10-30-2023 08:11 AM
Good afternoon,
I currently have a farm of ASA firewalls (20 devices), and I need to perform the following tasks via CLI:
1st: Be able to list all access lists with a counter of 0 that are not being used.
2nd: From that filtered list of all the access lists with that COUNTER 0 argument, disable them via the CLI through a script or command routine, mainly so that they can be eliminated after a while.
Perhaps someone knows a routine that could make this job easier for me.
NOTE: I use the command `show access-list | I access.*hitcnt=0`, but this command does not generalize the access lists; instead it gives me a granular list for each hit 0 it finds.
I thank you in advance for any recommendations from your experience that would help me carry out this task.
Thank you.
Harwin M Valero
09-30-2024 09:16 AM
To achieve your objectives, I recommend the following approach based on your requirements:
1. **List all access lists with a hit counter of 0**:
While the command `show access-list | include access.*hitcnt=0` gives you a granular output, it's not ideal for your use case because it doesn't group or generalize access lists efficiently. Instead, you can create a script to parse the output and extract only the ACL names with hit counts of 0, filtering out the individual hits.
2. **Disable access lists with hit count 0**:
After listing the ACLs with hitcnt=0, you want to disable them. This can be done by removing the relevant ACL entries or rules. I'll provide a basic workflow that you can adapt into a script.
### Step-by-Step Solution:
#### 1. **Generate the list of ACLs with hit count 0**:
Use a slightly modified command to capture all access lists that have a hit count of 0, and then parse the output to group them together by ACL name.
Command:
```bash
show access-list | include ^access-list|hitcnt=0
```
This command will show all ACL entries and their hit counts, but you'll need a script to filter and group them by ACL name.
#### 2. **Parse the output and filter ACLs**:
You can write a script in Python (or Bash, if preferred) that reads the output, identifies all access lists where every rule has a hitcnt=0, and then stores those ACL names.
Here’s an example in Python:
```python
import re

# Sample output from "show access-list" (only the fields the parser needs)
output = """
access-list OUTSIDE_ACL; 1 elements; name hash: 0x123456
access-list OUTSIDE_ACL line 1 extended permit ip any any (hitcnt=0)
access-list INSIDE_ACL; 1 elements; name hash: 0xabcdef
access-list INSIDE_ACL line 1 extended deny tcp any any (hitcnt=5)
"""

acl_hitcnt_zero = set()
current_acl = None

for line in output.splitlines():
    # ACL header line: "access-list NAME; N elements; name hash: 0x..."
    acl_match = re.match(r"access-list (\S+);", line)
    # ACE line: "... (hitcnt=N)"
    hitcnt_match = re.search(r"hitcnt=(\d+)", line)
    if acl_match:
        # Assume the ACL is unused until one of its entries shows a non-zero counter
        current_acl = acl_match.group(1)
        acl_hitcnt_zero.add(current_acl)
    if hitcnt_match and current_acl:
        if int(hitcnt_match.group(1)) != 0:
            acl_hitcnt_zero.discard(current_acl)

print("ACLs with all hitcnt=0:", acl_hitcnt_zero)
```
The result will be a list of ACLs that have no traffic matched (hit count = 0).
#### 3. **Disable access lists with hitcnt=0**:
Once you've identified the access lists to be disabled, you can use the `no access-list` command to disable or remove them from the configuration.
Example command to disable an ACL:
```bash
no access-list ACL_NAME
```
You can either manually run this command for each ACL in your filtered list or include it in a script to automate the process.
Example in Python (using a list of ACLs to disable):
```python
acls_to_disable = ['OUTSIDE_ACL', 'ANOTHER_ACL']
for acl in acls_to_disable:
    print(f"no access-list {acl}")
```
#### 4. **Automating the script execution**:
If you’re using a management platform (e.g., Ansible, Python with paramiko, or similar), you can automate the entire process of connecting to each ASA device, running the script to filter ACLs with hitcnt=0, and disabling them.
Here’s an example using Python and `paramiko` for SSH automation:
```python
import paramiko

def execute_asa_command(host, username, password, command):
    ssh = paramiko.SSHClient()
    # AutoAddPolicy accepts any host key without verification; in production load the
    # known ASA host keys (ssh.load_host_keys / RejectPolicy) so a spoofed device is refused
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(host, username=username, password=password)
    stdin, stdout, stderr = ssh.exec_command(command)
    result = stdout.read().decode()
    ssh.close()
    return result

devices = ['ASA1_IP', 'ASA2_IP', 'ASA3_IP']  # List of ASA devices
for device in devices:
    print(f"Connecting to {device}")
    result = execute_asa_command(device, 'username', 'password',
                                 'show access-list | include ^access-list|hitcnt=0')
    print(result)
```
### Final Thoughts:
- **First step**: Run the `show access-list | include ^access-list|hitcnt=0` command to gather the data you need.
- **Second step**: Use a script to filter ACLs with hitcnt=0.
- **Third step**: Automate the removal or disabling of those ACLs.
This method gives you a definitive, automated approach to achieve the task you outlined, minimizing manual intervention and ensuring consistency across all devices.
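A fuller version of the parse-and-generate step, added here as an example; it is not part of the original post or of any Cisco tooling. It runs on constructed sample text shaped like ASA `show access-list` and `show running-config access-group` output (the ACL names, addresses, hashes and counters are invented, not captured from a device). It skips `remark` lines and the indented object-group expansions (their hits are already summed into the parent entry), records entries already marked `(inactive)`, separates ACLs that show zero hits merely because no `access-group` binds them, and emits the per-entry `inactive` form of the `access-list` command for extended entries, which is what the question calls "disabling" before a later removal.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample shaped like ASA "show access-list" output; names, addresses and
# counters are invented, not captured from a device.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 4 elements; name hash: 0x4a0b8b2f
access-list OUTSIDE_IN line 1 remark Published web servers
access-list OUTSIDE_IN line 2 extended permit tcp any object-group WEB_SERVERS eq www (hitcnt=1532) 0x1e6d1c7a
  access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.1.10 eq www (hitcnt=1500) 0x7d5e9a10
  access-list OUTSIDE_IN line 2 extended permit tcp any host 10.1.1.11 eq www (hitcnt=32) 0x3c2f8b41
access-list OUTSIDE_IN line 3 extended permit tcp any host 10.1.1.20 eq ftp (hitcnt=0) 0x5a6b7c8d
access-list OUTSIDE_IN line 4 extended deny ip any any log (hitcnt=88041) 0x9e8f7a6b
access-list LEGACY_MGMT; 2 elements; name hash: 0x2b3c4d5e
access-list LEGACY_MGMT line 1 extended permit tcp host 192.0.2.15 any eq telnet (hitcnt=0) 0x1a2b3c4d
access-list LEGACY_MGMT line 2 extended permit tcp host 192.0.2.15 any eq ssh (hitcnt=0) (inactive) 0x4d3c2b1a
access-list VPN_SPLIT; 1 elements; name hash: 0x6f7e8d9c
access-list VPN_SPLIT line 1 standard permit 10.0.0.0 255.0.0.0 (hitcnt=0) 0xabcdef01
"""

# Constructed "show running-config access-group" output: which ACLs are bound to an interface.
SHOW_ACCESS_GROUP = """\
access-group OUTSIDE_IN in interface outside
access-group LEGACY_MGMT in interface management
"""

# One configured or expanded ACE: "access-list NAME line N <ace> (hitcnt=N) [(inactive)] 0xhash"
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\)(?P<flags>(?: \([a-z-]+\))*)(?: 0x[0-9a-fA-F]+)?\s*$"
)
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (?:(?:in|out) interface \S+|global)")

@dataclass
class Ace:
    acl: str
    line: int
    text: str        # ACE body as it appears in the running-config
    hits: int
    inactive: bool

@dataclass
class Acl:
    name: str
    aces: List[Ace] = field(default_factory=list)   # configured ACEs only, no object-group expansions

    def total_hits(self) -> int:
        return sum(a.hits for a in self.aces)

    def unused(self) -> bool:
        # At least one ACE, and none of them has ever matched
        return bool(self.aces) and all(a.hits == 0 for a in self.aces)

def parse_show_access_list(text: str) -> Dict[str, Acl]:
    acls: Dict[str, Acl] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m or m.group("indent"):
            # Headers and remarks carry no counter; indented lines are object-group expansions
            # whose hits are already summed into the parent ACE.
            continue
        ace = Ace(m.group("acl"), int(m.group("line")), m.group("ace"),
                  int(m.group("hits")), "(inactive)" in m.group("flags"))
        acls.setdefault(ace.acl, Acl(ace.acl)).aces.append(ace)
    return acls

def parse_access_groups(text: str) -> Set[str]:
    return {m.group(1) for m in map(ACCESS_GROUP_RE.match, text.splitlines()) if m}

def unused_acls(acls: Dict[str, Acl], bound: Set[str]) -> List[Tuple[str, bool]]:
    """(ACL name, bound by access-group?) for every ACL whose ACEs all show hitcnt=0."""
    return [(a.name, a.name in bound) for a in acls.values() if a.unused()]

def plan_commands(acls: Dict[str, Acl], bound: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (deactivate, review): lines to push, and checks to run by hand first."""
    deactivate, review = [], []
    for name, is_bound in unused_acls(acls, bound):
        if not is_bound:
            # Zero hits because nothing binds the ACL, not proof it is dead: it may still be
            # referenced by a crypto map, NAT rule or split-tunnel policy.
            review.append(f"show running-config | include {name}")
            continue
        for ace in acls[name].aces:
            if ace.inactive:
                continue                             # already disabled
            if ace.text.startswith("extended "):     # only extended ACEs take the inactive keyword
                deactivate.append(f"access-list {name} line {ace.line} {ace.text} inactive")
            else:
                review.append(f"show running-config | include access-list {name}")
    return deactivate, review

if __name__ == "__main__":
    acls = parse_show_access_list(SHOW_ACCESS_LIST)
    to_push, to_check = plan_commands(acls, parse_access_groups(SHOW_ACCESS_GROUP))
    print("\n".join(to_push + ["! review first:"] + to_check))
```

Two checks belong in front of any push. `hitcnt` is reset by `clear access-list counters` and by a reload, so a zero is only meaningful relative to the uptime in `show version`; and the generated `inactive` lines re-enter the ACE text exactly as shown, so capture the counters and push the commands in the same maintenance window, before someone renumbers the ACL.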