Attempt to clean-up ASA - Last rule hit

jlaay-diode
Level 1

Hi all,

I would like to get an output on when an ACL was hit for the last time.

From within ASDM you can get the date when you hover over the hit count. A bit cumbersome to do this manually for all ACLs :(.

However I've not yet found a CLI command that shows that kind of output.

Has anyone a command or (perl) script to accomplish this?

Thanx,

Jaap Laaij

Netherlands

info@diode-networks.nl

1 Reply

sjhloco
Level 1

Hi,


Guessing it's probably not needed anymore, but yes, it can be done. To do it individually is pretty painful: you have to use show access-list all_name brief to get the unix-time and match the hashes from that with the ACE hash (minus the 0x at the start). So for example, first get the ACEs that have hits from an ACL:


HME-ASA-XFW01# show access-list TRUST | ex hitcnt=0|remark|elements

access-list TRUST line 2 extended permit icmp any any echo (hitcnt=749471) 0xbfa73683
access-list TRUST line 4 extended permit icmp any any unreachable (hitcnt=78245) 0x6268d60f
access-list TRUST line 5 extended permit icmp any any time-exceeded (hitcnt=8) 0x769149f2
access-list TRUST line 9 extended permit udp any host 10.10.10.254 eq domain (hitcnt=44695) 0xcb65c37c
access-list TRUST line 13 extended permit ip any object-group LOCAL_NETWORKS (hitcnt=335259) 0x5db22105
  access-list TRUST line 13 extended permit ip any 10.10.0.0 255.255.0.0 (hitcnt=335259) 0x1dcf0891
access-list TRUST line 14 extended permit ip any any (hitcnt=5519961) 0xd647c2aa


Now if you run access-list brief for that same ACL it should have the exact same number of ACE entries (not including the unexpanded rule):


HME-ASA-XFW01# show access-list TRUST brief
access-list TRUST; 24 elements; name hash: 0x106592f8
bfa73683 00000000 000b6f9f 6091c5b8
6268d60f 00000000 000131a5 6092e013
769149f2 00000000 00000008 603e0bb2
cb65c37c 00000000 0000ae97 6092dced
1dcf0891 5db22105 00051d9b 6091b754
d647c2aa 00000000 00543a7c 6092e0ab


The first column is the hash, which will match the ACE hash, and the last column is the unix-time; I am not sure what the other columns are. If you put 6091b754 in a converter such as https://www.epochconverter.com it will give you the human-readable time.


Unless you have a very specific use case this isn't really very manageable. I wrote a script a while ago that will produce an XL report of the last hit times of all rules. Nothing has changed much in newer versions, so it should still work.

https://github.com/sjhloco/asa_acl_report


Alternatively there is a python package that does a similar thing, although I haven't used it.

https://pypi.org/project/acl-stats/


Thanks
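The correlation described in the reply above, written out as an added example; this is not the poster's asa_acl_report script and not the acl-stats package, just a small stand-alone parser over the two outputs shown. The sample strings are trimmed copies of the `show access-list TRUST` and `show access-list TRUST brief` output in the reply. Beyond what the reply states, the example also uses two things that can be read off the shown values: the third brief column is the hit count in hex (0x000b6f9f is 749471, matching hitcnt=749471 on line 2), which gives a cheap cross-check that the two outputs were captured together, and the second column appears to be the hash of the parent object-group ACE for an expanded entry (0x5db22105 next to the 10.10.0.0 line). Both readings are inferred from the sample and marked as such in the code.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: trimmed copies of the two ASA outputs quoted in the reply.
ACL_OUTPUT = """\
access-list TRUST line 2 extended permit icmp any any echo (hitcnt=749471) 0xbfa73683
access-list TRUST line 4 extended permit icmp any any unreachable (hitcnt=78245) 0x6268d60f
access-list TRUST line 13 extended permit ip any object-group LOCAL_NETWORKS (hitcnt=335259) 0x5db22105
  access-list TRUST line 13 extended permit ip any 10.10.0.0 255.255.0.0 (hitcnt=335259) 0x1dcf0891
access-list TRUST line 14 extended permit ip any any (hitcnt=5519961) 0xd647c2aa
"""

BRIEF_OUTPUT = """\
access-list TRUST; 24 elements; name hash: 0x106592f8
bfa73683 00000000 000b6f9f 6091c5b8
6268d60f 00000000 000131a5 6092e013
1dcf0891 5db22105 00051d9b 6091b754
d647c2aa 00000000 00543a7c 6092e0ab
"""

# One ACE line: "access-list <acl> line <n> <rule> (hitcnt=<n>) 0x<hash>"; leading
# whitespace is allowed because expanded object-group entries are indented.
ACE_RE = re.compile(
    r"^\s*access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\) 0x([0-9a-f]{8})\s*$"
)
# One brief row: four 8-digit hex words. Column meanings inferred from the sample:
# ace-hash, parent-hash (zero unless expanded from an object-group), hits, last-hit epoch.
BRIEF_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8})$")


def parse_aces(text):
    """Map ACE hash (without 0x) -> rule details from 'show access-list <name>'."""
    aces = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header, remark or elements line: not an ACE
        acl, lineno, rule, hitcnt, ace_hash = m.groups()
        aces[ace_hash] = {"acl": acl, "line": int(lineno), "rule": rule, "hitcnt": int(hitcnt)}
    return aces


def parse_brief(text):
    """Map ACE hash -> parent hash, hit count and last-hit epoch from '... brief'."""
    brief = {}
    for line in text.splitlines():
        m = BRIEF_RE.match(line.strip())
        if not m:
            continue  # the "access-list TRUST; 24 elements; ..." header
        ace_hash, parent_hash, hits_hex, ts_hex = m.groups()
        brief[ace_hash] = {
            "parent": parent_hash,
            "hits": int(hits_hex, 16),      # inferred: hit count in hex
            "last_hit": int(ts_hex, 16),    # unix time, as the reply states
        }
    return brief


def last_hit_report(acl_text, brief_text):
    """Join both outputs on the ACE hash and render the last-hit time as UTC."""
    aces = parse_aces(acl_text)
    brief = parse_brief(brief_text)
    report = []
    for ace_hash, ace in aces.items():
        row = brief.get(ace_hash)
        if row is None:
            # The unexpanded object-group parent has no brief row of its own.
            report.append({**ace, "last_hit": None, "hit_mismatch": None})
            continue
        when = datetime.fromtimestamp(row["last_hit"], tz=timezone.utc)
        report.append({
            **ace,
            "last_hit": when.strftime("%Y-%m-%d %H:%M:%S"),
            # True if the two captures disagree on the hit count, i.e. were not
            # taken together and the timestamp may not belong to this hitcnt.
            "hit_mismatch": row["hits"] != ace["hitcnt"],
        })
    return report


if __name__ == "__main__":
    for entry in last_hit_report(ACL_OUTPUT, BRIEF_OUTPUT):
        print(f"{entry['acl']} line {entry['line']:>3} "
              f"last hit {entry['last_hit'] or 'n/a':<19} {entry['rule']}")
```

Running it prints one row per ACE with the last-hit time in UTC; the `hit_mismatch` flag is what you would look at before trusting a timestamp as the basis for removing a rule, since a `brief` capture taken at a different moment than the full listing would carry different counters. Unused rules show up as ACEs filtered out by the `ex hitcnt=0` in the reply, so they never appear in either input here; a clean-up report would list those separately from the "hit, but long ago" rules this example dates.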
