Firepower

Kepler · ‎02-02-2023

Hi guys,

I have FPR 1140 with 1303 active rules :((
I need to optimize (delete not used old rules) it.

As you can see on the screen, there are no options like: "active sessions", "hit counts", "first used" or "last used".
so, can you please tell me how can I do this job? What is best practice?

Thank you.

Karsten Iwen · ‎02-02-2023

You can see the hit-count on the FTD-CLI with the command

show access-control-config

I assume that you run a quite old software, when you update to 7.2 you can do this (and more) on the FMC itself.

Chess Norris · ‎02-02-2023

There is also another option for older FMC version using a custom workflow

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212330-firepower-management-center-display-acc.html

However I think the option to display hitcounts directly from the ACP has been around for some time now. They are mention it in the release notes here for version 6.4

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/getting_started_with_access_control_policies.html

Look for this button in your ACP

/Chess

Marius Gunnerud · ‎02-02-2023

There should also be an API call that you can do to get the hitcount of rules

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/api/REST/firepower_management_center_rest_api_quick_start_guide_70/Objects_In_The_REST_API.html#hitcounts_put

--
Please remember to select a correct answer and rate helpful posts