08-26-2016 12:30 AM - edited 03-12-2019 01:11 AM
Hi all,
I would like to get an output on when an ACL was hit for the last time.
From within ASDM you can get the date when you hover over the hit count. A bit cumbersome to do this manually for all ACLs :(.
However I've not yet found a CLI command that shows that kind of output.
Has anyone a command or (perl) script to accomplish this?
Thanx,
Jaap Laaij
Netherlands
info@diode-networks.nl
05-05-2021 11:29 AM
Hi,
Guessing is probably not needed anymore but yes it can be done. To do it individually is pretty painful, you have to use show access-list all_name brief to get the unix-time and match the hashes from that with the ACE hash (minus 0x at the start). So for example, first get the ACEs that have hits from an ACL:
HME-ASA-XFW01# show access-list TRUST | ex hitcnt=0|remark|elements
access-list TRUST line 2 extended permit icmp any any echo (hitcnt=749471) 0xbfa73683
access-list TRUST line 4 extended permit icmp any any unreachable (hitcnt=78245) 0x6268d60f
access-list TRUST line 5 extended permit icmp any any time-exceeded (hitcnt=8) 0x769149f2
access-list TRUST line 9 extended permit udp any host 10.10.10.254 eq domain (hitcnt=44695) 0xcb65c37c
access-list TRUST line 13 extended permit ip any object-group LOCAL_NETWORKS (hitcnt=335259) 0x5db22105
access-list TRUST line 13 extended permit ip any 10.10.0.0 255.255.0.0 (hitcnt=335259) 0x1dcf0891
access-list TRUST line 14 extended permit ip any any (hitcnt=5519961) 0xd647c2aa
Now if you run access-list brief for that same ACL it should have the exact same number of ACE entries (not including the unexpanded rule):
HME-ASA-XFW01# show access-list TRUST brief
access-list TRUST; 24 elements; name hash: 0x106592f8
bfa73683 00000000 000b6f9f 6091c5b8
6268d60f 00000000 000131a5 6092e013
769149f2 00000000 00000008 603e0bb2
cb65c37c 00000000 0000ae97 6092dced
1dcf0891 5db22105 00051d9b 6091b754
d647c2aa 00000000 00543a7c 6092e0ab
The first column is the hash which will match the ACE hash and the last column the unix-time, am not sure what the other columns are. If you put 6091b754 in a converter such as https://www.epochconverter.com it will give you the human-readable time.
Unless you have a very specific use case this isn't really very manageable, I wrote a script a while ago that will produce a XL report of all the last hit times all rules. Nothing has changed much in newer versions so should still work.
https://github.com/sjhloco/asa_acl_report
Alternatively there is a python package that does a similar thing, although I haven't used it.
https://pypi.org/project/acl-stats/
Thanks
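The hash correlation described in the answer above, worked through as an added example (not the script linked from the post, nor Cisco's own tooling). It parses abbreviated copies of the two outputs quoted in the thread, joins them on the ACE hash (first column of the brief output, ACE hash without the 0x prefix), and decodes the last column as a Unix timestamp. Treating the third brief column as the hit count in hex is my inference from the quoted values, not something the post states, so the code only reports whether it agrees with the hitcnt shown.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, abbreviated from the two outputs quoted in the thread.
ACL_OUTPUT = """\
access-list TRUST line 2 extended permit icmp any any echo (hitcnt=749471) 0xbfa73683
access-list TRUST line 5 extended permit icmp any any time-exceeded (hitcnt=8) 0x769149f2
access-list TRUST line 13 extended permit ip any object-group LOCAL_NETWORKS (hitcnt=335259) 0x5db22105
access-list TRUST line 13 extended permit ip any 10.10.0.0 255.255.0.0 (hitcnt=335259) 0x1dcf0891
"""
BRIEF_OUTPUT = """\
access-list TRUST; 24 elements; name hash: 0x106592f8
bfa73683 00000000 000b6f9f 6091c5b8
769149f2 00000000 00000008 603e0bb2
1dcf0891 5db22105 00051d9b 6091b754
"""

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\) 0x([0-9a-f]{8})\s*$")
BRIEF_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8})\s*$")

def parse_aces(text):
    """Map ACE hash -> (line number, ACE text, hitcnt) from 'show access-list NAME'."""
    aces = {}
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        _acl, line, ace, hits, h = m.groups()
        aces[h] = (int(line), ace, int(hits))
    return aces

def parse_brief(text):
    """Map ACE hash -> (column 3 as int, last-hit epoch) from 'show access-list NAME brief'.
    Column 3 as hit count is an inference from the sample values; column 2 is ignored."""
    rows = {}
    for m in filter(None, map(BRIEF_RE.match, text.splitlines())):
        h, _col2, col3, epoch_hex = m.groups()
        rows[h] = (int(col3, 16), int(epoch_hex, 16))
    return rows

def last_hits(acl_text, brief_text):
    """Join the two outputs on the ACE hash; returns one dict per ACE, ordered by line."""
    aces, brief = parse_aces(acl_text), parse_brief(brief_text)
    report = []
    for h, (line, ace, hits) in sorted(aces.items(), key=lambda kv: kv[1][0]):
        entry = {"line": line, "ace": ace, "hash": h, "hits": hits, "last_hit": None}
        if h in brief:  # unexpanded object-group parent ACEs have no brief row of their own
            col3, epoch = brief[h]
            entry.update(epoch=epoch, brief_hits_match=(col3 == hits),
                         last_hit=datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"))
        report.append(entry)
    return report

if __name__ == "__main__":
    for r in last_hits(ACL_OUTPUT, BRIEF_OUTPUT):
        print(f"line {r['line']:>3}  {r['ace']:<52} hits={r['hits']:<8} last_hit={r['last_hit']}")
```

On a live box, replace the two constants with the captured output of the two commands (the `| ex hitcnt=0|remark|elements` filter from the post keeps only ACEs that have actually been hit).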