3 Replies Latest reply on Aug 29, 2012 6:38 PM by fcaron

    ACL hits in NPM for Cisco ASA

    Cyteck2000

      Is there a MIB for hits on an ACL? I would like to monitor what ACLs are being hit on my firewall.

        • Re: ACL hits in NPM for Cisco ASA
          lchance

          You might consider using SYSLOG with the ASA - it offers a ton of messages, some for ACLs. Here are two examples:

           

          Error Message

          %PIX|ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address

          Explanation

          The outgoing ICMP packet with the specified ICMP from local host (inside_address) to the foreign host (outside_address) was denied by the outbound ACL list.

          Error Message

          %PIX|ASA-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_address

          Explanation

          This is a connection-related message. This message is displayed if the specified connection fails because of an outbound deny command. The protocol variable can be ICMP, TCP, or UDP.
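The two message formats quoted above are enough to build a small ACL-hit counter on the syslog feed. The following Python script is an added example (not part of this thread and not SolarWinds or Cisco code): it parses the 106018 and 106002 deny messages with a regular expression derived from the two templates, and aggregates hits per ACL with protocol and top-talker breakdowns. The sample log lines are constructed; the timestamp/hostname prefix and the 302013 line are assumed collector formatting and are only there to show that non-matching messages are skipped.

```python
import re
from collections import Counter

# Constructed sample feed: three ACL denies on acl_inside, one on acl_dmz,
# and one unrelated "Built connection" message that must be ignored.
# The "Aug 29 ... fw01" prefix is an assumed syslog collector format.
SAMPLE_LOGS = [
    "Aug 29 2012 18:38:01 fw01 %ASA-2-106002: tcp Connection denied by outbound list acl_inside src 10.1.1.5 dest 203.0.113.7",
    "Aug 29 2012 18:38:02 fw01 %ASA-2-106018: ICMP packet type 8 denied by outbound list acl_inside src 10.1.1.5 dest 203.0.113.7",
    "Aug 29 2012 18:38:03 fw01 %ASA-2-106002: udp Connection denied by outbound list acl_dmz src 10.2.0.9 dest 198.51.100.3",
    "Aug 29 2012 18:38:04 fw01 %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.5/51000 (10.1.1.5/51000)",
    "Aug 29 2012 18:38:05 fw01 %ASA-2-106002: tcp Connection denied by outbound list acl_inside src 10.1.1.8 dest 203.0.113.7",
]

# Pattern covering the two message templates quoted in the post:
#   %PIX|ASA-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src ... dest ...
#   %PIX|ASA-2-106002: protocol Connection denied by outbound list acl_ID src ... dest ...
# search() is used so that whatever the collector prepends is skipped.
ACL_DENY_RE = re.compile(
    r"%(?:PIX|ASA)-(?P<sev>\d)-(?P<msgid>106018|106002):\s+"
    r"(?:ICMP packet type (?P<icmp_type>\S+)|(?P<proto>\S+) Connection)\s+"
    r"denied by (?P<direction>\w+) list (?P<acl>\S+)\s+"
    r"src (?P<src>\S+)\s+dest (?P<dst>\S+)"
)


def parse_acl_deny(line):
    """Return a dict describing an ACL deny event, or None when the line
    is not one of the two message IDs handled here."""
    m = ACL_DENY_RE.search(line)
    if not m:
        return None
    # 106018 is always ICMP; 106002 carries the protocol in the message.
    proto = "icmp" if m.group("msgid") == "106018" else m.group("proto").lower()
    return {
        "msgid": m.group("msgid"),
        "severity": int(m.group("sev")),
        "protocol": proto,
        "icmp_type": m.group("icmp_type"),  # None for 106002
        "direction": m.group("direction"),
        "acl": m.group("acl"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def summarize_acl_hits(lines):
    """Aggregate deny events per ACL name: hit count, protocol mix and
    a Counter of source addresses (to spot the noisiest host per ACL)."""
    summary = {}
    for line in lines:
        ev = parse_acl_deny(line)
        if ev is None:
            continue
        s = summary.setdefault(
            ev["acl"], {"hits": 0, "protocols": Counter(), "sources": Counter()}
        )
        s["hits"] += 1
        s["protocols"][ev["protocol"]] += 1
        s["sources"][ev["src"]] += 1
    return summary


def acl_hit_counts(lines):
    """Flat {acl_name: hit_count} view of summarize_acl_hits()."""
    return {acl: s["hits"] for acl, s in summarize_acl_hits(lines).items()}


if __name__ == "__main__":
    for acl, s in summarize_acl_hits(SAMPLE_LOGS).items():
        top_src = s["sources"].most_common(1)[0]
        print(f"{acl}: {s['hits']} denies, protocols={dict(s['protocols'])}, "
              f"top source={top_src[0]} ({top_src[1]})")
```

Pointing the script at the syslog file your collector writes (one message per line) gives a per-ACL hit table without any MIB; ACLs that never appear over a long window are candidates for the "unused rule" cleanup mentioned in the later replies.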

          • Re: ACL hits in NPM for Cisco ASA
            Myanta

            A firewall monitor is what you are really needing. The problem with monitoring firewall rules is that there are so many of them. As an example, if you have a rule with 2 sources, 2 destinations and 2 ports the firewall actually creates 8 rules for that even though you only created one.

            One of the other very nice features about a firewall monitor is it can tell you about unused items in any rule or unused rules. Check out FireMon and its competitors.

            • Re: ACL hits in NPM for Cisco ASA
              fcaron

              We just introduced a new product which covers this: FSM, Firewall Security Manager, more here

              The Optimize / Rule Object Cleanup function does that (make sure you click on Log Usage Analysis)