How to see a “hit list” on your SI and ACP rules on Cisco FTD…

There is a gem of a command that you can run from the FTD CLI, or from the Advanced Troubleshooting tab in the FMC GUI.

The “show access-control-config” command prints the configuration of your ACP (Access Control Policy) along with the hit counters on your SI (Security Intelligence) objects and on each ACP rule. One caveat, confirmed in the comments below: those counters reset every time you deploy policy to the device, so read them as hits since the last deploy. A lot of customers have asked me how to get this info, and this was a great find, so I wanted to share it with you!

Yes, you can build custom workflows in FMC that return some of this info, but they take a lot of time to write; this CLI command is easy and cuts to the chase! Here is the output, annotated, and then another great command as a bonus at the bottom, so scroll down!

> show access-control-config
The first section is a summary of the ACP config and the total hits across all of its rules
====================[ FTD1_ACP ]====================
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity

Rule Hits : 38957
Variable Set : Default-Set
———————[ Block ]———————-
This area will show the SI IP objects and the zones associated to each

———————[ Block ]———————-
This area will show the SI URL objects and the zones associated to each

===============[ Rule Set: (User) ]================
*The following shows the individual ACP rules, their config and hit counters. I’ve trimmed the output to show just one rule.
————–[ Rule: No log UDP DNS ]————–
Action : Allow
Intrusion Policy : Security Over Connectivity
ISE Metadata :
Destination Ports : DNS_over_UDP (protocol 17, port 53)

Rule Hits : 581
Variable Set : Default-Set
[output cut]
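The comments on this post ask for this output as a spreadsheet so unused rules can be found without paging through the CLI. Here is an added example (my code, not from Todd’s post or from Cisco) that parses saved “show access-control-config” text into rules and hit counts, emits CSV, and lists the zero-hit rules. It assumes only the layout shown above: a `====[ name ]====` policy header, `[ Rule: name ]` rule headers, and `Key : Value` lines. The sample output embedded in it is constructed to match that shape; its rule names, ports and counts are made up, and the function and class names are mine.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the output shown above (policy summary,
# then the user rule set). Rule names, ports and counts are made up.
SAMPLE_OUTPUT = """\
====================[ FTD1_ACP ]====================
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity

Rule Hits : 38957
Variable Set : Default-Set
---------------------[ Block ]----------------------

===============[ Rule Set: (User) ]================
--------------[ Rule: No log UDP DNS ]--------------
Action : Allow
Intrusion Policy : Security Over Connectivity
ISE Metadata :
Destination Ports : DNS_over_UDP (protocol 17, port 53)

Rule Hits : 581
Variable Set : Default-Set
--------------[ Rule: Legacy FTP to DMZ ]--------------
Action : Allow
Destination Ports : FTP (protocol 6, port 21)

Rule Hits : 0
Variable Set : Default-Set
"""

POLICY_HEADER = re.compile(r"^=+\[\s*(.+?)\s*\]=+$")      # ====[ name ]====
RULE_HEADER = re.compile(r"\[\s*Rule:\s*(.+?)\s*\]")       # ----[ Rule: name ]----
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")  # Key : Value

@dataclass
class AcpRule:
    name: str
    fields: dict = field(default_factory=dict)

    @property
    def hits(self) -> int:
        return int(self.fields.get("Rule Hits", "0"))

@dataclass
class AcpReport:
    policy: str = ""
    policy_hits: int = 0  # the policy-wide "Rule Hits" from the summary
    rules: list = field(default_factory=list)

def parse_access_control_config(text: str) -> AcpReport:
    """First ====[ ]==== header names the policy; each [ Rule: ... ] header opens
    a rule; Key : Value lines attach to the current rule (or to the summary
    before any rule). SI "[ Block ]" dividers and the rule-set header match
    no pattern and are skipped."""
    report = AcpReport()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_HEADER.match(line)
        if m and not report.policy:
            report.policy = m.group(1)
            continue
        m = RULE_HEADER.search(line)
        if m:
            current = AcpRule(name=m.group(1))
            report.rules.append(current)
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if current is not None:
            current.fields[key] = value
        elif key == "Rule Hits":
            report.policy_hits = int(value)
    return report

def zero_hit_rules(report: AcpReport) -> list:
    """Clean-up candidates. Caveat (confirmed in this page's comments): the
    counters reset on every deploy, so zero means 'unused since the last
    deploy', not 'never used'; note the deploy time alongside the export."""
    return [r.name for r in report.rules if r.hits == 0]

def to_csv(report: AcpReport) -> str:
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["policy", "rule", "action", "hits"])
    for r in report.rules:
        writer.writerow([report.policy, r.name, r.fields.get("Action", ""), r.hits])
    return out.getvalue()

if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for the saved text of the real command output.
    rep = parse_access_control_config(SAMPLE_OUTPUT)
    print(to_csv(rep))
    print("zero-hit rules since last deploy:", zero_hit_rules(rep))
```

Capture the CLI output to a file (for example from the FMC Advanced Troubleshooting tab, or by copying the terminal session) and feed that text to `parse_access_control_config` instead of the sample. Because the counters restart at every deploy, compare exports across several deploy cycles before deleting a rule, and remember that the SI “[ Block ]” sections above the rule set carry their own hit counts that this parser deliberately leaves out.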

**…and for troubleshooting check this out too!**
> system support firewall-engine-debug
…this command traces a flow through Snort’s access control evaluation so you can confirm which Access Control rule the traffic actually matched. It prompts for filters (IP protocol, client and server IP address and port) before it starts; set them as narrowly as you can, because it logs every packet of every matching flow and is meant for tracing a single test flow, not for watching production traffic at large.

Very cool stuff!
Todd Lammle

www.lammle.com

9 Comments

  1. The big issue is these hit counters reset (clear) every time you deploy to the device.

    I hope Cisco can fix that. Not good when doing firewall reviews of rules that are no longer needed based on hit counts.

  2. Hi Jonathan, I guess that is why they created the new GUI hit counts in 6.4 code…those don’t reset that I’ve seen!
    Thanks for posting!

    1. The new GUI hit counter is not accurate. Have you noticed that? I do not know where they are getting the hits from for that. I don’t think they are combining the hits from the different parts of the system (access-control-config vs. access-list)

      Depending on what type of rule and traffic, it could make a hit in either of those access lists.

      The GUI hit counter is not even close to some of my CLI output hit counters. I was excited for this in 6.4, but now it seems like I can’t even trust it anyway.

        1. John, based on your comment, you are running code older than 6.4, and this is not advisable. The 6.4 code is stable, and also has hit counts for the ACP and PreFilter in the GUI.

  3. Is there a way to get the output of “show access-control-config” all at once (without pressing space every time)? Or output the result to a file?

    1. Yeah, it’s annoying, but that command isn’t that great because every time you deploy the hit count resets. Show access-list would probably be better, but it only shows the ACP; however, starting in 6.5 you have the GUI now in the ACP and PreFilter, so you can see the hit count on both of those. The show access-control-config is good to see if SI is hit, though, if that matters.

  4. Hi, I would like to know if we can get the ACP hit count in CSV format so we can easily clean up the rules instead of checking each one in the CLI if we have a chunk of rules.

    We would like to clean up unused rules which don’t have any hit counts.

    1. Not that I know of; however, you can now analyze hit counts in each ACP to see which rules are hit, and how many hits.
      Open an ACP and go to the top; next to the Save button is Analyze Hit Counts, and you can then choose the FTD device.
      This works rather well.
