"Not Used" Objects ASA

dmnsrk · ‎03-18-2019

Hello community,

sorry for my bad english,

i want use function remove objects "Not Used" for cisco ASA 5515, but my team say it this can lead to bad consequences (nat, acl remove). I can not find to what exactly problems. Is there a risk?

Richard Burts · ‎03-18-2019

I do not have personal experience with the "remove all unused" function so I am responding in general rather than from any real experience. Perhaps this function will work well. But I worry a bit about telling some piece of software to remove all instances of unused objects.

On the other hand having objects configured that are not used does clutter up the configuration, making it more difficult to understand what is going on, and potentially complicating efforts to troubleshoot problems. So there may well be benefit from removing unused objects. How complicated is this configuration? How many unused objects do you think may exist?

HTH

Rick

HTH

Rick

dmnsrk · ‎03-18-2019

This configuration is complicated - relatively)

Objects about 50.

dmnsrk · ‎03-18-2019

I found it

"Easy way to detect unused network objects/groups on ASA

We noticed a issue with using that button:

If the object has a NAT associated with it, using that button will still show the object is not used and will delete the NAT.

Although when doing a right click on the object and "Where used" will show that it's used in a NAT rule."

https://community.cisco.com/t5/firewalls/easy-way-to-detect-unused-network-objects-groups-on-asa/td-p/1764890

Richard Burts · ‎03-19-2019

I am glad that you found that discussion.

HTH

Rick

HTH

Rick