Why CLI-Based Firewall Auditing Still Matters

Even in an era of policy management platforms and GUI dashboards, command-line auditing remains an essential skill for network and security engineers. A GUI shows you a rendered view of the policy, not the configuration itself; in incident response or compliance work you need the running configuration and the hit counters straight from the device. This tutorial walks through practical CLI commands for auditing firewall rules on three common enterprise firewall platforms: Cisco ASA, Palo Alto Networks PAN-OS, and Fortinet FortiGate.

Before You Start: Preparation Checklist

  • Use a dedicated read-only account, never a shared production admin account: an auditor should not be able to change what is being audited, and a separate account keeps the audit's own logins distinguishable in the device logs.
  • Have a secure location to store output. Firewall configurations reveal the network layout and contain credential hashes and pre-shared keys, so treat them as sensitive documents.
  • Timestamp your outputs: audit findings need to be tied to a specific point in time, and hit counters only mean something relative to when they were last cleared.
  • Note the software version on each device (show version on ASA, show system info on PAN-OS, get system status on FortiGate); the commands and output formats below vary by release.

Cisco ASA: Key Audit Commands

Cisco ASA uses a relatively straightforward CLI for policy review. Here are the most useful commands for an audit:

Show the full running configuration

show running-config

This dumps the entire configuration. Run terminal pager 0 first so the output is not paginated, then capture it to a file through your terminal session's logging. show running-config access-list and show running-config access-group narrow the dump to the ACLs and their interface bindings, which is where most audit findings come from.

Show a specific access list with hit counts

show access-list <acl-name>

Each ACE (Access Control Entry) ends with its hit count in parentheses, for example (hitcnt=0). Entries with a zero count are candidates for review, but a zero is only meaningful relative to the age of the counters: they reset on reload and whenever clear access-list <acl-name> counters is run, so record the device uptime (show version) alongside the output.
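Parsing this output by hand gets tedious past a few hundred ACEs. The following is an added example (not part of the original tutorial) that extracts each configured ACE from show access-list output, flags zero-hit entries and active permit any/any entries, and handles the indented object-group expansion lines that ASA prints under a group-based ACE. The sample output is constructed for the example and shaped like ASA output; the ACL name, addresses and hashes are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like `show access-list` output: one "line N" entry per
# configured ACE, object-group members expanded on indented lines beneath it,
# the hit count in parentheses and a trailing hash.
SAMPLE_ASA_ACL = """\
access-list OUTSIDE_IN; 5 elements; name hash: 0x1f2e3d4c
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.1.1.10 eq https (hitcnt=15230) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended permit ip any any (hitcnt=0) 0x5e6f7a8b
access-list OUTSIDE_IN line 3 extended permit udp object-group DNS_CLIENTS host 10.1.1.53 eq domain (hitcnt=882) 0x9c0d1e2f
  access-list OUTSIDE_IN line 3 extended permit udp host 10.2.2.2 host 10.1.1.53 eq domain (hitcnt=700) 0x0a1b2c3d
  access-list OUTSIDE_IN line 3 extended permit udp host 10.2.2.3 host 10.1.1.53 eq domain (hitcnt=182) 0x4e5f6a7b
access-list OUTSIDE_IN line 4 extended deny ip any any log (hitcnt=4411) 0x3a4b5c6d
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\)"
)
ANY = {"any", "any4", "any6"}


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    rule: str        # protocol, source, destination, ports, as written
    hits: int
    inactive: bool = False   # ASA appends "(inactive)" after the hit count for inactive ACEs
    expanded: bool = False   # True for an object-group member line, not a configured ACE


def parse_access_list(text, include_expansions=False):
    """Return the ACEs in `show access-list` output, skipping the summary line."""
    aces = []
    for raw in text.splitlines():
        expanded = raw.startswith(" ")   # object-group members are indented under their ACE
        if expanded and not include_expansions:
            continue
        m = ACE_RE.match(raw.lstrip())
        if not m:
            continue   # "; N elements" summary or anything else
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["rest"], int(m["hits"]),
                        inactive="(inactive)" in raw, expanded=expanded))
    return aces


def zero_hit(aces):
    """Cleanup candidates: check counter age before concluding a rule is unused."""
    return [a for a in aces if a.hits == 0]


def permit_any_any(aces):
    """Active permits whose source and destination are both any (the classic critical finding)."""
    hits = []
    for a in aces:
        toks = a.rule.split()
        if a.action == "permit" and not a.inactive and len(toks) >= 3 \
                and toks[1] in ANY and toks[2] in ANY:
            hits.append(a)
    return hits


if __name__ == "__main__":
    aces = parse_access_list(SAMPLE_ASA_ACL)
    for a in zero_hit(aces):
        print(f"zero-hit: {a.acl} line {a.line}: {a.action} {a.rule}")
    for a in permit_any_any(aces):
        print(f"any/any:  {a.acl} line {a.line}: {a.action} {a.rule}")
```

Run it against a saved show access-list capture by replacing SAMPLE_ASA_ACL with the file contents. Pass include_expansions=True when you want to see which members of an object group never matched traffic; by default only the configured ACE lines are returned so that line numbers map directly to the access-list statements in the running configuration.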

Check NAT policies

show running-config nat
show nat detail

show nat detail includes translate_hits and untranslate_hits per rule, so it doubles as a usage check for NAT. Confirm that every static NAT exposing an internal host has a matching access-list entry and a documented owner.

Palo Alto Networks: Key Audit Commands

Palo Alto firewalls use a different paradigm: policies are built from named objects and live either locally on the firewall or in Panorama's pre- and post-rulebases, which are pushed down to device groups. On the firewall CLI (accessible via SSH):

Show the running security policy (no hit counts; those come from the next command)

show running security-policy

Check rule usage statistics

show rule-hit-count vsys vsys-name vsys1 rule-base security rules all

This command returns hit counts for all security rules in the vsys (substitute your own vsys name) and requires PAN-OS 8.1 or later, where policy rule usage is tracked. Rules that show a hit count of 0 and no last-hit timestamp are cleanup candidates, provided the firewall has been in service for the whole observation window. On Panorama the equivalent is show rule-hit-count device-group <name> pre-rulebase security rules all.

Validate object usage

show object address all
show object service all

Cross-reference these against your policy to identify unused objects. An object may be referenced indirectly (through an address group) or by NAT, decryption or authentication rules rather than the security rulebase, so confirm every reference before removing anything, and record what you delete.
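An added example (not from the original tutorial) of that cross-reference done against an exported PAN-OS configuration rather than by eye. The XML below is constructed for the example and modeled on the layout of a PAN-OS configuration export (vsys1 address objects, address groups, security rules); the exact element paths are an assumption, as are all object and rule names. The code follows group membership so that an object used only through a group is not flagged, and it reports groups that no rule references.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on a PAN-OS configuration export (assumed layout).
SAMPLE_PANOS_XML = """\
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
      <entry name="old-jumphost"><ip-netmask>10.9.9.9/32</ip-netmask></entry>
      <entry name="dns-1"><ip-netmask>10.1.1.53/32</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="db-tier"><static><member>db-srv</member></static></entry>
      <entry name="legacy-mgmt"><static><member>old-jumphost</member></static></entry>
    </address-group>
    <rulebase><security><rules>
      <entry name="allow-web">
        <source><member>any</member></source>
        <destination><member>web-srv</member></destination>
        <action>allow</action>
      </entry>
      <entry name="allow-db">
        <source><member>web-srv</member></source>
        <destination><member>db-tier</member></destination>
        <action>allow</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""

VSYS_PATH = "./devices/entry/vsys/entry[@name='vsys1']"   # assumed path for this example


def load_objects(xml_text):
    """Return (address names, {group: members}, names referenced by security rules)."""
    vsys = ET.fromstring(xml_text).find(VSYS_PATH)
    addresses = {e.get("name") for e in vsys.findall("address/entry")}
    groups = {e.get("name"): {m.text for m in e.findall("static/member")}
              for e in vsys.findall("address-group/entry")}
    rule_refs = set()
    for rule in vsys.findall("rulebase/security/rules/entry"):
        for field in ("source", "destination"):
            rule_refs.update(m.text for m in rule.findall(f"{field}/member"))
    return addresses, groups, rule_refs


def unused_objects(xml_text):
    """Address objects and address groups that no security rule reaches, directly or via a group."""
    addresses, groups, rule_refs = load_objects(xml_text)
    reachable, todo = set(), list(rule_refs)
    while todo:                       # expand group references, including nested groups
        ref = todo.pop()
        if ref in reachable:
            continue
        reachable.add(ref)
        todo.extend(groups.get(ref, ()))
    unused_addresses = sorted(addresses - reachable)
    unused_groups = sorted(set(groups) - reachable)
    return unused_addresses, unused_groups


if __name__ == "__main__":
    addrs, grps = unused_objects(SAMPLE_PANOS_XML)
    print("unused address objects:", addrs)
    print("unused address groups: ", grps)
```

Only the security rulebase's source and destination fields are checked here; before deleting anything, extend the reference scan to the NAT rulebase and any other place the object could appear, or the cleanup will fail at commit or, worse, remove something another rule relied on.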

Fortinet FortiGate: Key Audit Commands

Show all firewall policies

get firewall policy

Show policy with packet/byte counts

diagnose firewall iprope show 100004 0

Here 100004 is the IPv4 firewall policy table and the final argument is a policy ID (0 lists every policy). The output shows the compiled policy entries with their packet and byte counters, which is what you want for a usage review.

To see the configured policy itself (without counters):

show firewall policy [policy-id]

show full-configuration firewall policy prints every attribute including defaults, which helps when two policies look identical in the abbreviated output.

Check for unused addresses and services

diagnose sys cmdb info firewall.address
diagnose sys cmdb info firewall.service.custom

To see where a particular object is referenced before deleting it:

diagnose sys checkused firewall.address.name <address-name>

Structuring Your Audit Findings

Raw CLI output isn't an audit report. Once you've collected your data, organize findings into a structured format:

  1. Scope: Which devices and policy sets were reviewed.
  2. Methodology: Which commands were run and when.
  3. Findings by severity: Critical (active permit any/any rules), High (rules with zero hits on counters at least 90 days old), Medium (rules with no description or documented owner), Low (cosmetic or ordering issues).
  4. Recommendations: Specific, actionable items for each finding.
  5. Remediation tracking: A table linking each finding to an owner and a target remediation date.
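The classification and the remediation table are mechanical once the rules are in a common shape, so they are worth scripting. The following is an added example (not part of the original tutorial) that takes vendor-neutral rule records, applies the Critical/High/Medium criteria above, and emits a remediation register with an owner and a target date. The sample rules, the device names, the owner mapping and the per-severity SLAs (7/30/90 days) are all assumptions made for the example; Low findings (ordering and shadowing) need a separate rule-overlap analysis and are not produced here.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Rule:
    device: str
    name: str
    action: str             # "permit" or "deny"
    src: str
    dst: str
    hits: int
    counter_age_days: int   # days since the counters were last cleared (or the rule created)
    description: str = ""
    disabled: bool = False


# Assumed remediation SLAs per severity; adjust to your policy.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}
ORDER = {"Critical": 0, "High": 1, "Medium": 2}

# Constructed sample records, as if normalized from three devices' CLI output.
SAMPLE_RULES = [
    Rule("asa-edge-1", "OUTSIDE_IN line 2", "permit", "any", "any", hits=0, counter_age_days=120),
    Rule("pa-dc-1", "allow-web", "permit", "any", "web-srv", hits=15230, counter_age_days=120,
         description="Public web tier, CHG-1234"),
    Rule("fg-branch-1", "policy 7", "permit", "lan", "any", hits=0, counter_age_days=30),
    Rule("pa-dc-1", "legacy-vpn", "permit", "vpn-pool", "any", hits=0, counter_age_days=200,
         description="Legacy VPN, pending removal", disabled=True),
]


def classify(rule, zero_hit_days=90):
    """Return (severity, finding) pairs for one rule; a rule can raise several."""
    findings = []
    if rule.disabled:
        return findings   # carries no traffic; track its removal separately
    if rule.action == "permit" and rule.src == "any" and rule.dst == "any":
        findings.append(("Critical", "active permit any/any"))
    if rule.hits == 0 and rule.counter_age_days >= zero_hit_days:
        findings.append(("High", f"zero hits over {rule.counter_age_days} days"))
    if not rule.description.strip():
        findings.append(("Medium", "no description or documented owner"))
    return findings


def build_register(rules, audit_date, owner_by_device):
    """Findings sorted by severity, each with an owner and an SLA-derived target date."""
    rows = []
    for r in rules:
        for sev, issue in classify(r):
            rows.append({
                "device": r.device, "rule": r.name, "severity": sev, "finding": issue,
                "owner": owner_by_device.get(r.device, "unassigned"),
                "target_date": (audit_date + timedelta(days=SLA_DAYS[sev])).isoformat(),
            })
    rows.sort(key=lambda row: (ORDER[row["severity"]], row["device"], row["rule"]))
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["device", "rule", "severity", "finding",
                                             "owner", "target_date"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    register = build_register(SAMPLE_RULES, date.today(), {"asa-edge-1": "netops"})
    print(to_csv(register))
```

A zero-hit rule whose counters are younger than the 90-day window is deliberately not raised as High: the data cannot support the claim yet, and reporting it anyway is how audits lose credibility with the teams that have to act on them.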

Automating Recurring Audits

Running these commands manually is fine for a one-time audit. For ongoing compliance, script the collection using Python with Netmiko or the vendor's API (Palo Alto's PAN-OS XML API, Fortinet's FortiOS REST API, Cisco's RESTCONF/NETCONF interfaces). Scheduled collection and comparison against a known-good baseline can alert you to unauthorized changes in near real time, provided you strip the lines that change on every save (timestamps, checksums, serial numbers) before comparing; otherwise every collection run looks like a change.
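An added example (not from the original tutorial) of that baseline comparison: it normalizes an ASA-style running configuration by dropping the volatile header and checksum lines, fingerprints the result, and reports only the policy lines that were added or removed. The sample configurations are constructed for the example (hostname, addresses and checksums are invented), the list of volatile line patterns is ASA-oriented and an assumption to extend per vendor, and the optional collect_live helper uses Netmiko's real ConnectHandler and send_command but is not exercised by the offline demo.

```python
import difflib
import hashlib
import re

# ASA-style lines that change on every save but carry no policy meaning (assumed list;
# PAN-OS and FortiOS exports have their own volatile headers to add here).
VOLATILE = re.compile(r"^(?::$|: (?:Saved|Written by|Serial Number|Hardware)|Cryptochecksum:)")

# Constructed known-good baseline.
BASELINE = """\
: Saved
: Written by admin at 09:00:00.000 UTC Mon Jun 3 2024
:
ASA Version 9.16(4)
hostname asa-edge-1
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
Cryptochecksum:0a1b2c3d4e5f60718293a4b5c6d7e8f9
"""

# Same policy re-saved later: only the header timestamp and checksum differ.
RESAVED = BASELINE.replace("09:00:00", "17:45:12").replace("0a1b2c3d", "ffffffff")

# Someone inserted a permit any/any above the final deny.
DRIFTED = RESAVED.replace(
    "access-list OUTSIDE_IN extended deny ip any any log",
    "access-list OUTSIDE_IN extended permit ip any any\n"
    "access-list OUTSIDE_IN extended deny ip any any log",
)


def normalize(config_text):
    """Keep only policy-relevant lines: drop blanks, trailing whitespace and volatile headers."""
    lines = []
    for line in config_text.splitlines():
        line = line.rstrip()
        if not line or VOLATILE.match(line):
            continue
        lines.append(line)
    return lines


def fingerprint(config_text):
    """Stable hash of the normalized config; store it alongside the known-good baseline."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()


def config_drift(baseline_text, current_text):
    """Return only the added (+) and removed (-) policy lines relative to the baseline."""
    diff = difflib.unified_diff(normalize(baseline_text), normalize(current_text),
                                fromfile="baseline", tofile="current", lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def collect_live(device, command="show running-config"):
    """Optional live collection with Netmiko; `device` is the usual ConnectHandler kwargs dict."""
    from netmiko import ConnectHandler   # imported lazily so the offline functions need no dependency
    with ConnectHandler(**device) as conn:
        if device.get("device_type") == "cisco_asa":
            conn.enable()   # ASA shows the full running config only in privileged mode
        return conn.send_command(command)


if __name__ == "__main__":
    print("resaved drift:", config_drift(BASELINE, RESAVED))
    print("real drift:   ", config_drift(BASELINE, DRIFTED))
```

In a scheduled job, compare fingerprint(current) with the stored baseline fingerprint first and only compute the diff when they differ; a fingerprint mismatch with an empty drift list means the volatile-line patterns need updating for that device, not that the policy changed.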