My approach to this may be considered backwards, but I start out with what I specifically know to be needed. I remove what isn't specifically needed.

In my specific environment, we don't have a lot of changes that would affect firewall ACLs, but if I were, I would review each individual network change and institute firewall changes as part of the implementation.

Craig.
-----Original Message-----
From: PIX_Firewall@yahoogroups.com [mailto:PIX_Firewall@yahoogroups.com] On Behalf Of brianahardy
Sent: Tuesday, December 27, 2005 2:40 PM
To: PIX_Firewall@yahoogroups.com
Subject: [PIX_Firewall] ACL Clean-up
We have several PIXes scattered around our network, most of which have several hundred to thousands of ACL entries. I started to track hit counts and found that there were hundreds of entries with hitcnt=0. What would be the simplest/best methodology for:

1: Determining which ACL entries can be deleted
2: Process for deleting/disabling the entries for a period of time (week? month?) so they can readily be put back into place if someone complains.

Has anyone gone through this process? If so, what methods did you use and what problems should I be looking out for?

Thanks
Brian
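As an added example (not from either poster), a small Python helper that parses `show access-list` output in both the PIX 6.x and PIX 7.x/ASA formats, picks out the hitcnt=0 entries Brian describes, and emits `no access-list` removal commands alongside positional restore commands for the rollback window. The sample output below is constructed; the restore commands rely on the `line N` keyword that 7.x/ASA accepts, and hit counters are only meaningful if the box has not been reloaded or had its counters cleared during the observation period.

```python
import re

# Constructed sample of "show access-list" output (not from the thread).
# Lines 1-4 use the PIX 7.x/ASA format; the last line is PIX 6.x style.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_in; 4 elements
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=48213) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq smtp (hitcnt=0) 0x2b3c4d5e
access-list outside_in line 3 extended permit udp any host 192.0.2.12 eq domain (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 4 extended deny ip any any (hitcnt=917) 0x4d5e6f70
access-list dmz_in permit ip 172.16.0.0 255.255.0.0 any (hitcnt=0)
"""

# One ACE per line; "line N" is optional (absent on PIX 6.x), the trailing
# 0x... hash on 7.x output is deliberately left out of the captured body.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+(?P<line>\d+)\s+)?"
    r"(?P<body>(?:extended\s+)?(?:permit|deny)\s.*?)\s+\(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(show_output):
    """Return a list of dicts {name, line, body, hits}, skipping summary lines."""
    aces = []
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # "; N elements" summaries and anything that is not an ACE
        aces.append({
            "name": m.group("name"),
            "line": int(m.group("line")) if m.group("line") else None,
            "body": m.group("body"),
            "hits": int(m.group("hits")),
        })
    return aces


def zero_hit_aces(aces):
    """Candidates for removal: entries that have never matched traffic."""
    return [a for a in aces if a["hits"] == 0]


def staged_removal(aces):
    """Return (remove_cmds, restore_cmds) for every zero-hit ACE.

    ACL order matters, so the restore command re-inserts at the original
    line number where one is known; applying restores in ascending original
    order recreates the original positions.  PIX 6.x entries (no line
    number) are re-appended with a plain access-list command."""
    remove, restore = [], []
    for a in zero_hit_aces(aces):
        remove.append(f"no access-list {a['name']} {a['body']}")
        pos = f"line {a['line']} " if a["line"] is not None else ""
        restore.append(f"access-list {a['name']} {pos}{a['body']}")
    return remove, restore
```

Keep the restore list with the change ticket for the week or month the entries are disabled; re-applying it in order puts the ACL back as it was.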