FMC ACL Audit?

Matt26
Level 1

Hi All,

Looking to get some insight on the best way to move forward with this. I am looking to do a clean-up of our ACLs on our Firepowers through the FMC to see if there are rules that are no longer being used or rules that don't have hits on them. I joined an org and there are over 1300 rules, and I have a feeling 90% aren't being used.

So far what I've done was log into the Firepower and run the "show access-control-config" command, and I do see all the rules there with the hit counter. I then copied the SSH output to Excel and made a conditional format for "rule hit :0" and gave that cell a color. The only problem with this is that there are some ACL rules that I created that I know are needed, but they still show 0 hits, so I'm not sure if it's clearing out the hit counter after a certain time; if it does, this may cause inaccurate reporting.

My question is: is this a good approach, or are there any other ways to see rules that have had 0 hits since the rule was first created? I remember in ASDM on the ASAs it would show rule hit count and last hit. Can the FMC do this? Not sure why they would get rid of that.

Thank you All!

-Matt
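One way to make the spreadsheet approach from the post above more robust is to parse two captures of the CLI output taken some days apart and compare the counters, so a rule whose counter went backwards (cleared or device reloaded) is flagged instead of being mistaken for an unused rule. This is an added example, not code from the original thread or from Cisco; the sample output is constructed, and the "[ Rule: NAME ]" and "Rule Hits : N" line formats are assumptions, since the real layout varies by FTD version.

```python
import re
# Constructed sample captures of `show access-control-config`, days apart. Real
# layout varies by FTD version; only "[ Rule: NAME ]" and "Rule Hits : N" matter.
SNAP_MON = """\
---------------[ Rule: Allow-DNS ]---------------
    Rule Hits     : 48211
---------------[ Rule: Legacy-FTP ]---------------
    Rule Hits     : 0
---------------[ Rule: Block-Telnet ]---------------
    Rule Hits     : 17
"""
SNAP_FRI = """\
---------------[ Rule: Allow-DNS ]---------------
    Rule Hits     : 102
---------------[ Rule: Legacy-FTP ]---------------
    Rule Hits     : 0
---------------[ Rule: Block-Telnet ]---------------
    Rule Hits     : 40
"""
RULE_RE = re.compile(r"\[ Rule: (?P<name>.+?) \]")
HITS_RE = re.compile(r"Rule Hits\s*:\s*(?P<hits>\d+)")

def parse_hits(text):
    """Return {rule name: hit count} from one CLI capture."""
    hits, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            current = m.group("name")
            hits.setdefault(current, 0)   # rule with no hits line still counts as 0
            continue
        m = HITS_RE.search(line)
        if m and current is not None:
            hits[current] = int(m.group("hits"))
    return hits

def classify(before, after):
    """Label one rule from two readings of its counter."""
    if after < before:
        return "reset"    # counter went backwards: cleared or device reloaded
    if after > before:
        return "active"
    return "unused" if after == 0 else "stale"   # stale: hits once, none lately

def compare_snapshots(old, new):
    """Group rule names by classify() across two captures."""
    report = {"unused": [], "active": [], "stale": [], "reset": []}
    for name in sorted(set(old) | set(new)):
        report[classify(old.get(name, 0), new.get(name, 0))].append(name)
    return report
```

Only rules that land in "unused" across several capture pairs are candidates for removal; a "reset" entry means a single reading of that counter would have under-reported it.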

1 Reply

Hi,

I usually look at the Connection > Events log on FMC to see which traffic hit which ACL rule. You can also use Packet Tracer on FMC to determine which traffic is allowed or blocked.

Thanks

Lam Nguyen
