Register

Forgot Password

Site FAQ

Home > IT Answers > Networking > Checking when PIX/ASA rules were accessed on a PIX 515e

ITKE

16,755 pts.

Checking when PIX/ASA rules were accessed on a PIX 515e

ASA/PIX, Cisco Configuration, Network Security Policies, Networking in 2010, PIX 515E

I'm a recent hire, and now I've been asked to clean up our PIX/ASA rules. Aside from the show access-list, is there a command that can help me determine the last time the rule was accessed? Any other tips when cleaning up rule clutter?

Software/Hardware used:
PIX 515e

ASKED: April 12, 2010 5:56 PM

UPDATED: December 4, 2010 5:23 PM

RELATED QUESTIONS

Answer Wiki:

Unfortunately, you can't find out the most recent ACL hits on a Pix515e. At least, not any method I have ever seen. What you can do is clear all of the ACL counters and wait a week or two and see which ACL's get hit. This is done via the following command: clear access-list <i>name</i> counters When it comes to cleaning up firewall rules, I have always been of the impression that if there are too many, then just disable them all and wait for the calls/e-mails to come in. There should be some default rules(HTTP/HTTPS, SMTP) that you will be able to enable right off the bat. It is the other obscure ones referencing specific source/dest IP's that are harder to figure out, which is why it is best to have the user call you. Remember that when something is no longer needed(ie a VPN site to site tunnel), you are not going to get a call to remove it from the firewall. It will just sit there for years and years. The only down side to disabling everything is that the end user might wait until 2AM to report the problem. :)

clear access-list <i>name</i> counters

When it comes to cleaning up firewall rules, I have always been of the impression that if there are too many, then just disable them all and wait for the calls/e-mails to come in. There should be some default rules(HTTP/HTTPS, SMTP) that you will be able to enable right off the bat. It is the other obscure ones referencing specific source/dest IP's that are harder to figure out, which is why it is best to have the user call you. Remember that when something is no longer needed(ie a VPN site to site tunnel), you are not going to get a call to remove it from the firewall. It will just sit there for years and years. The only down side to disabling everything is that the end user might wait until 2AM to report the problem. :)

Last Wiki Answer Submitted: December 4, 2010 5:23 pm by MNorwood

190 pts.

All Answer Wiki Contributors: MNorwood

190 pts.

To see all answers submitted to the Answer Wiki: View Answer History.

RSS - Discussions Help

Discuss This Question:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Ask a Question

Browse IT Answers by Topic

>>VIEW ALL TAGS

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.
All Rights Reserved, Copyright 1999-2013, TechTarget | Read our Privacy Policy
Questions and Answers Index 1 | Questions and Answers Index 2 | IT Topics Index 1 | IT Topics Index 2 | Blogs Index | Blogs Tags