MX L3 rule hit counts
A customer of mine needs to see hit counts on MX rules so that he can eliminate his any-any permit rule after verifying that all legit traffic is covered. We can get a snapshot by looking at the L3 rules with the GUI but we'd like to have several days of data to ensure that we're going to break as few things as possible. getNetworkApplianceFirewallL3FirewallRules tells us what the rules are, but no hit counts. Any suggestions?
I would suggest a Syslog server. And analyse that data.
Hmmm, when using the dashboard, I believe hits are only recorded while you have the page open. I have no idea what the returned value would mean from the API in this context.
+1 to @ww. You will need to use syslog for this.
You'll need to indeed use a syslog server and parse the firewall events in it.
Don't forget to discard the flow_start and flow_end events.
At the end of the firewall events you have a matching statement that should make it obvious which actual rule it is matching. The rule number or name is NOT in the log.
Once you have filtered out the events you want you only need a linecount to get your counters.
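The filtering and counting described in the reply above, as an added example that is not part of the original post or Meraki's own tooling. The sample lines are constructed, and the log layout (key=value fields followed by a trailing `pattern:` matching statement, with `allow all` standing in for the any-any rule) is an assumption to check against what your appliance actually sends.

```python
import re
from collections import Counter

# Constructed sample lines. The layout (key=value fields, then a trailing
# "pattern: ..." matching statement) is an assumption; verify it against
# your own appliance's syslog output before trusting the counts.
SAMPLE_LOG = """\
1700000000.10 mx1 flows src=10.0.1.10 dst=10.0.9.5 protocol=tcp sport=51000 dport=443 pattern: allow tcp && dst 10.0.9.5 && dport 443
1700000001.20 mx1 ip_flow_start src=10.0.1.10 dst=10.0.9.5 protocol=tcp sport=51000 dport=443
1700000002.30 mx1 flows src=10.0.1.11 dst=10.0.9.5 protocol=tcp sport=51001 dport=443 pattern: allow tcp && dst 10.0.9.5 && dport 443
1700000003.40 mx1 flows src=10.0.1.12 dst=10.0.8.7 protocol=udp sport=40000 dport=514 pattern: allow all
1700000004.50 mx1 ip_flow_end src=10.0.1.10 dst=10.0.9.5 protocol=tcp sport=51000 dport=443
1700000005.60 mx1 flows src=10.0.1.13 dst=10.0.8.7 protocol=udp sport=40001 dport=514 pattern: allow all
1700000006.70 mx1 flows src=10.0.1.14 dst=10.0.8.9 protocol=tcp sport=40002 dport=22 pattern: allow all
1700000007.80 mx1 events some non-firewall message without a matching statement
"""

FLOW_EVENT = re.compile(r"\b(?:ip_)?flow_(?:start|end)\b")  # events to discard
MATCH_STMT = re.compile(r"\bpattern:\s*(.+?)\s*$")           # trailing matching statement
FIELD = re.compile(r"\b(\w+)=(\S+)")                         # key=value fields

def firewall_events(lines):
    """Yield (matching_statement, fields) for firewall events only."""
    for line in lines:
        if FLOW_EVENT.search(line):
            continue  # flow_start / flow_end would inflate the counts
        m = MATCH_STMT.search(line)
        if m:
            # Parse fields only from the part before the matching statement.
            yield m.group(1), dict(FIELD.findall(line[:m.start()]))

def hit_counts(lines):
    """Hits per matching statement (the rule number or name is not logged)."""
    return Counter(stmt for stmt, _ in firewall_events(lines))

def flows_behind(lines, statement):
    """Distinct (dst, protocol, dport) flows that matched `statement`."""
    return Counter((f.get("dst"), f.get("protocol"), f.get("dport"))
                   for stmt, f in firewall_events(lines) if stmt == statement)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for stmt, n in hit_counts(lines).most_common():
        print(f"{n:6d}  {stmt}")
    for flow, n in flows_behind(lines, "allow all").most_common():
        print(f"{n:6d}  only covered by any-any: {flow}")
```

The second report lists the destinations and ports that reached only the catch-all statement, which is the traffic that still needs an explicit rule before the any-any permit is removed.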
As previously stated, set up a syslog server to view live traffic - Kiwi Syslog do a free trial license for 30 days.
or, just flick the allow all any any to deny and see what breaks
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
> or, just flick the allow all any any to deny and see what breaks
The story of my life. 🙂 I actually did look up this subject before I asked again hoping that they had added it to the API and I just couldn't find it. I'd bet you it is there but is expensive to execute so they just don't document it.
