MX L3 rule hit counts

JimBetts

A customer of mine needs to see hit counts on MX rules so that he can eliminate his any-any permit rule after verifying that all legit traffic is covered. We can get a snapshot by looking at the L3 rules with the GUI but we'd like to have several days of data to ensure that we're going to break as few things as possible. getNetworkApplianceFirewallL3FirewallRules tells us what the rules are, but no hit counts. Any suggestions?

ww

I would suggest a syslog server, and analyse that data.

PhilipDAth

Hmmm, when using the dashboard, I believe hits are only recorded while you have the page open. I have no idea what the returned value would mean from the API in this context.


+1 to @ww. You will need to use syslog for this.

GIdenJoe

You'll indeed need to use a syslog server and parse the firewall events in it.
Don't forget to discard the flow_start and flow_end events.
At the end of the firewall events you have a matching statement that should make it obvious which actual rule it is matching. The rule number or name is NOT in the log.

Once you have filtered out the events you want you only need a linecount to get your counters.
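A small counter for the approach described above, added here as an example (it is not code from this thread or from Meraki): it drops flow_start/flow_end lines, keys each remaining event on the match statement at the end of the line, and goes one step further than a plain line count by also recording the destination/port pairs that landed on each statement, so the traffic still hitting the catch-all can be turned into specific rules. The line layout and field names are assumptions, and the sample log lines are constructed.

```python
"""Tally MX firewall syslog events by their trailing match statement."""
import re
from collections import Counter

# Constructed sample lines (assumed layout, not captured from a real appliance):
#   <epoch> <device> flows <key>=<value> ... pattern: <match statement>
# flow_start / flow_end lines are session markers, not rule decisions.
SAMPLE_LOG = """\
1700000000.1 MX-CONSTRUCTED flows src=10.0.1.20 dst=10.0.2.5 protocol=tcp sport=51000 dport=443 pattern: allow all
1700000000.2 MX-CONSTRUCTED flows src=10.0.1.20 dst=203.0.113.9 protocol=udp sport=50000 dport=53 pattern: allow all
1700000000.3 MX-CONSTRUCTED flow_start src=10.0.1.20 dst=10.0.2.5 protocol=tcp sport=51000 dport=443
1700000000.4 MX-CONSTRUCTED flows src=10.0.3.7 dst=10.0.2.5 protocol=tcp sport=40000 dport=22 pattern: deny tcp 10.0.3.0/24 10.0.2.5/32 dport 22
1700000000.5 MX-CONSTRUCTED flow_end src=10.0.1.20 dst=10.0.2.5 protocol=tcp sport=51000 dport=443
1700000000.6 MX-CONSTRUCTED flows src=10.0.1.21 dst=10.0.2.5 protocol=tcp sport=51001 dport=443 pattern: allow all
"""

PATTERN_RE = re.compile(r"\bpattern:\s*(?P<stmt>.+?)\s*$")
SKIP_TOKENS = ("flow_start", "flow_end")


def parse_event(line):
    """Return (match statement, key=value fields) for a rule-decision line, else None."""
    if any(tok in line for tok in SKIP_TOKENS):
        return None
    m = PATTERN_RE.search(line)
    if not m:
        return None
    head = line[: m.start()]  # only parse key=value pairs before the statement
    fields = dict(kv.split("=", 1) for kv in head.split() if "=" in kv)
    return m.group("stmt"), fields


def hit_counts(text):
    """Count events per match statement and collect the (dst, dport) pairs behind each."""
    counts = Counter()
    targets = {}
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        stmt, fields = parsed
        counts[stmt] += 1
        targets.setdefault(stmt, set()).add((fields.get("dst"), fields.get("dport")))
    return counts, targets


if __name__ == "__main__":
    counts, targets = hit_counts(SAMPLE_LOG)
    for stmt, n in counts.most_common():
        print(f"{n:6d}  {stmt}  ->  {sorted(targets[stmt])}")
```

Feed it several days of collected syslog instead of SAMPLE_LOG; the destination/port list under the allow-all statement is what has to be covered by explicit rules before that rule is removed.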

DarrenOC

As previously stated, set up a syslog server to view live traffic. Kiwi Syslog does a free trial license for 30 days.


or, just flick the allow all any any to deny and see what breaks

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
JimBetts

or, just flick the allow all any any to deny and see what breaks

The story of my life. 🙂 I actually did look up this subject before I asked again hoping that they had added it to the API and I just couldn't find it. I'd bet you it is there but is expensive to execute so they just don't document it.
