Thread: ACL Clean-up




ACL Clean-up
user name
2005-12-27 22:55:11
There isn't a handy way to disable certain ACEs [access entries]. The best
way is to either remove the 0 hit-count ACEs or to insert an identical rule
just above the suspect entry but have it deny as well as log [if you're
using syslog].

So say this entry has a zero hit count and you would like to remove it:

access-list outside line 430 permit tcp any host 1.1.1.1 eq 8080

add an identical one above it like:

access-list outside line 430 deny tcp any host 1.1.1.1 eq 8080 log 3

That way it's denied for the month, week, etc., that you'd like, and you'd
get to see a hit count or log entry [if you have syslog] if someone tries
the rule [syslog would tell you exactly who/when attempted it]. If you need
to take the rule out in a hurry, a simple:

no access-list outside line 430 deny tcp any host 1.1.1.1 eq 8080 log 3

does it. If you have lots of rules that you feel need to come out, it may
be more trouble than it's worth to do this for each individual rule. In
that case, build an identical ACL as the applied one, sans the suspect
rules, and apply that to the interface instead. It's easy to revert back
to the other ACL if you need to [and when you do, all hit counts will
return to zero to begin again]. Happy hunting.





--- brianahardy <brianahardyyahoo.com> wrote:

> We have several PIXes scattered around our network, most of which have
> several hundred to thousands of ACL entries.
>
> I started to track hit counts and found that there were hundreds of
> entries with hitcnt=0. What would be the simplest/best methodology for:
>
> 1: Determining which ACL entries can be deleted
> 2: Process for deleting/disabling the entries for a period of time
> (week? month?) so they can readily be put back into place if someone
> complains.
>
> Has anyone gone through this process? If so, what methods did you use
> and what problems should I be looking out for?
>
> Thanks
> Brian




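Worked example, added here and not part of the original thread or of any Cisco tooling: a small Python script that automates the shadowing approach from the reply above. It parses `show access-list` output, selects the permit ACEs with hitcnt=0, emits the deny-and-log inserts that go directly above them, and emits the matching `no` commands for rollback. The sample output is constructed, the ACL name and addresses are placeholders, and the script assumes PIX 6.x formatting with `(hitcnt=N)` at the end of each ACE line and that the `line` keyword is optional in the `no access-list` form (as the PIX syntax documents it), so rollback matches by ACE content. It also handles a detail the reply leaves implicit: each insert at line N shifts every ACE below it down by one, so the inserts are emitted from the highest line number down, which keeps the snapshot's line numbers valid while you paste them in.

```python
import re

# Constructed sample of PIX 6.x "show access-list" output (not captured from a real device).
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside line 1 permit tcp any host 1.1.1.1 eq www (hitcnt=2431)
access-list outside line 2 permit tcp any host 1.1.1.1 eq 8080 (hitcnt=0)
access-list outside line 3 permit udp any host 1.1.1.2 eq domain (hitcnt=0)
access-list outside line 4 deny ip any any log 4 (hitcnt=17)
"""

# One ACE per line: "access-list <id> line <n> <permit|deny> <rest> (hitcnt=<n>)".
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)$"
)


def parse_show_access_list(text):
    """Return a list of dicts, one per ACE; remarks and other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "acl": m["acl"],
            "line": int(m["line"]),
            "action": m["action"],
            "body": m["body"],
            "hitcnt": int(m["hits"]),
        })
    return entries


def zero_hit_permits(entries):
    """Candidates for removal: permit ACEs that have never matched, in line order."""
    return sorted(
        (e for e in entries if e["action"] == "permit" and e["hitcnt"] == 0),
        key=lambda e: e["line"],
    )


def shadow_commands(entries, log_level=3):
    """Commands that insert a logging deny directly above each zero-hit permit.

    Inserting at line N pushes every ACE from N down by one, so the inserts are
    emitted highest line first; that way each snapshot line number is still
    correct at the moment its command is applied.
    """
    cmds = []
    for e in reversed(zero_hit_permits(entries)):
        cmds.append(
            f"access-list {e['acl']} line {e['line']} deny {e['body']} log {log_level}"
        )
    return cmds


def rollback_commands(entries, log_level=3):
    """Commands that remove the shadow denies again (when someone complains).

    The line numbers moved when the denies went in, so the 'no' form omits the
    optional 'line' keyword (assumption: PIX matches the ACE by content then).
    """
    return [
        f"no access-list {e['acl']} deny {e['body']} log {log_level}"
        for e in zero_hit_permits(entries)
    ]


def final_positions(entries):
    """Map snapshot line -> (shadow deny line, permit line) after all inserts.

    The k-th candidate (0-based, ascending) has k inserts above it, so its
    deny lands at line + k and the permit it shadows at line + k + 1.
    """
    return {
        e["line"]: (e["line"] + k, e["line"] + k + 1)
        for k, e in enumerate(zero_hit_permits(entries))
    }


if __name__ == "__main__":
    aces = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    print("! paste in config mode to shadow zero-hit permits")
    for c in shadow_commands(aces):
        print(c)
    print("! rollback")
    for c in rollback_commands(aces):
        print(c)
    for orig, (deny_at, permit_at) in final_positions(aces).items():
        print(f"! snapshot line {orig}: deny now at {deny_at}, permit at {permit_at}")
```

Feed it a saved copy of `show access-list`, review the candidate list before pasting anything, and keep the rollback output with the change ticket. One check worth doing first: hit counters reset when the firewall reloads or the counters are cleared, so a snapshot full of zeros taken shortly after a reboot says nothing about whether the rules are used.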