Hello everyone,

Currently, we want to optimize our ACLs rules on the ASA with good naming.
A week after the injection of the new rules above the old ones, we have extracted the logs.

access-list DMZ:eth2 line 1 extended permit object-group gs-web object n-DMZ object obj-10.1.1.0 (hitcnt=1083198) 0x78eec858
access-list DMZ:eth2 line 1 extended permit tcp 10.2.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq www (hitcnt=0) 0x1e6338c1
access-list DMZ:eth2 line 1 extended permit tcp 10.2.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq https (hitcnt=1083198) 0x4a091cb8
access-list DMZ:eth2 line 3 extended permit udp object-group gn-front object-group gn-LDAP eq ntp (hitcnt=479) 0x2da6f6d1
access-list DMZ:eth2 line 3 extended permit udp host 10.2.1.17 host 10.1.1.65 eq ntp (hitcnt=64) 0xf3fed3e5
access-list DMZ:eth2 line 3 extended permit udp host 10.2.1.17 host 10.1.1.45 eq ntp (hitcnt=64) 0x4c610445
access-list DMZ:eth2 line 3 extended permit udp host 10.2.1.18 host 10.1.1.65 eq ntp (hitcnt=351) 0x39136899
access-list DMZ:eth2 line 3 extended permit udp host 10.2.1.18 host 10.1.1.45 eq ntp (hitcnt=0) 0x7cd315c0

There is here the object and object groups

object network n-DMZ
  subnet 10.2.0.0 255.255.0.0

object network GUA
  host 10.1.1.65
object network KRA
  host 10.1.1.45

object-group network gn-LDAP
  network-object object GUA
  network-object object KRA

object-group network gn-front
network-object object obj-10.2.1.17
network-object object obj-10.2.1.18

object-group service gs-annuaire
 service-object tcp-udp destination eq domain
 service-object tcp destination eq ldap

object-group service gs-web
 service-object tcp destination eq www
 service-object tcp destination eq https

My question is,

1- Why the "Hitcnt" number is the same on line 1 ACL

2- The "Hitcnt" number must be equal (=0) on the old ACL on line 3.

Thanks a lot.