Tracking of unused or stale rules

Is there anything in the roadmap for a feature that would track unused or stale rules (from firewalls, routers, etc. via hit-counters or syslog analysis for rule usage)?


Thanks

  • Thanks for reaching out, Kevin!

    Are you already using Device Cleanup to view this information? If so, can you expand a bit on what you'd like to see?
  • Steve -

    I do use Device Cleanup to identify redundant, disabled, unlogged rules, etc. However, I have not seen where RedSeal can track unused / stale rules. I'd like for RedSeal to be able to pull in hit-count data (whatever that might be from the specific device) and analyze that data over a time frame. That is to say, for example, collecting data month-to-month or quarter-to-quarter and tracking the change in the hit count for rules: no change, likely an unused rule.

    Thanks,

    - Kevin

  • Kevin,

    There is a section of the User's Guide called "Rule Check and Usage Analysis Manager" (on page 443 of the v8r1 guide) that describes the current capability of RedSeal for rule usage. The function requires setting the Data Collection Tasks to collect usage data, and that setting requires the credential used for data collection to have access to the usage logs and/or counters.

    The section is rather long, so I won't quote it here, but please let me know what questions remain.
  • Steve -

    Thank you. I found some good information in there. Can you tell me how the HPNA plugin pulls the rule usage data from the Cisco devices? I'm assuming the RedSeal plugin authenticates to HPNA and then HPNA runs the command (show access-list <ACL Name>) to acquire the hit count. Sort of an indirect SSH session?

    - Kevin

  • Kevin,

    I'm going to need to do some homework to answer that one! I believe that it requires HPNA to collect that information when it does its collections of the configs, and that it is an option within HPNA to do so. However, I will check on the specifics and update this thread.

    Best,
    ssh

  • Kevin,

    I have heard back from the engineering team, and the capability to pull from HPNA is limited. First, it only supports the PIX7/ASA plugin. Secondly, to do it, RedSeal pulls rule usage information from HPNA using their diagnostic. You have to create a diagnostic in HPNA and specify the command that our plugin supports in your diagnostic script. You then need to specify that diagnostic name in the RedSeal data collection task. The RedSeal HPNA plugin then executes that diagnostic and collects the data. Again, this feature was only implemented for the PIX7/ASA plugin.

    Please let us know if you have any further questions.

    Best,
    ssh

  • Here is a precise follow-up quote from our Engineering team:

    RedSeal extracts the rule usage information from HPNA using HPNA's "diagnostics" feature, which provides the ability to the user to execute any command on the network device and capture its output in HPNA. The user first creates a new "diagnostic" in HPNA and specifies the relevant rule usage command in the diagnostic script. The user then specifies the name of that diagnostic in the RedSeal data collection task. When the data collection task runs, the HPNA plugin executes the rule usage diagnostic along with the standard config collection and collects its output. This feature was only implemented for the Cisco ASA plugin.

  • Steve -

    That's awesome. Exact detail I was looking for. Thank you for contacting engineering and the fast response.

    - Kevin

  • Steve -

    A follow-up question. Do you know if I can specify more than one 'Rule usage diagnostic name' in the Data Collection Task? E.g. sh access-list <acl_name1>, sh access-list <acl_name2>, etc. Or can RedSeal accept 'show access-list' and parse the list of all ACLs' hit-counts?

    Thanks,

    - Kevin

  • Kevin,

    It will accept whatever the diagnostic returns, including the set of all access list counts. This is the normal approach when the data collection collects directly from the devices (the typical way RedSeal collects the rule usage information).

    Best,
    ssh

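As an added illustration of the two ideas in this thread, Kevin's month-to-month comparison of hit counts to spot rules whose counter never moves, and Steve's point that the whole `show access-list` output (all ACLs at once) can be parsed rather than one `sh access-list <name>` per ACL, here is a small Python script. It is not RedSeal or HPNA code. It assumes Cisco ASA output in the form `access-list NAME line N ... (hitcnt=N) 0x...`; the two snapshots, ACL names, addresses and counts are constructed samples. Because `hitcnt` is cumulative since the counter was last cleared or the device reloaded, a single zero proves little; the comparison below only calls a rule "unused" when the counter is unchanged across the interval, and labels a counter that went down as inconclusive.

```python
import re

# One rule line of Cisco ASA "show access-list" output. Header lines such as
# "access-list NAME; N elements; name hash: 0x..." do not match and are skipped.
RULE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<body>.*?)\s+\(hitcnt=(?P<hits>\d+)\)"
)

# Constructed sample output: two collections of the same firewall, a month apart.
SNAPSHOT_MONTH_1 = """\
access-list outside_in; 3 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any host 10.0.0.5 eq 443 (hitcnt=1500) 0xaaaa0001
access-list outside_in line 2 extended permit udp any host 10.0.0.6 eq 53 (hitcnt=0) 0xaaaa0002
access-list outside_in line 3 extended permit tcp any host 10.0.0.7 eq 22 (hitcnt=40) 0xaaaa0003
access-list dmz_out; 1 elements; name hash: 0x5e6f7a8b
access-list dmz_out line 1 extended permit ip any any (hitcnt=9000) 0xbbbb0001
"""

SNAPSHOT_MONTH_2 = """\
access-list outside_in; 4 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any host 10.0.0.5 eq 443 (hitcnt=2300) 0xaaaa0001
access-list outside_in line 2 extended permit udp any host 10.0.0.6 eq 53 (hitcnt=0) 0xaaaa0002
access-list outside_in line 3 extended permit tcp any host 10.0.0.7 eq 22 (hitcnt=40) 0xaaaa0003
access-list outside_in line 4 extended permit tcp any host 10.0.0.8 eq 25 (hitcnt=3) 0xaaaa0004
access-list dmz_out; 1 elements; name hash: 0x5e6f7a8b
access-list dmz_out line 1 extended permit ip any any (hitcnt=120) 0xbbbb0001
"""


def parse_show_access_list(text):
    """Parse the full output into {(acl, line): (rule_text, hitcnt)}.

    Parsing everything at once covers every ACL in one pass, instead of
    needing a separate 'sh access-list <name>' diagnostic per ACL.
    """
    rules = {}
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            key = (m.group("acl"), int(m.group("line")))
            rules[key] = (m.group("body"), int(m.group("hits")))
    return rules


def classify_rules(older, newer):
    """Compare two snapshots and label every rule in the newer one.

    "active"  : counter increased, the rule matched traffic in the interval
    "unused"  : counter unchanged, candidate stale rule
    "reset"   : counter went down, so it was cleared or the device reloaded;
                the interval is inconclusive and must not be called unused
    "changed" : rule text at that ACL line differs, so the ACL was edited and
                line numbers may have shifted; counters are not comparable
    "new"     : rule was not present in the older snapshot
    """
    status = {}
    for key, (body, hits_new) in newer.items():
        if key not in older:
            status[key] = "new"
            continue
        old_body, hits_old = older[key]
        if body != old_body:
            status[key] = "changed"
        elif hits_new > hits_old:
            status[key] = "active"
        elif hits_new == hits_old:
            status[key] = "unused"
        else:
            status[key] = "reset"
    return status


def unused_rule_candidates(older, newer):
    """Return [(acl, line, rule_text)] for rules flagged 'unused', in ACL/line order."""
    status = classify_rules(older, newer)
    return sorted(
        (acl, line, newer[(acl, line)][0])
        for (acl, line), s in status.items()
        if s == "unused"
    )


if __name__ == "__main__":
    a = parse_show_access_list(SNAPSHOT_MONTH_1)
    b = parse_show_access_list(SNAPSHOT_MONTH_2)
    for (acl, line), s in sorted(classify_rules(a, b).items()):
        print(f"{acl:12} line {line}: {s:8} {b[(acl, line)][0]}")
```

Rules labelled "unused" are candidates for review, not removal: a quarterly backup path or a rule that only matches during a yearly job will also show no movement within one interval, so the comparison is worth running over several consecutive collections before acting on it.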