Explorer

Easy way to detect unused network objects/groups on ASA

Hello,

I find that every 6-12 months I will log on to the ASDM and go to the Network Objects/Groups section and spend ages right-clicking on each object and seeing if it is still being used, and if it isn't I then delete it. It can take a long time as our config is large. Are there any better ways of keeping the ASA up to date?

Thanks

Accepted Solution
Engager

Easy way to detect unused network objects/groups on ASA

Hi Andy,

You've got a difficult one here; there's no automated way for it, and it might include tedious overhead. You might first need to run through the config. The best that I can think of is:

Let's say you want to check whether object-group DM_INLINE_24 is being used somewhere or not. Then do:

show run | inc DM_INLINE_24

If it returns any ACL or nat statements, then it is being used, otherwise not.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Explorer

Easy way to detect unused network objects/groups on ASA

Thanks

Beginner

The best way to delete all of

The best way to delete all unused objects is to delete all objects. If the object is used, the ASA displays an error and does not delete it.

Beginner

Easy way to detect unused network objects/groups on ASA

Hello,

I know that this is a very old post; however, starting in ASDM 7.1(3), there is a "Not Used" button in the app. Click it and it will provide you a list of objects/groups that are not being used in ACLs. You can then choose which objects to delete (they're all checked by default).

As of 7.1(4), however, there is no such feature for protocols/protocol groups.

Hopefully this helps someone - I know that it saved me a lot of time in a few firewall migration projects!

Rob.

Rising star

Easy way to detect unused network objects/groups on ASA

Very cool!!!!

Value our effort and rate the assistance!
Explorer

Easy way to detect unused network objects/groups on ASA

Hello,

Where is this button? I'm now on 7.1(4) and will find this so useful.

Thanks

Beginner

Easy way to detect unused network objects/groups on ASA

Hi,

Please advise where to locate this button.

Thanks

Hall of Fame Master

Easy way to detect unused network objects/groups on ASA

This one was new to me as well. I searched and could not find mention of it in either the release notes or configuration guide.

To find it, go into the "Configuration, Firewall" section and make sure you have turned on "View, Addresses". You should then see the "Not Used" button as shown below:

Easy way to detect unused network objects/groups on ASA

We noticed an issue with using that button:

If the object has a NAT associated with it, using that button will still show the object as not used and will delete the NAT.

However, right-clicking on the object and choosing "Where used" will show that it is used in a NAT rule.
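As an added example, not from any of the posts above: a small Python script that does offline what Varun's `show run | inc NAME` check does by hand, over a saved `show run` output, and that counts NAT rules and nested object-groups as references, which is the gap reported for the ASDM "Not Used" button. The config excerpt is constructed for the demo, and the object names in it are made up.

```python
import re

# Constructed ASA running-config excerpt (not from the thread). OLD-SRV and
# DM_INLINE_25 are defined but never referenced; DB-SRV is only used by NAT.
SAMPLE_CONFIG = """\
object network WEB-SRV
 host 10.0.0.10
object network DB-SRV
 host 10.0.0.20
object network OLD-SRV
 host 10.0.0.99
object-group network DM_INLINE_24
 network-object object WEB-SRV
object-group network DM_INLINE_25
 network-object host 10.0.0.50
access-list OUTSIDE_IN extended permit tcp any object-group DM_INLINE_24 eq 443
nat (inside,outside) source static DB-SRV DB-SRV
"""

# Matches the definition line of an object or object-group: "object network NAME",
# "object-group service NAME", etc.
OBJ_DEF = re.compile(r"^(object|object-group) (\S+) (\S+)\s*$")


def where_used(config, name):
    """Return the config lines that reference NAME, excluding its own definition.
    This mirrors 'show run | inc NAME', except that the include filter also
    prints the definition line itself, so one hit from the CLI means unused."""
    # Token-bounded so that OLD-SRV does not match OLD-SRV-2 or DM_INLINE_2 match
    # DM_INLINE_24 (\w covers underscore; '-' is added for ASA-style names).
    pattern = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
    return [
        line for line in config.splitlines()
        if pattern.search(line) and not OBJ_DEF.match(line)
    ]


def find_unused_objects(config):
    """Return the names of every object / object-group that nothing else in the
    config references: no ACL, no NAT rule, no membership in another group."""
    names = [m.group(3) for m in map(OBJ_DEF.match, config.splitlines()) if m]
    return {name for name in names if not where_used(config, name)}


if __name__ == "__main__":
    for name in sorted(find_unused_objects(SAMPLE_CONFIG)):
        print("unused:", name)
```

Run it against a saved `show run` (for example `find_unused_objects(open("asa.cfg").read())`) and review the list before deleting anything; `where_used(config, "DB-SRV")` shows the NAT line that the button reportedly overlooks.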

Beginner

Re: Easy way to detect unused network objects/groups on ASA

Hi, 

Does this problem still exist?

Advisor

Easy way to detect unused network objects/groups on ASA