6 Replies Latest reply on Jun 1, 2012 1:42 PM by gooru4speed

    ACL hits

    gooru4speed

      Hello everybody,

      I need to obtain from the firewall the following information:

      1) List of configured ACLs and the quantity of times they were hit.

      2) Report between certain dates with the quantity of times ACLs were hit.

      The goal with item 2 is to keep track of rules that are not used anymore and disable them, and to put the ACLs most used at the top of the list of rules to help improve the process of filtering.

      Can anybody tell me how to do it?

      Thanks!!

      JR

        • 1. Re: ACL hits
          PhilM

          Though I've not seen it in action myself, I'm guessing this might have been the kind of thing you would have seen from the now-defunct Firewall Reporter product.

          In versions 7 & 8 you can right-click on an ACL and from the View Audit option select "All Available", and this will present you with a list of the specific audit events associated with that ACL. However, the results will depend on how much historic audit is still stored on the appliance. The audit.raw file is rolled over at least once a day (more often if there's lots of traffic passing through the box) and I *think* it keeps a maximum of 20 archived copies. So, at most you're looking at 20 days' worth to report on.

          With something like Firewall Reporter, the logs were being offloaded to a syslog server so you could keep as much log information as you had available hard drive space.

          McAfee have replaced the likes of Firewall Reporter and Profiler with the recently acquired Nitro Security product, but (alas) this isn't a free offering as its two predecessors were.

          -Phil.

          • 2. Re: ACL hits
            gooru4speed

            Thanks Phil for your response. I understand your advice, but I'm looking for something simpler: I just need an accumulated hit counter for every ACL in real time, and later to generate a report of the same counter between specific dates.

            Thanks!

            JR

            • 3. Re: ACL hits

              Hello,

               

              The easiest way to report on the rules most hit is 'cf policy usage days=<1-180>'. If a rule is not listed in this output then it was not hit during those days. This is only available on version 8.x. Otherwise, you could also use gen_reports (man gen_reports) and run the acl_usage report. This is available on v7 and v8. Either method adheres to how much historic audit is kept on the firewall, as PhilM mentioned.

              The report between specific dates will be more difficult. Are you using Reporter?

              Erik

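Since the firewall's own usage report only covers the audit still kept on the box, one way to get the between-dates report the original poster wants is to save the per-rule counters every day and diff the saved snapshots. The following is an added example, not code from this thread or from the firewall product; it assumes each daily snapshot has been saved as plain lines of "<rule-name> <cumulative-hits>" (a constructed format, not the real 'cf policy usage' or acl_usage output), and it treats a counter that drops below the previous day's value as a reset so a reboot does not produce negative hit counts.

```python
# Added example (not from this thread): track per-ACL hit counts across dated
# snapshots and report the hits accumulated between two dates.
# ASSUMPTION: each daily snapshot is saved as lines of "<rule-name> <cumulative-hits>";
# the real 'cf policy usage' / acl_usage output format is not reproduced here.

# Constructed sample snapshots keyed by ISO date (string keys sort chronologically).
SNAPSHOTS = {
    "2012-05-01": "allow_web 1200\nallow_dns 300\nallow_ssh_admin 5\nlegacy_ftp 0\n",
    "2012-05-02": "allow_web 1850\nallow_dns 420\nallow_ssh_admin 5\nlegacy_ftp 0\n",
    # Counters lower than the day before: treated as a counter reset (e.g. after a reboot).
    "2012-05-03": "allow_web 400\nallow_dns 90\nallow_ssh_admin 7\nlegacy_ftp 0\n",
}


def parse_snapshot(text):
    """Parse '<rule-name> <cumulative-hits>' lines into a dict; blank and '#' lines are skipped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, hits = line.rsplit(None, 1)
        counts[name] = int(hits)
    return counts


def hits_between(snapshots, start, end):
    """Per-rule hits accumulated between the first and last snapshot inside [start, end].

    A cumulative counter that drops below its previous value is treated as a reset,
    so the new value counts in full instead of producing a negative delta.
    """
    days = sorted(d for d in snapshots if start <= d <= end)
    if len(days) < 2:
        raise ValueError("need at least two snapshots inside the date range")
    totals = {}
    prev = parse_snapshot(snapshots[days[0]])
    for day in days[1:]:
        cur = parse_snapshot(snapshots[day])
        for rule, hits in cur.items():
            before = prev.get(rule, 0)  # a rule first seen today counts from zero
            delta = hits - before if hits >= before else hits
            totals[rule] = totals.get(rule, 0) + delta
        prev = cur
    return totals


def unused_rules(totals):
    """Rules with no hits in the period: candidates to review and disable."""
    return sorted(rule for rule, hits in totals.items() if hits == 0)


def top_rules(totals, n):
    """The n most-hit rules: candidates to move towards the top of the rule list."""
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))[:n]


if __name__ == "__main__":
    totals = hits_between(SNAPSHOTS, "2012-05-01", "2012-05-03")
    print("Top rules:   ", top_rules(totals, 2))
    print("Unused rules:", unused_rules(totals))
```

Run daily from cron against whatever counter source the firewall version provides, the snapshots give a history that outlives the 20 or so archived audit files, and the zero-hit list is the input to the "disable unused rules" review the original poster describes.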
              • 4. Re: ACL hits
                gooru4speed

                Hello ekuik,

                Yes I'm using Firewall Reporter. What do you suggest?

                 

                Thanks so much!

                JR

                • 5. Re: ACL hits

                  Hello,

                  In Reporter, try creating a Profile that covers the date range in question.  I believe there is a default 'Rules' report template that will work, but you may want to just create a custom Report that uses the 'Top Rules Triggered' query.

                   

                  Hope this helps,
                  Erik

                  • 6. Re: ACL hits
                    gooru4speed

                    Thanks everybody for your assistance, all your suggestions were very helpful. Ekuik, you had THE answer: the CLI command and the Firewall Reporter report gave me the information I needed.

                     

                    Thanks!

                    JR