Hit Count Analyzer - FMC 6.6.1

Scott_22
Level 1

When I run the hitcount analyzer for an ACP and export it to a CSV, the rules with 0 hit counts do not have a date indicating they were never used. Is this the expected behavior? For some of the rules with 0, I imagine they were used at some point, but I can't tell with the date missing from the result. 

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

Hit counts will increment independent of logging being set. Logging will additionally generate a syslog message.

Hit counts are not retained across a reboot so a zero count is implicitly "since last boot" (or manual clear of the counts).

Reference (from ASA but the same logic applies): https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html#wp3307265190


log [[level ] [interval secs ] | disable | default ]

(Optional) Sets logging options when an ACE matches a packet for network access (an ACL applied with the access-group command). If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated for denied packets. Log options are:

  • level —A severity level between 0 and 7. The default is 6 (informational). If you change this level for an active ACE, the new level applies to new connections; existing connections continue to be logged at the previous level.

  • interval secs —The time interval in seconds between syslog messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow from the cache used to collect drop statistics.

  • disable —Disables all ACE logging.

  • default —Enables logging to message 106023. This setting is the same as not including the log option.

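Added example, not part of the thread or of any Cisco tool: a small script that reads a Hit Count Analyzer CSV export and interprets it the way the accepted answer says it must be read. A zero with no "last hit time" only means "no match since the counters were last cleared or the device last booted", so the script takes that reset time as an input and refuses to call a rule unused when the counting window is shorter than the review threshold. It also flags rows whose last-hit time precedes the supplied reset time, which means the reset time you gave it is wrong. The column names, the timestamp format, and the sample rows are constructed assumptions; adjust COLUMNS and TIME_FORMAT to match your export.

```python
"""Interpret an FMC Hit Count Analyzer CSV export against the counter window.

Example code, not from the thread. Column names, timestamp format and the
sample rows are assumptions, not the real FMC export layout.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumed export columns; change these to match your FMC version.
COLUMNS = {"name": "Rule Name", "hits": "Hit Count", "last": "Last Hit Time"}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed timestamp format in the export

# Constructed sample export (not real FMC output). Zero-hit rules have an
# empty "Last Hit Time", exactly the situation described in the question.
SAMPLE_CSV = """Rule Name,Hit Count,Last Hit Time
Allow-DNS-Out,184233,2021-03-10 14:02:11
Allow-Legacy-App,0,
Block-Telnet,12,2020-11-20 03:15:40
Allow-Backup-Window,0,
"""


def parse_export(text):
    """Return a list of {name, hits, last} dicts; last is None when empty."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        hits = int(row[COLUMNS["hits"]].replace(",", "").strip() or 0)
        raw = row[COLUMNS["last"]].strip()
        last = datetime.strptime(raw, TIME_FORMAT) if raw else None
        rows.append({"name": row[COLUMNS["name"]], "hits": hits, "last": last})
    return rows


def classify(rows, counters_since, now, stale_days=90):
    """Map rule name -> verdict.

    counters_since: date (YYYY-MM-DD) the counters were last cleared or the
    device last booted. now: date of the export. Counters are not kept across
    reboots, so a zero only covers [counters_since, now]; a zero inside a window
    shorter than stale_days is 'unknown', not 'unused'.
    """
    since = datetime.strptime(counters_since, "%Y-%m-%d")
    today = datetime.strptime(now, "%Y-%m-%d")
    threshold = timedelta(days=stale_days)
    window = today - since
    verdicts = {}
    for r in rows:
        if r["hits"] == 0:
            if window < threshold:
                verdicts[r["name"]] = "unknown: counter window shorter than threshold"
            else:
                verdicts[r["name"]] = "candidate for removal: no hits in window"
        elif r["last"] is None:
            verdicts[r["name"]] = "active: hits recorded, timestamp missing in export"
        elif r["last"] < since:
            # A hit recorded before the supposed reset means counters_since is wrong.
            verdicts[r["name"]] = "inconsistent: last hit precedes counter reset"
        elif today - r["last"] > threshold:
            verdicts[r["name"]] = "stale: last hit older than threshold"
        else:
            verdicts[r["name"]] = "active"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(parse_export(SAMPLE_CSV),
                                  counters_since="2020-11-01",
                                  now="2021-03-11").items():
        print(f"{name:22s} {verdict}")
```

The reset date has to come from outside the export (device uptime, or when you last cleared the counters); the CSV alone cannot tell you whether a zero covers six days or six months.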

8 Replies

balaji.bandi
Hall of Fame

Have you enabled the Log for that ACP? If so, please check with the command:


You can also test from FTD:

show access-control-config


BB


Yes, logging is enabled at the end of the connection. 

Can you post the output from command level and GUI to see what is wrong?

BB


What output are you looking for? When I run the hit count analyzer, there is no entry in the "last hit time" field for hit counts of 0. The same is true from the CLI.

Also to note, I have found rules with an incremented hit count that do not have logging enabled. Are you sure enabling logging pertains to the hit count analyzer?

Marvin Rhoads
Hall of Fame

(Accepted solution, shown above.)

Thank you for clarifying! The previous comment was misleading around how logging should be enabled.

Apologies, I may have mixed things up here. Logging is different and hit count is different.

Hit count is based on the ACP policies matched and processed.

@Marvin Rhoads is right and has corrected this.


BB
