Rewriting ACL with Log keyword

CSCO12053961 (Level 1)
Hi Team,

I am looking for some convenient option to add a log statement to the existing access-list on a multi-context ASA running 9.14(1); the ACL count is more than 1000.

I figured out 2 options:
1. Using ASDM, which has the limitation of one ACL at a time.
2. Re-adding all ACLs via CLI. Any other options may save some effort.
Accepted Solution

Although I agree with Mohammed that you should be careful when enabling logging on so many rules, especially on the ASA, you could add the log keyword using a simple python script.  First pull the ACL configuration from the ASA and save it in a file.  Then run the following script to add the log keyword at the end of each entry.  Be sure to change the path to where the files are located to match the actual location you have saved them to:

# Read the original ACL file and add the entries into a list
def read_file():
    with open('D:\\Python\\Network Programability\\Files\\ASA_ACL.txt', 'r') as file_object:
        file_info_list = []
        for line in file_object:
            line = line.strip()
            if line:  # skip blank lines, which would otherwise become a bare "log"
                file_info_list.append(line)
        return file_info_list

# Loop through the newly created list adding the log keyword at the end of each ACL entry and write to a new file
with open('D:\\Python\\Network Programability\\Files\\ASA_ACL_new.txt', 'w') as write_file:
    for line in read_file():
        if line.split()[-1] == 'log':  # entry already logs; do not append a second keyword
            write_file.write(f"{line}\n")
        else:
            write_file.write(f"{line} log\n")

You can obviously script the process of adding the lines back to the ASA.  However, I prefer to do that part as a manual job as I can then react to any errors or issues that might pop up while adding them.

--
Please remember to select a correct answer and rate helpful posts
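The script in the accepted answer appends " log" to every line of the export, which breaks on the entries a real 1000-line ACL contains: remark lines, standard ACLs, entries that already log, and extended ACEs that end in "inactive" or "time-range" (in the ASA extended ACE syntax the log clause has to come before those keywords, not after them). The following is an added example written for this thread, not code from the original post or from Cisco. It assumes the input is the text of "show running-config access-list" (no "line N" or hit counters) and that the trailing-keyword ordering above holds; the sample ACL, object-group name and addresses are constructed. The optional log_options argument lets you pass the ASA "log [level] [interval secs]" form, for example "interval 600", to throttle the syslog rate per entry when the CPU concern raised later in the thread applies.

```python
import sys

# Constructed sample of an ASA ACL export (not from the original post). It mixes
# the cases a large export typically contains: a remark, a plain ACE, an ACE
# that already logs, an ACE with a trailing "inactive" keyword and a blank line.
SAMPLE_ACL = """\
access-list OUTSIDE_IN remark Web servers
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq ssh log
access-list OUTSIDE_IN extended permit udp any any eq ntp inactive

access-list OUTSIDE_IN extended deny ip any any
"""

# In the ASA extended ACE syntax the optional "log" clause precedes
# "time-range" and "inactive", so "log" must be inserted ahead of them
# rather than appended (assumption based on the documented command syntax).
TRAILING_KEYWORDS = ("time-range", "inactive")


def add_log_keyword(line, log_options=""):
    """Return (new_line, changed) for one line of an ASA ACL export.

    Only extended permit/deny ACEs are touched; remarks, standard ACLs,
    blank lines and entries that already carry "log" come back unchanged.
    log_options is placed after "log", e.g. "interval 600".
    """
    stripped = line.strip()
    tokens = stripped.split()
    # Expect: access-list <name> extended {permit|deny} ...
    if len(tokens) < 4 or tokens[0] != "access-list":
        return stripped, False
    if tokens[2] != "extended" or tokens[3] not in ("permit", "deny"):
        return stripped, False
    if "log" in tokens[4:]:
        return stripped, False
    log_clause = ["log"] + log_options.split()
    for i, tok in enumerate(tokens):
        if tok in TRAILING_KEYWORDS:
            return " ".join(tokens[:i] + log_clause + tokens[i:]), True
    return " ".join(tokens + log_clause), True


def convert_acl(text, log_options=""):
    """Convert a whole export; returns (new_lines, number_of_aces_changed)."""
    new_lines, changed = [], 0
    for line in text.splitlines():
        new_line, did_change = add_log_keyword(line, log_options)
        if not new_line:  # drop blank lines so the result pastes cleanly
            continue
        new_lines.append(new_line)
        changed += did_change
    return new_lines, changed


if __name__ == "__main__":
    # Usage: python add_acl_log.py ASA_ACL.txt ASA_ACL_new.txt [log options...]
    # With no arguments the constructed sample is converted and printed.
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as src:
            lines, count = convert_acl(src.read(), " ".join(sys.argv[3:]))
        with open(sys.argv[2], "w") as dst:
            dst.write("\n".join(lines) + "\n")
    else:
        lines, count = convert_acl(SAMPLE_ACL, "interval 600")
        print("\n".join(lines))
    print(f"{count} ACE(s) updated", file=sys.stderr)
```

The changed-entry count printed at the end is worth comparing against the number of permit/deny lines you expect; a mismatch usually means the export contained a format the parser deliberately left alone (standard or webtype ACLs, or lines with hit counters), which should be reviewed by hand before anything is pushed back to the ASA.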


5 Replies

balaji.bandi (Hall of Fame)

The second option is reasonable. If you can do some automation, that will do the job: do this task offline and publish it online to the device using a script.

BB

***** Rate All Helpful Responses *****


Hi Balaji,

Thank you.

I am very new to automation; could you please suggest any document or example article?

Hi, you might have a problem with CPU if this ACL is matched at a high rate (hence the restriction in ASDM). If you want to match a specific line, create an ACL matching your specific 5-tuples with the log option. This is the safe approach. Your approach seems very risky for an ACL with more than 1000 lines; most likely it will create a performance problem.

***** please remember to rate useful posts

Hi Baqari,

Thank you.

Is your advice to create a new ACL to only match the specific traffic, rather than logging all?

For CPU, we have a 64-core CPU Firepower appliance in place and the current load is about 5% max. Logging all ACLs is a requirement for the firewall rule analysis tool (AlgoSec), so I have to log all ACLs so that unused or less-used ones can be revealed.
