Inactive ACLs in PIX/ASA

kotrade
Level 1

Hi Everyone,

I have 30 Cisco PIX and ASA firewalls. Each interface has ACLs applied with hundreds of access control entries.

I would like to know which ACEs have been inactive for, let's say, the last thirty days and should be removed. Any help?

Additionally, is there any automated tool that can do this job and report which ACEs are lying in the configuration, not getting any hits, and should be removed?

Thanks.

3 Replies

Collin Clark
VIP Alumni

The only way I know of (and have done) is to clear the ACL counters, wait 30 days, and remove the ones with no hit counts.
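The counter-based approach above can be scripted: the example below (added here, not from the thread) parses the `(hitcnt=N)` field of ASA `show access-list` output captured after the waiting period and lists the ACEs whose counters never moved. The sample output is constructed for illustration; ACL name, addresses and hit counts are made up.

```python
import re
from collections import defaultdict

# Pattern assumed to match ASA "show access-list" ACE lines, e.g.:
#   access-list outside_in line 3 extended permit tcp any host 10.1.1.5 eq 443 (hitcnt=42) 0x1a2b3c4d
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.*?) \(hitcnt=(?P<hits>\d+)\)"
)

# Constructed sample output (not from a real device). Line 2 is an object-group
# ACE: the parent entry carries no hitcnt, and each expanded element has its own.
SAMPLE = """\
access-list outside_in; 5 elements; name hash: 0x1234abcd
access-list outside_in line 1 extended permit tcp any host 10.1.1.5 eq www (hitcnt=1532) 0x0a0b0c0d
access-list outside_in line 2 extended permit tcp any object-group DMZ_WEB eq https
access-list outside_in line 2 extended permit tcp any host 10.1.2.10 eq https (hitcnt=0) 0x11111111
access-list outside_in line 2 extended permit tcp any host 10.1.2.11 eq https (hitcnt=77) 0x22222222
access-list outside_in line 3 extended permit udp any host 10.1.1.9 eq domain (hitcnt=0) 0x33333333
access-list outside_in line 4 extended deny ip any any (hitcnt=90210) 0x44444444
"""


def parse_hits(output):
    """Return {(acl, line): total_hits}.

    Expanded object-group elements share the parent's line number, so their
    counters are summed: the configured ACE is only unused if every element is.
    """
    hits = defaultdict(int)
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # header lines and unexpanded object-group parents carry no hitcnt
        hits[(m["acl"], int(m["line"]))] += int(m["hits"])
    return dict(hits)


def zero_hit_aces(output):
    """(acl, line) pairs whose counters are still zero after the observation window."""
    return sorted(key for key, total in parse_hits(output).items() if total == 0)


if __name__ == "__main__":
    for acl, line in zero_hit_aces(SAMPLE):
        print(f"{acl} line {line}: no hits, candidate for removal")
```

Hit counters are not preserved across a reload, so check that device uptime covers the whole window before treating a zero as proof an ACE is unused.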

Thanks. Any direction on software/tools that examine thousands of ACEs on PIX/ASA firewalls?

We've only looked at one and it was too expensive.

http://www.skyboxsecurity.com/?CategoryID=163

A Google search of "Firewall rule audit" comes up with a few more links.
