Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1198
Views
0
Helpful
1
Replies

How find all un-used/in-active ASA rules

bghobadi2
Level 1
Level 1

‎07-31-2012 08:50 AM - edited ‎03-11-2019 04:36 PM

Hello,

I am tasked to identify all un-used, in-active, and idle rules in Cisco ASA firewalls.

     I have access to CSM. But in CSM, I do not know how create such a report. I would be grateful if someone can help to create such a report. 

    

     If CSM does not support such a report, I will be grateful if someone can help to use CLI to figure out such rules.

thanks in advance

Bo              

Labels:
0 Helpful
1 Reply 1

nkarthikeyan
Level 7
Level 7

‎07-31-2012 11:04 AM

Hi,

Do u mean the ACL rules which is inactive/idle for a long time????

If it is ACL rules then sh access-list | in (hitcnt=0) and check. But this may not conclude that it is invalid. Because the endusers uses that flow on a rare cases also. Be sure on this one.

for interface ACL's you can check sh access-group and check how many ACL's configured and used on interfaces.

If it is used for VPN or NAT then you need to check NAT configurations and VPN configurations with the rule name.

Or best way you can take the sh run and find ACL name which is used or not used. like if it is an valid ACL then apart from the ACL lines it should be mapped somewhere either in access-group/NAT/VPN configs.

By

Karthik

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card