Unused rules tracking in PIX

leninstcs
Level 1

Hi,

I have a PIX 535 and am using ACLs to allow traffic. I need to clean up the rule base. I would like to know how to fetch a report of rules that have been unused for a long time.

Also, when traffic is being allowed, I want to know through which rule number it is being allowed.

Please let me know how to get the above things done.

Thanks & Regards,

Lenin. S


JORGE RODRIGUEZ
Level 10

Hi

You can simply do this the old way, which is looking at your access list hit counts. Depending on how big your organization is and how many firewalls you have to do this clean up on, that will decide the method you use. If you are talking about one firewall, do it the manual, inexpensive way, which is "show access-list", and take a baseline of ACL hit counts perhaps every other day or once per week. If many firewalls, then you can look for 3rd party software out there to do it for you.

In addition:

You can reset the ACL counters like this, to sort of create a baseline of your ACL counters:

#clear access-list counters

then you can use "show access-list" to see hit counts; for the ones that have no hit counts, say for a week or two, those are targeted to investigate before you remove them. And when removing, always save a copy for backup in case you need to revert.

Regards

Jorge

Jorge Rodriguez
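The baseline-and-compare procedure from the reply above, as an added example that is not part of the original post: two captured copies of `show access-list` are parsed for their `(hitcnt=N)` fields and the ACEs whose counter never moved are reported. The ACL name, addresses and both snapshots are constructed sample data, and the line format is assumed to follow the PIX/ASA `... (hitcnt=N)` style shown.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "show access-list" output (hypothetical ACL name and addresses):
# one snapshot taken right after "clear access-list counters", one some time later.
BASELINE = """\
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=120)
access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq 443 (hitcnt=0)
access-list outside_in line 3 extended permit udp any host 192.0.2.12 eq 53 (hitcnt=8)
access-list outside_in line 4 extended deny ip any any (hitcnt=3)
"""
LATER = """\
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=340)
access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq 443 (hitcnt=0)
access-list outside_in line 3 extended permit udp any host 192.0.2.12 eq 53 (hitcnt=8)
access-list outside_in line 4 extended deny ip any any (hitcnt=1)
access-list outside_in line 5 extended permit tcp any host 192.0.2.13 eq 22 (hitcnt=2)
"""

# Text before the "(hitcnt=N)" field identifies the ACE; N is its hit counter.
HIT_RE = re.compile(r"^(access-list\s+\S+.*?)\s+\(hitcnt=(\d+)\)")


def parse_hitcounts(output: str) -> Dict[str, int]:
    """Map each ACE (its text up to the hitcnt field) to its hit counter."""
    counts: Dict[str, int] = {}
    for line in output.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def compare_snapshots(baseline: str, later: str) -> Tuple[List[str], List[str]]:
    """Return (unused, suspect): ACEs whose counter did not move between the two
    snapshots, and ACEs whose counter went down, which means the counters were
    cleared or the firewall reloaded in between, so that interval proves nothing."""
    before, after = parse_hitcounts(baseline), parse_hitcounts(later)
    unused, suspect = [], []
    for ace, now in after.items():
        then = before.get(ace)
        if then is None:
            continue  # ACE added after the baseline: no history to judge yet
        if now < then:
            suspect.append(ace)
        elif now == then:
            unused.append(ace)
    return unused, suspect
```

Feed `compare_snapshots` the real captures instead of the constructed strings; the "unused" list is the set to investigate before removal, and a non-empty "suspect" list means the baseline must be retaken.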

Thanks a lot, Jorge. Your idea worked out for me.

I would like to know one more thing.

Only denied logs are getting logged in my syslog server now. I would like to save the allowed logs also, for forensics later. How should I enable that?

Is enabling log on every line of the access-list a must for this?
