16-33
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Step 6 Click on the Conflict Indicator icon for the selected conflict to open the Conflict Details pane. For more
information on the Conflict Indicator icons, see Understanding the Automatic Conflict Detection User
Interface, page 16-27.
The Conflict Details pane shows details for the selected conflict. The conflicting rules are shown
together in a table for easier direct comparison. The type of conflict is shown above the table. A
suggested action is shown below the table for all conflicts except partially redundant rules and partially
shadowed rules, which must be resolved manually. Links are provided for direct navigation to the rules
involved. Policy objects that are part of the conflicting rules can be expanded by clicking on them to see
the object contents. Click again to collapse the policy object.
Step 7 Use the links provided to navigate to the rules and resolve the conflict as needed or click the link under
Action to have Security Manager perform the suggested action automatically.
Note If you do not want to resolve the conflict at this time, you can enter a note about the conflict by
right-clicking the Conflict Indicator icon to the left of the conflict in the access rule table and
then selecting Add User Note. User notes are included in the Rule Analysis Detail Report, but
are not saved when leaving the access rules page or after editing a rule that has a user note.
Step 8 Use the Conflict navigation bar or the Previous Conflict and Next Conflict buttons at the top of the
Conflict Details pane to access additional conflicts that need to be resolved.
Step 9 If there are any remaining conflicts that you do not want to resolve at this time, you can click Generate
Report to print or save a copy of the remaining conflicts.
Viewing Hit Count Details
Use the Hit Count Details window to view information about the number of times an access rule was applied
to traffic. These rules are the ones that become interface ACLs on the device. The hit count results do
not show counts for any other type of ACL (for example, those used with class maps or AAA rules).
For access rules on ASA 8.3(1) devices and later, the detailed hit count report also shows the last time
the access rule policy was applied to traffic. This information is helpful for determining rules that might
have been superseded by other policy changes.
Use the hit count information to help you debug your access rules. The information can help you identify
rules that are never hit (which might mean you do not need them, or that they are duplicates of rules
higher in the ACL), and rules that are hit often (which means you might want to refine the rules).
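The kind of review described above can be rehearsed offline. The following is an added example, not Cisco's code and not part of this guide: it walks a constructed interface ACL with hit counts and, for every rule with zero hits, reports whether an earlier rule already matches all of its traffic (redundant if the actions agree, shadowed if they differ) or whether the rule is simply never hit. The rule fields and sample data are assumptions for illustration; real ACLs with port ranges and object groups need a richer match model.

```python
"""Added example (not Cisco Security Manager code): classify zero-hit ACL rules."""
from ipaddress import ip_network
from typing import Dict, List, Optional

# A rule is a dict: action, proto ("ip"/"tcp"/"udp"), src, dst (CIDR),
# port ("any" or a single destination port as a string) and hits.
Rule = Dict[str, object]

# Constructed sample ACL, listed in device order (top rule is evaluated first).
SAMPLE_ACL: List[Rule] = [
    {"action": "permit", "proto": "tcp", "src": "10.1.0.0/16", "dst": "192.0.2.0/24", "port": "443", "hits": 1200},
    {"action": "permit", "proto": "tcp", "src": "10.1.2.0/24", "dst": "192.0.2.0/24", "port": "443", "hits": 0},
    {"action": "deny", "proto": "ip", "src": "10.2.0.0/16", "dst": "0.0.0.0/0", "port": "any", "hits": 35},
    {"action": "permit", "proto": "tcp", "src": "10.2.5.0/24", "dst": "198.51.100.10/32", "port": "22", "hits": 0},
    {"action": "permit", "proto": "udp", "src": "10.3.0.0/16", "dst": "198.51.100.53/32", "port": "53", "hits": 0},
]


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matched by `later` is also matched by `earlier`."""
    proto_ok = earlier["proto"] in ("ip", later["proto"])
    port_ok = earlier["port"] in ("any", later["port"])
    src_ok = ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
    dst_ok = ip_network(later["dst"]).subnet_of(ip_network(earlier["dst"]))
    return proto_ok and port_ok and src_ok and dst_ok


def analyze(acl: List[Rule]) -> List[Dict[str, object]]:
    """Return one finding per zero-hit rule: its 1-based position, the kind of
    problem, and the position of the earlier rule that covers it (if any)."""
    findings = []
    for i, rule in enumerate(acl):
        if rule["hits"] != 0:
            continue
        blocker: Optional[int] = next((j for j in range(i) if covers(acl[j], rule)), None)
        if blocker is None:
            kind = "never hit"  # no earlier rule explains the zero; traffic may not exist
        elif acl[blocker]["action"] == rule["action"]:
            kind = "redundant"  # same action already taken higher in the ACL
        else:
            kind = "shadowed"  # opposite action taken higher; this rule can never fire
        findings.append({"rule": i + 1, "kind": kind, "by": None if blocker is None else blocker + 1})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ACL):
        print(f)
```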
Tip You can click the Refresh Hit Count button at the bottom of the page to update hit count information
before viewing the details for a rule. See Hit Count Selection Summary Dialog Box, page 16-18 for more
information.
Consider the following points when analyzing the hit count details:
You get the best results if you deploy policies to the device before viewing hit counts. If you discover a
device and then generate a hit count report before deployment, the results might be incomplete or
hard to interpret. For example, an access rule might not have any hit count information.