07-20-2011 03:20 AM - edited 03-11-2019 02:01 PM
Hi All,
Can one use ASDM to detect Unused (redundant, orphaned and shadowed) rules.
Thanks
Solved! Go to Solution.
07-20-2011 10:24 PM
If by "unused" you mean configured active rules that are not matching any traffic, absolutely, you can see if the rules are being hit. That's what I do, I clear the hit counters and if after a couple of days a particular rule is still showing no hits, then I mark that rule as "inactive". If somebody complains then I put that rule back in active. If nobody complains then I can delete that rule.
About detecting redundant rules, you can do that with Cisco CSM. There are also several software solutions in the market that perform firewall rules analysis.
07-20-2011 03:40 AM
Hi Damdjo,
In the ASDM, under access-rules, you can check the inactive ACLs. The ones which do not have a check mark in front of them are the ones which are not being used and are inactive. You can check it from the CLI as well, by doing:
show access-list
the inactive ACLs would have the keyword "inactive" in front of them
Thanks,
Varun
07-20-2011 08:05 PM
CLI can be done a little easier with:
show access-list | in inactive
to only show the lines containing "inactive"
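Putting the two tips together (the accepted answer's "clear hit counters, then look for rules still at zero" routine, and the `| in inactive` filter above), here is an added example that parses a captured `show access-list` output offline and lists both categories. This is not code from any poster; the ACL name, addresses and hit counts in the sample are constructed, and the line layout assumes the usual ASA format `access-list <name> line <n> ... [inactive] (hitcnt=<n>) <hash>`.

```python
import re
from typing import Dict, List

# Constructed sample of `show access-list` output (ASA-style layout);
# names, addresses and counters are made up for this example.
SAMPLE_OUTPUT = """\
access-list outside_in; 4 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=5123) 0x11111111
access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq ssh (hitcnt=0) 0x22222222
access-list outside_in line 3 extended permit ip any any inactive (hitcnt=0) 0x33333333
access-list outside_in line 4 extended deny ip any any (hitcnt=88) 0x44444444
"""

# One ACE per line; the summary line has no hitcnt and is skipped.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(text: str) -> List[Dict]:
    """Return one dict per ACE found in the captured output."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        body = m.group("body")
        aces.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "rule": body.replace(" inactive", ""),
            "inactive": body.endswith(" inactive"),
            "hits": int(m.group("hits")),
        })
    return aces


def zero_hit_active(aces: List[Dict]) -> List[Dict]:
    """Active ACEs with no hits since the counters were last cleared.
    These are the candidates to mark inactive for a trial period; a zero
    count only says nothing matched inside the review window."""
    return [a for a in aces if a["hits"] == 0 and not a["inactive"]]


def inactive(aces: List[Dict]) -> List[Dict]:
    """ACEs already carrying the 'inactive' keyword (what `| in inactive` shows)."""
    return [a for a in aces if a["inactive"]]


if __name__ == "__main__":
    parsed = parse_aces(SAMPLE_OUTPUT)
    for a in zero_hit_active(parsed):
        print(f"candidate (0 hits): {a['acl']} line {a['line']}: {a['rule']}")
    for a in inactive(parsed):
        print(f"already inactive:   {a['acl']} line {a['line']}: {a['rule']}")
```

Feed it the saved output of `show access-list` from the device instead of the sample to get the same two lists for a real rule set.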
07-21-2011 04:41 AM
Thanks to all for your answers. They all go a long way to help me in cleaning up my Firewall.