Solved: Easy way to detect unused network objects/groups on ASA

Andy White · ‎10-11-2011

Hello,

I find that every 6-12 months I will log on to the ASDM and go to the Network Objects/Groups section and spend ages right clicking on each object and seeing if it is still being used and if it isn't I then delete it. It can take a long time as our config is large, are there any better ways of keeping the ASA update to date?

Thanks

varrao · ‎10-11-2011

HI Andy,

You've got a difficult one here, there's no automated way for it, and it might include tedious overhead. You migt first need to run through the config. The best that I can think of is:

lets say you want to check whether object-group DM_INLINE_24 is being used somewhere or not then do:

show run | inc DM_INLINE_24

If it returns any ACL or nat statements, then it is being used, otherwise not.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎10-11-2011

HI Andy,

You've got a difficult one here, there's no automated way for it, and it might include tedious overhead. You migt first need to run through the config. The best that I can think of is:

lets say you want to check whether object-group DM_INLINE_24 is being used somewhere or not then do:

show run | inc DM_INLINE_24

If it returns any ACL or nat statements, then it is being used, otherwise not.

Thanks,

Varun

Thanks,
Varun Rao

Andy White · ‎10-11-2011

Thanks

dit.cor · ‎02-08-2017

The best way to delete all of not used objects to delete all objects. If the object is used, the ASA displays an error and not delete it.

robdog01 · ‎11-19-2013

Hello,

I know that this is a very old post, however, starting in ASDM 7.1(3), there is a "Not Used" button in the app. Click it and it will provide you list of objects/groups that are not being used in ACLs. You can then choose which objects to delete (they're all checked by default).

As of 7.1(4), however, there is no such feature for protocols/protocol groups.

Hopefully this helps someone - I know that it saved me a lot of time in a few firewall migration projects!

Rob.

jumora · ‎11-19-2013

Very cool!!!!

Value our effort and rate the assistance!

Andy White · ‎11-20-2013

Hello,

Where is this button, I'm now on 7.1.(4) and will find this so useful.

Thanks

raza555 · ‎11-25-2013

Hi,

Please advise that where to locate this button.

Thanks

Marvin Rhoads · ‎11-25-2013

This one was new to me as well. I searched and could not find mention of it in either the release notes or configuration guide.

To find it, go into the "Configuration, Firewall" section and make sure you have turned on "View, Addresses". You should then see the "Not Used" button as shown below (click to enlarge screenshot):

Constantin_Pop83 · ‎02-28-2014

We noticed a issue with using that button:

If the object has a NAT associated with it, using that button will still show the object is not used and will delete the NAT.

Although when doing a right click on the object and "Where used" will show that it's used in a NAT rule.

dmnsrk · ‎03-19-2019

Hi,

Is this problem still exist?

Collin Clark · ‎11-25-2013

One more resource-

http://www.tunnelsup.com/config-cleanup/