10-15-2015 08:37 AM - edited 03-11-2019 11:45 PM
Hello Community!
I would like to clean up an old ASA (5520) which is still in production, so I cannot just wipe the config and start over, and I was wondering if there is a way to know which object groups are being used and which are not (so I can delete them).
When it comes to ACLs, I will use Notepad++ and a User Defined Language to help me with the reading.
I know that it is going to take time, but I want to do it :) If you have any suggestions or additional tools that can help me, I want to hear about them.
Thanks!
Rolando Valenzuela.
10-15-2015 11:14 AM
Hi Rolando,
You could use the 'show access-list' output and see if there are hit counts. Whichever ones do not have any, you could remove.
Regards,
Akshay Rastogi
10-15-2015 12:09 PM
I thought about that, but I would like an easier way to do it hahahahah since the FW has 100+ object groups and each ACL is more than 300 lines.
The other idea I came up with is that I can make a list of all the object-groups that are in all the ACLs and check which object groups are not in the ACLs; at least it is a start!
10-15-2015 01:08 PM
Hi Rolando,
In any case, if any of the object-groups in any ACL gets a hit, then you are not going to remove that.
You could try this as well:
"sh access-list | in object|object-group"
Regards,
Akshay Rastogi
10-15-2015 04:53 PM
It might be easier, too, to try using ASDM. The GUI isn't too bad for seeing the hit counts on the object groups. You can also disable ACLs temporarily before removing them from there. That way, if any issues arise, you can easily re-enable them without deleting them completely from the command line.
10-15-2015 01:12 PM
Hi
If an object or object-group is referenced in an ACL, you can't remove that object/object-group. It will say that the object/object-group is referenced and can't be removed. So just try to remove them and you will notice which are used and which are not.
10-15-2015 03:06 PM
Kind of risky, don't you think? :/
If there is not an easy way, I will go one by one :( hahahahha
10-15-2015 09:25 PM
Use ASDM. Just right click on the object groups in turn and select "where used".
It will pop up a window showing you the configuration bits that reference the highlighted object group.
10-17-2015 04:13 PM
I have no idea what can be done with the "User Defined Language", but things like these can be handled with a little bit of scripting. You need:
#!/bin/bash
# Usage: ./script object-file.txt acl-file.txt
# $1: one object/object-group name per line
# $2: the ACL (or full config) dump to search
while read -r line
do
  echo ""
  echo "$line":
  echo "===================="
  # count the lines in the ACL file that mention this name
  grep -c "$line" "$2"
done < "$1"
This script can be called with
./script object-file.txt acl-file.txt
and will give you a line count for the usage of the object/object-group names.
I used it once to clean up an FWSM config with about 20k ACEs. Probably there are more elegant ways to solve that, but it worked quite well.
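A more selective version of the same idea, added here as an example (not code from the thread), in Python rather than bash: it reads object/object-group definitions out of a constructed ASA config excerpt, matches names as whole tokens instead of substrings (so "web-srv" is not a hit for "web-srv-2", and a "description" line does not count), and reports a group that is referenced only from another unused group as unused too. All names in the sample config are made up.

```python
import re
from collections import defaultdict

# Constructed ASA running-config excerpt (sample data, not from the thread).
SAMPLE_CONFIG = """\
object network web-srv
 host 10.0.0.10
object-group network DMZ-HOSTS
 network-object object web-srv
object-group network ALL-DMZ
 group-object DMZ-HOSTS
object-group network ORPHAN-NET
 network-object host 10.0.9.9
object-group network STALE-GROUP
 description only ORPHAN-NET lives here
 group-object ORPHAN-NET
access-list OUTSIDE_IN extended permit tcp any object-group ALL-DMZ eq 443
nat (inside,outside) source static web-srv web-srv
"""
# A definition line: "object network NAME" or "object-group <type> NAME ...".
DEF_RE = re.compile(r"^(object-group|object)\s+\S+\s+(\S+)")

def find_unused(config_text):
    """Return (used, unused, roots): reachable names, unreachable names,
    and the top-level lines (access-list, nat, ...) that reference each name."""
    lines = [l.rstrip() for l in config_text.splitlines() if l.strip()]
    # Pass 1: collect every defined name (a group may be printed before its use).
    defined = {m.group(2): m.group(1) for l in lines if (m := DEF_RE.match(l))}
    # Pass 2: indented lines belong to the enclosing definition (membership);
    # top-level lines are the real consumers. Names are matched as whole tokens.
    members, roots, current = defaultdict(set), defaultdict(set), None
    for l in lines:
        m = DEF_RE.match(l)
        if m:
            current = m.group(2)
            continue
        tokens = l.split()
        if tokens[0] == "description":   # free text, never a reference
            continue
        for tok in tokens:
            if tok in defined:
                if l[0].isspace() and current:
                    members[current].add(tok)
                else:
                    roots[tok].add(l)
    # Pass 3: a name referenced only from an unused group is itself unused.
    used, stack = set(roots), list(roots)
    while stack:
        for dep in members[stack.pop()]:
            if dep not in used:
                used.add(dep)
                stack.append(dep)
    return used, sorted(n for n in defined if n not in used), roots
```

On a real box, feed it the output of show running-config; the ASA will still refuse to delete anything that is referenced, so the report is a to-do list, not a delete command.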
10-18-2015 03:19 PM
Interesting, I will try this and with SolarWinds Firewall Security Manager per Martin's advice.
10-17-2015 07:28 PM
You could also try a trial version (free) of SolarWinds Firewall Security Manager (FSM). It will analyze your configuration for unused objects and object groups (among many other things).