#M8295 <P>A customer of mine needs to see hit counts on MX rules so that he can eliminate his any-any permit rule after verifying that all legit traffic is covered. We can get a snapshot by looking at the L3 rules with the GUI but we'd like to have several days of data to ensure that we're going to break as few things as possible. getNetworkApplianceFirewallL3FirewallRules tells us what the rules are, but no hit counts. Any suggestions?</P> Tue, 21 Nov 2023 18:51:28 GMT https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454185#M8295 james.betts 2023-11-21T18:51:28Z https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454186#M8296 <P>I would suggest a Syslog server . And analyse that data</P> Tue, 21 Nov 2023 19:03:50 GMT https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454186#M8296 ww^ 2023-11-21T19:03:50Z https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454187#M8297 <P>Hmmm, when using the dashboard, I believe hits are only recorded while you have the page open. I have no idea what the returned value would mean from the API in this context.</P><P>+1 to <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/1890">@jdb1</A> . You will need to use syslog for this.</P> Tue, 21 Nov 2023 19:16:42 GMT https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454187#M8297 Philip D'Ath 2023-11-21T19:16:42Z https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454188#M8298 <P>You'll need to indeed use a syslog server and parse the firewall events in it.<BR />Don't forget to discard the flow_start and flow_end events.<BR />At the end of the firewall events you have a matching statement that should make it obvious which actual rule it is matching. The rule number or name is NOT in the log.<BR /><BR />Once you have filtered out the events you want you only need a linecount to get your counters.</P> Tue, 21 Nov 2023 20:29:20 GMT https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454188#M8298 joey.debra 2023-11-21T20:29:20Z https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454189#M8299 <P>As previously stated set up a syslog server to view live traffic - kiwi syslog do a free trial license for 30 days.</P><P>or, just flick the allow all any any to deny and see what breaks</P> Wed, 22 Nov 2023 09:23:05 GMT https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454189#M8299 MerakiGnome 2023-11-22T09:23:05Z https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454190#M8300 <BLOCKQUOTE><SPAN>or, just flick the allow all any any to deny and see what breaks</SPAN></BLOCKQUOTE><P>The story of my life. <SPAN class="lia-unicode-emoji" title=":slightly_smiling_face:"><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN> I actually did look up this subject before I asked again hoping that they had added it to the API and I just couldn't find it. I'd bet you it is there but is expensive to execute so they just don't document it.</P> Wed, 22 Nov 2023 15:16:26 GMT https://community.cisco.com/t5/network-platform-api/mx-l3-rule-hit-counts/m-p/5454190#M8300 james.betts 2023-11-22T15:16:26Z