01-28-2021 04:35 PM
We worked on cleaning up firewall rules on an ASA. Some ACL rules had no hit count increase over months and show connection also returned none, but when we removed the rules it caused an impact and an incident, and we found most of the rules were related to SSH. What reason can cause this, and what cleanup steps, besides comparing hit counts and show connection, can avoid the impact?
e.g. our rule:
01-28-2021 05:01 PM
Aside from looking at the ACL hits, you could analyze packet captures. Look at source and destination IP addresses and port numbers. It might be pretty tedious but you would be able to see all the traffic traversing the ASA even if that traffic doesn't show as a hit on any ACL rule. Then once you've identified the traffic that should be allowed, tailor your ACL rules accordingly.
01-28-2021 05:56 PM
Thanks, a capture is a good idea, more reliable than show connection. The weird thing is the hit count: how come it didn't increase?
01-29-2021 02:20 PM
ASA cluster reason: all the traffic is on the other node of the cluster.
02-01-2021 03:30 PM
This command: cluster exec show access-list
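To make the accepted answer a repeatable cleanup check, here is an added Python example (not from this thread or from Cisco) that parses the output of cluster exec show access-list and flags an ACE as a removal candidate only when its hit count is zero on every cluster unit, rather than just on the node you happen to be logged into. The unit header format, ACL name, addresses and counts in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `cluster exec show access-list` output from a two-unit
# ASA cluster; unit names, ACL name, addresses and hit counts are made up.
SAMPLE_OUTPUT = """\
unit-1-1(LOCAL):******************************************************
access-list outside_in line 1 extended permit tcp any host 10.0.0.10 eq ssh (hitcnt=0) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 10.0.0.20 eq https (hitcnt=120) 0x2b3c4d5e
access-list outside_in line 3 extended permit tcp any host 10.0.0.30 eq ssh (hitcnt=0) 0x3c4d5e6f
unit-2-1:*************************************************************
access-list outside_in line 1 extended permit tcp any host 10.0.0.10 eq ssh (hitcnt=57) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 10.0.0.20 eq https (hitcnt=98) 0x2b3c4d5e
access-list outside_in line 3 extended permit tcp any host 10.0.0.30 eq ssh (hitcnt=0) 0x3c4d5e6f
"""

# Assumed header shape: "<unit-name>(LOCAL):*****" or "<unit-name>:*****".
UNIT_RE = re.compile(r"^(?P<unit>[\w-]+)(?:\(LOCAL\))?:\*+\s*$")
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)\s*$"
)

def parse_cluster_hits(text):
    """Return {(acl, line, body): {unit: hitcnt}} from cluster exec output."""
    hits = defaultdict(dict)
    unit = None
    for raw in text.splitlines():
        m = UNIT_RE.match(raw)
        if m:
            unit = m.group("unit")      # all following ACEs belong to this unit
            continue
        m = ACE_RE.match(raw)
        if m and unit:
            key = (m.group("acl"), int(m.group("line")), m.group("body"))
            hits[key][unit] = int(m.group("hits"))
    return hits

def zero_hit_candidates(text):
    """ACEs with zero hits on EVERY unit: the only safe removal candidates."""
    hits = parse_cluster_hits(text)
    return sorted(k for k, per_unit in hits.items() if sum(per_unit.values()) == 0)

def local_only_misses(text):
    """ACEs idle on some unit but hit elsewhere: look dead from one node, are not."""
    hits = parse_cluster_hits(text)
    return sorted(k for k, per_unit in hits.items()
                  if 0 in per_unit.values() and sum(per_unit.values()) > 0)

if __name__ == "__main__":
    for acl, line, body in zero_hit_candidates(SAMPLE_OUTPUT):
        print(f"zero on all units: {acl} line {line}: {body}")
    for acl, line, body in local_only_misses(SAMPLE_OUTPUT):
        print(f"idle on one unit only (keep): {acl} line {line}: {body}")
```

Even an all-units zero count only says no packet matched that ACE during the counter window, so a packet capture over a representative period, as suggested earlier in the thread, is still worth pairing with this before removal.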