Delete unused object-groups

Hello Community!

I would like to clean up an old ASA (5520) which is still in production, so I cannot just wipe the config and start over, and I was wondering if there is a way to know which object-groups are being used and which are not (so I can delete them).

When it comes to ACLs, I will use Notepad++ and a User Defined Language to help me with the reading.

I know that it is going to take time, but I want to do it :) If you have any suggestions or additional tools that can help me, I want to hear about them.


Thanks!

Rolando Valenzuela.

11 Replies

Akshay Rastogi
Cisco Employee

Hi Rolando,

You could use the 'show access-list' output and see if there are hit counts. Whichever ones have none, you could remove.


Regards,

Akshay Rastogi

I thought about that, but I would like an easier way to do it hahahahah since the FW has like 100+ object-groups and each ACL is more than 300 lines.

The other idea I came up with is that I can make a list of all the object-groups that are in all the ACLs and check which object-groups are not in the ACLs; at least it's a start!

Hi Rolando,

In any case, if any of the object-groups in any ACL gets a hit, then you are not going to remove that.

You could try this as well:

"sh access-list | in object|object-group"


Regards,

Akshay Rastogi

Might be easier too to try using the ASDM. The GUI isn't too bad for seeing the hit counts on the object-groups. You can also disable ACLs temporarily before removing them from there. That way, if any issues arise, you can easily re-enable them without deleting them completely from the command line.

Hi

If an object or object-group is referenced in an ACL, you can't remove that object/object-group. It will say that the object/object-group is referenced and can't be removed. So just try to remove them and you will notice which are used and which are not used.

Kind of risky, don't you think? :/

If there is not an easy way, I will go one by one :( hahahahha

Marvin Rhoads
Hall of Fame

Use ASDM. Just right click on the object groups in turn and select "where used".

It will pop up a window showing you the configuration bits that reference the highlighted object group.

I have no idea what can be done with the "User Defined Language", but things like these can be handled with a little bit of scripting. You need:

  1. a file with all the objects/object-groups (only the names)
  2. a file with the ACLs or the config that you want to check
  3. and of course a system that can run scripts like these
#!/bin/bash
# usage: ./script object-file.txt acl-file.txt
# $1: one object/object-group name per line; $2: the ACL or config file to search

while IFS= read -r line
do
    echo ""
    echo "$line":
    echo "===================="
    # count lines in which some whitespace-separated field equals the name exactly;
    # a plain grep -c would also count "WEB" as a hit for "WEB-SERVERS"
    awk -v name="$line" '{ for (i = 1; i <= NF; i++) if ($i == name) { c++; break } } END { print c + 0 }' "$2"
done < "$1"

This script can be called

./script object-file.txt acl-file.txt

and will give you a line-count for the usage of the object/object-group names.

I used it once to clean up an FWSM config with about 20k ACEs. There are probably more elegant ways to solve that, but it worked quite well.
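The line-count approach above only tells you how often a name appears; it does not tell you whether a group is reachable from an ACL at all, and a group referenced only by another unused group (nested `group-object`) still shows a non-zero count. The following Python script is an added example, not code from the thread: it parses a saved `show running-config` text (the config excerpt is constructed for illustration), collects every `object-group` definition, treats references outside definitions (access-list, nat, and similar lines) as real uses, follows nesting, and reports the groups that nothing reachable refers to. Like ASDM's "where used", this is a static check and says nothing about hit counts.

```python
import re
from collections import defaultdict

# Constructed ASA config excerpt for demonstration; not from the thread.
SAMPLE_CONFIG = """\
object-group network WEB-SERVERS
 network-object host 10.0.0.10
object-group network WEB-SERVERS-OLD
 network-object host 10.0.0.11
object-group network ALL-SERVERS
 group-object WEB-SERVERS
object-group network ORPHAN-PARENT
 group-object WEB-SERVERS-OLD
object-group service WEB-PORTS tcp
 port-object eq 80
access-list OUTSIDE_IN extended permit tcp any object-group ALL-SERVERS object-group WEB-PORTS
"""

GROUP_DEF = re.compile(r"^object-group\s+\S+\s+(\S+)")   # "object-group <type> <name> ..."
NESTED_REF = re.compile(r"^\s+group-object\s+(\S+)")     # nesting inside a definition
TOP_REF = re.compile(r"\bobject-group\s+(\S+)")          # reference on any other line

def parse(config):
    """Return (defined names, group -> nested groups, names referenced outside definitions)."""
    defined, nested, top_refs = set(), defaultdict(set), set()
    current = None  # group whose indented body we are currently inside
    for line in config.splitlines():
        m = GROUP_DEF.match(line)
        if m:
            current = m.group(1)
            defined.add(current)
        elif current and line.startswith(" "):
            m = NESTED_REF.match(line)
            if m:
                nested[current].add(m.group(1))
        else:  # access-list, nat, etc.: an object-group named here is a real use
            current = None
            top_refs.update(TOP_REF.findall(line))
    return defined, nested, top_refs

def unused_groups(config):
    """Groups not reachable from any non-definition reference, following nesting."""
    defined, nested, used = parse(config)
    stack = list(used)
    while stack:  # a group used only by another unused group stays unused
        for child in nested.get(stack.pop(), ()):
            if child not in used:
                used.add(child)
                stack.append(child)
    return sorted(defined - used)

if __name__ == "__main__":
    print("unused:", unused_groups(SAMPLE_CONFIG))
```

Note that `object network`/`object service` objects and references from sections other than object-group bodies are handled only as far as the literal text `object-group <name>` appears on the line; verify the list against ASDM's "where used" before deleting anything on a production firewall.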


Interesting, I will try this and with SolarWinds Firewall Security Manager per Martin's advice.

Marvin Rhoads
Hall of Fame

You could also try a trial version (free) of SolarWinds Firewall Security Manager (FSM). It will analyze your configuration for unused objects and object groups (among many other things).
