How do you guys document your large ASA configs?

The question says it all. How do you guys manage config remarks? One of the biggest issues with firewall configuration management is understanding what rules do and why they do them. I’ve always used the remark option on ACLs but that generally requires countless hours of command entry if the firewall is established with no remarks/comments on the rules. I’m currently evaluating several firewall management solutions to accomplish better change management and rule optimization. Another goal is to well document the use of and reason for each rule. Unfortunately it seems like most everything I’m looking at has rule documentation but they’re only imported from the existing config. Does anyone know of software like FireMon or AlgoSec which allows you to comment in the software and not directly in the firewall configs?

Find more posts tagged with

Comments

Ahriakin

Remarks always fall out of sync over time. We prefer use object-groups as much as possible, a descriptive name but more importantly you can actually enter a distinct description in the group. Keeps the config a little neater too (our primary data firewall has about 50k+lines of config so yeah thats important

Paul Boz

It looks like FireMon allows you to make descriptions as well, sweet.

shednik

We evaluated firemon and tufin for rule optimization on our checkpoint infrastructure. I liked them both but couldn't get the funding for what we needed. On my ASAs we use object groups, remarks, and usually view the rules from ASDM. We mainly only use the ASAs for VPN rules so it's not too terrible to do it this way.

Paul Boz

Rule optimization is definitely a plus but I primarily want FireMon for its change management and real-time change alerting capabilities. Thanks for the info

chrisone

shednik wrote: »

We evaluated firemon and tufin for rule optimization on our checkpoint infrastructure. I liked them both but couldn't get the funding for what we needed. On my ASAs we use object groups, remarks, and usually view the rules from ASDM. We mainly only use the ASAs for VPN rules so it's not too terrible to do it this way.

I agree with you, our firewall configs are also pretty long with object groups, service groups, and names. The ASDM is a great tool to manage the firewall, label things, and do on the fly ACL modifications. I use it for VPNS too but i end up going to the CLI all the time for fine tuning and troubleshooting. With the huge firewall configs and ACLS, making changes with CLI all the time would be a pain. I enjoy popping open the ASDM, clicking to an ACL, modifying an entry and be done with it. Does that make me lees of an engineer? i dont think so , and if anyone wants to look down at another engineer for using the ASDM you need to grow up. Cisco created the ASDM for a reason.

Ahriakin

chrisone wrote: »

Cisco created the ASDM for a reason.

Correct ... n00bs need firewall-luvin too

Kidding, whatever works, but the CLI is a much more flexible tool even for monitoring large configs. Personally I went CLI, ASDM and back to CLI as I progressed with ASA experience, I haven't touched it in years as just about everything I need to do can be done faster and more surgically from the CLI, it's not an ego thing it just works better for me.

Paul Boz

no need to get riled up about SDM, lol. It's certainly convenient. I use it to manage my home devices.

burbankmarc

ASDM is much better than the SDM on routers.

I use the ASDM for monitoring mostly. It's easier to look at all the users connected through VPN than the CLI. I also use it to edit ACLs, which is easier than through the CLI.

On my routers I removed all the SDM stuff because it was useless for me.

To each his own, though. The guy who worked here before me strictly used ASDM and SDM. I don't like the way it generated all the configs for certain things, but whatever, it's an easy fix.

johnwest43

i use remarks. although to be fair i only have 2 access lists (not including vpnrelated stuff) that combined have less then 15 lines.
I also mainly use the cli however for vpn setup i prefer asdm.

shednik

burbankmarc wrote: »

I don't like the way it generated all the configs for certain things, but whatever, it's an easy fix.

I've learned it's sometimes best to build the ACLs in ASDM and then paste it into the command line. I usually rename the object group names because they are just ridiculous, makes it a lot easier to read later on.