Skip to main content



Cisco Defense Orchestrator

Hit Rates

CDO enables you to evaluate the outcome of policy rules, on top of secure and scalable orchestration of policies, providing a simple visualization for more accurate policy analysis and an immediate, actionable pivot to root cause, all in a single pane from the cloud. The Hit Rates feature enables you to:

  • Eliminate obsolete and never-matched policy rules, increasing security posture.
  • Optimize firewall performance by instantly identifying bottlenecks as well as ensuring correct and efficient prioritization is enforced (for example, most triggered policy rule is prioritized higher).
  • Maintain a history of Hit Rates information, even upon device or policy rule reset, for a configured data retention period (1 year).
  • Strengthen validation of suspected shadow and unused rules based on actionable information. Removing doubt about update or delete.
  • Visualize policy rule usage in the context of the entire policy, leveraging predefined time intervals (day, week, month, year) and scale of actual hits (zero, >100, >100k, etc.) to evaluate impact on packets traversing the network.

View Hit Rates of ASA Policies

  1. Select Policies > ASA Access Policies from the CDO menu bar.
  2. Click the filter icon and pin it open. 
  3. In the Hits area, click the various hit count filters to display which policies are being hit more or less often than others. 
  • Was this article helpful?