16-35
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter16 Managing Firewall Access Rules
Viewing Hit Count Details
Sample Hit Count Details Window
You can generate hit count reports to determine how often each rule in your access rule policy is matched
to traffic. If an access rule is deployed as multiple access control entries (ACEs), for example, when you
use interface roles to define rules and the roles apply to more than one interface, you can see the separate
hit count information for each ACE deployed. The hit count results do not show counts for any other type
of ACL (for example, those used with class maps or AAA rules).
For access rules on ASA 8.3(1) devices and later, the hit count report also shows the last time the access
rule policy was applied to traffic. This information is helpful for determining rules that might have been
superseded by other policy changes.
Use the hit count information to help you debug your access rules. The information can help you identify
rules that are never hit (which might mean you do not need them, or that they are duplicates of rules
higher in the ACL), and rules that are hit often (which means you might want to refine the rules).
The following figures show an example of a hit count report and how to use the information.
Expanded Table This view lists hit count information for the access control list entry
(ACE) for the rule selected in the Access Rules table (on the Access
Rules Page, page 16-9) when you opened this window. The list contains
more than one ACE if the access rule generated more than one ACE
when you deployed the policy to the device.
Most of the columns in this table match those of the Access Rules table;
many contain the specific data configured in the ACE in place of any
network/host, service, or interface role objects contained in the rule,
with the exception of IOS 12.4(20)T+ devices, which show data only at
the object level. Also, the name of the ACL that contains the ACE is
listed.
The Delta column the difference in hit count for the ACE since the last
refresh. The Hit Count column shows the hits for the specific ACE
rather than the overall rule.
See Sample Hit Count Details Window, page 16-35 for an example of
this table.
Tip You can sort on multiple columns at the same time by pressing
and holding the Ctrl key while you click the column headings.
You can sort on all columns except Interface, Direction, and
ACL Nam e.
Raw ACE This view shows the actual CLI for the access control entry, along with
the Hit Count and Last Hit Time. Use this information if you are more
comfortable evaluating device commands.
See Sample Hit Count Details Window, page 16-35 for an example of
this table.
Table16-7 ACE Hit Count Details Window (Continued)
Element Description