Thursday, 18 February 2016

[Cisco ASA] Determine unused object-groups

There is no single right answer when it comes to network management, and things get even harder when it comes to cleanup tasks.

Fate threw a few ASAs my way that, for better or worse, had been managed by tooooo many hands before me, and as a really good friend once told me, "OCD in the networking world is usually a good thing". The OCD monster living inside me forced me to start the titanic task of cleaning up and standardizing the configuration of these firewalls.

At some point I needed to deal with object-groups, and with the help of my friend Julio Guevara (@juliogbberry || @MAXxATTAXx) we came up with the idea of counting how many times each object-group is used, not only to find those that aren't used at all, but also to get rid of those that are not really needed (used five times or less).

A little Python script tells us how many times each object is used. It needs two files: one with the names of all the objects (List_ASA1), and one with the lines you want to compare them against; for simplicity I narrowed that down to the access control lists (ACL_ASA1). Keep in mind that an object-group can also be referenced outside the ACLs (nested inside another object-group, or in a NAT statement), so a count of zero against the ACL file alone does not prove the group is unused; check the rest of the running configuration before removing it.

It is quite simple:
  1. Place the pair of files to compare in the same folder.
  2. The files must be named List_abc & ACL_abc, where abc can be anything, as long as both files share the same suffix.
  3. Open the Python console and, once you have the script loaded, issue the following commands. Remember to change the path to the folder where your files are.
    • firewall = FirewallClean()
    • firewall.workFolder("C:\\firewall") 

If everything works, you should have a file called Results_abc (Results_ASA1) from which you can determine what is being used and what is not.
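To show what the comparison described above actually does, here is an added example written for this post; it is not the downloadable script and does not reproduce its exact output format. It follows the same idea (a list of object-group names compared against configuration lines, with List_abc / ACL_abc pairs producing Results_abc), but it matches whole tokens rather than substrings, so a group named DMZ is not credited with every hit on DMZ_SERVERS, it skips the group's own definition line, and it also counts nested group-object and NAT references, which an ACL-only comparison misses. The group names, config lines and file names below are constructed for the example; the five-or-less threshold is the one from the post.

```python
"""Count Cisco ASA object-group references and flag unused or rarely used groups.

Added example, not the post's script. Counts are per occurrence, so a NAT
line that names the same group twice adds two. Every name and line below is
constructed sample data.
"""
import sys
from pathlib import Path

# The post removes groups used "five times or less"; keep that threshold.
RARELY_USED_THRESHOLD = 5

# Constructed sample of List_abc: one object-group name per line.
SAMPLE_NAMES = """
DMZ
DMZ_SERVERS
WEB_PORTS
MGMT_HOSTS
LEGACY_APP
""".strip().splitlines()

# Constructed sample of ACL_abc. Besides access-list lines it holds the group
# definitions (which must not count as uses), one nested group-object
# reference and one NAT rule, to show what an ACL-only comparison would miss.
SAMPLE_CONFIG = """
object-group network DMZ_SERVERS
 network-object host 10.1.1.10
object-group network DMZ
 group-object DMZ_SERVERS
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
object-group network LEGACY_APP
 network-object host 10.9.9.9
object-group network MGMT_HOSTS
 network-object host 10.0.0.5
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp any object-group DMZ object-group WEB_PORTS
access-list INSIDE_OUT extended permit ip object-group MGMT_HOSTS any
nat (inside,outside) source static MGMT_HOSTS MGMT_HOSTS
""".strip().splitlines()


def is_definition(line):
    """True for a group header such as 'object-group network DMZ'.
    ASA prints definitions at column 0; a line that *uses* a group has
    'object-group' further in, after 'access-list ...'."""
    return line.startswith("object-group ")


def count_references(names, lines):
    """Return {name: times the name appears as a whole whitespace-separated
    token}. Definition headers are skipped, so a group that is defined but
    never referenced ends up at 0. Blank lines in the name list are ignored."""
    counts = {n.strip(): 0 for n in names if n.strip()}
    for line in lines:
        if is_definition(line):
            continue
        for token in line.split():
            if token in counts:
                counts[token] += 1
    return counts


def classify(counts, threshold=RARELY_USED_THRESHOLD):
    """Split the counts into the three buckets the post cares about."""
    return {
        "unused": sorted(n for n, c in counts.items() if c == 0),
        "rarely_used": sorted(n for n, c in counts.items() if 0 < c <= threshold),
        "in_use": sorted(n for n, c in counts.items() if c > threshold),
    }


def format_results(counts):
    """One 'name count' line per group, least used first. This layout is an
    assumption; the post does not show what its Results file looks like."""
    return [f"{n} {c}" for n, c in sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))]


def process_folder(folder):
    """Mirror the post's workflow: each List_abc paired with ACL_abc in the
    folder produces Results_abc next to them. Returns the paths written."""
    folder = Path(folder)
    written = []
    for list_file in folder.glob("List_*"):
        suffix = list_file.name[len("List_"):]
        acl_file = folder / f"ACL_{suffix}"
        if not acl_file.is_file():
            print(f"skipping {list_file.name}: no {acl_file.name}", file=sys.stderr)
            continue
        counts = count_references(list_file.read_text().splitlines(),
                                  acl_file.read_text().splitlines())
        out = folder / f"Results_{suffix}"
        out.write_text("\n".join(format_results(counts)) + "\n")
        written.append(out)
    return written


if __name__ == "__main__":
    if len(sys.argv) > 1:            # python objgroups.py C:\firewall
        for path in process_folder(sys.argv[1]):
            print("wrote", path)
    else:                            # no folder given: run on the sample data
        result = count_references(SAMPLE_NAMES, SAMPLE_CONFIG)
        print("\n".join(format_results(result)))
        print(classify(result))
```

Run with a folder argument to process real List_*/ACL_* pairs, or with no argument to see the sample: LEGACY_APP comes out unused, while DMZ, DMZ_SERVERS, WEB_PORTS and MGMT_HOSTS land in the rarely-used bucket. Note that MGMT_HOSTS only reaches 3 because the NAT line is in the input; if you feed the script nothing but access-list lines, as the post does, it would show 1, which is exactly the kind of undercount to keep in mind before deleting anything.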

The script and all the example files can be found here: Download Script.

I hope many of you find this helpful.


This is an experimental tool. Backup your config before making any changes suggested by this tool.
