Beginner

Unused Rules + ASDM 6.0

Hi All,

Can one use ASDM to detect Unused (redundant, orphaned and shadowed) rules.

Thanks

Accepted Solution

Enthusiast
Enthusiast

Unused Rules + ASDM 6.0

If by "unused" you mean configured active rules that are not matching any traffic, absolutely, you can see if the rules are being hit. That's what I do, I clear the hit counters and if after a couple of days a particular rule is still showing no hits, then I mark that rule as "inactive". If somebody complains then I put that rule back in active. If nobody complains then I can delete that rule.

About detecting redundant rules, you can do that with Cisco CSM. There are also several software solutions in the market that perform firewall rules analysis.


Advocate

Unused Rules + ASDM 6.0

Hi Damdjo,

In the ASDM, under access-rules, you can check the inactive ACLs. The ones which do not have a check mark in front of them are the ones which are not being used and are inactive. You can check it from the CLI as well, by doing:

show access-list

the inactive ACLs would have the keyword "inactive" in front of them

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

Unused Rules + ASDM 6.0

CLI can be done a little easier with:

show access-list | in inactive

to only show the lines containing "inactive"
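The two checks described in this thread, the accepted answer's hit-counter review (clear counters, wait, look for rules still at zero hits) and Varun's "inactive" keyword check on `show access-list`, can be combined in one pass over the CLI output. The script below is an added example and is not code from the original posts or from Cisco; the `show access-list` text it parses is a constructed sample in the common ASA format (`access-list <name> line <n> ... [inactive] (hitcnt=<n>) <hash>`), and the ACL names, addresses and counts in it are invented. It reports inactive rules separately from active rules that have matched nothing since the counters were last cleared, which are the candidates the accepted answer suggests marking inactive before deleting.

```python
import re
from dataclasses import dataclass

# Constructed sample of ASA `show access-list` output (not taken from the thread).
# Header lines and the per-ACL summary lines carry no "line N" and are skipped.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 4 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any host 10.1.1.5 eq www (hitcnt=1532) 0x11111111
access-list outside_in line 2 extended permit tcp any host 10.1.1.6 eq ssh (hitcnt=0) 0x22222222
access-list outside_in line 3 extended permit udp any host 10.1.1.7 eq domain inactive (hitcnt=0) 0x33333333
access-list outside_in line 4 extended deny ip any any log (hitcnt=87) 0x44444444
access-list inside_out; 1 elements; name hash: 0x5e6f7a8b
access-list inside_out line 1 extended permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0) 0x55555555
"""

# One rule entry: ACL name, line number, rule body, optional "inactive" flag, hit count.
# The body is matched non-greedily so a trailing "inactive" lands in its own group.
RULE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?)"
    r"(?P<inactive> inactive)? \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass(frozen=True)
class Rule:
    acl: str
    line: int
    body: str
    inactive: bool
    hits: int


def parse_access_list(text: str) -> list[Rule]:
    """Parse `show access-list` output into Rule records, ignoring non-rule lines."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        rules.append(
            Rule(
                acl=m["acl"],
                line=int(m["line"]),
                body=m["body"].strip(),
                inactive=m["inactive"] is not None,
                hits=int(m["hits"]),
            )
        )
    return rules


def inactive_rules(rules: list[Rule]) -> list[Rule]:
    """Rules already carrying the 'inactive' keyword (Varun's check)."""
    return [r for r in rules if r.inactive]


def zero_hit_active_rules(rules: list[Rule]) -> list[Rule]:
    """Active rules with no hits since the counters were cleared (the accepted answer's check)."""
    return [r for r in rules if not r.inactive and r.hits == 0]


def report(text: str) -> dict[str, list[str]]:
    """Summarise both checks as 'acl line N: body' strings, grouped by finding."""
    rules = parse_access_list(text)
    fmt = lambda r: f"{r.acl} line {r.line}: {r.body}"
    return {
        "inactive": [fmt(r) for r in inactive_rules(rules)],
        "zero_hits_active": [fmt(r) for r in zero_hit_active_rules(rules)],
    }


if __name__ == "__main__":
    for finding, entries in report(SAMPLE_OUTPUT).items():
        print(finding)
        for entry in entries:
            print("  ", entry)
```

To use it against a real firewall, paste the output of `show access-list` into a file and pass its contents to `report()`. The zero-hit list is only meaningful relative to when the counters were last reset, so record that time alongside the output; rules for rare but legitimate traffic (monthly batch jobs, DR failover paths) can sit at zero hits for longer than the couple of days the accepted answer mentions, which is why it deactivates first and deletes only after a quiet period.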


Beginner

Unused Rules + ASDM 6.0

Thanks to all for your answers. They all go a long way to help me in cleaning up my Firewall.