How do you guys document your large ASA configs?
Paul Boz
Member Posts: 2,620 ■■■■■■■■□□
The question says it all. How do you guys manage config remarks? One of the biggest issues with firewall configuration management is understanding what rules do and why they do them. I’ve always used the remark option on ACLs but that generally requires countless hours of command entry if the firewall is established with no remarks/comments on the rules. I’m currently evaluating several firewall management solutions to accomplish better change management and rule optimization. Another goal is to well document the use of and reason for each rule. Unfortunately it seems like most everything I’m looking at has rule documentation but they’re only imported from the existing config. Does anyone know of software like FireMon or AlgoSec which allows you to comment in the software and not directly in the firewall configs?
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
Comments
-
Ahriakin Member Posts: 1,799 ■■■■■■■■□□
Remarks always fall out of sync over time. We prefer to use object-groups as much as possible: a descriptive name, but more importantly you can actually enter a distinct description in the group. Keeps the config a little neater too (our primary data firewall has about 50k+ lines of config, so yeah, that's important).
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
Paul Boz Member Posts: 2,620 ■■■■■■■■□□
It looks like FireMon allows you to make descriptions as well, sweet.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
-
shednik Member Posts: 2,005
We evaluated firemon and tufin for rule optimization on our checkpoint infrastructure. I liked them both but couldn't get the funding for what we needed. On my ASAs we use object groups, remarks, and usually view the rules from ASDM. We mainly only use the ASAs for VPN rules so it's not too terrible to do it this way.
-
Paul Boz Member Posts: 2,620 ■■■■■■■■□□
Rule optimization is definitely a plus but I primarily want FireMon for its change management and real-time change alerting capabilities. Thanks for the info.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
-
chrisone Member Posts: 2,278 ■■■■■■■■■□
shednik wrote: »We evaluated firemon and tufin for rule optimization on our checkpoint infrastructure. I liked them both but couldn't get the funding for what we needed. On my ASAs we use object groups, remarks, and usually view the rules from ASDM. We mainly only use the ASAs for VPN rules so it's not too terrible to do it this way.
I agree with you, our firewall configs are also pretty long with object groups, service groups, and names. The ASDM is a great tool to manage the firewall, label things, and do on-the-fly ACL modifications. I use it for VPNs too, but I end up going to the CLI all the time for fine tuning and troubleshooting. With the huge firewall configs and ACLs, making changes with the CLI all the time would be a pain. I enjoy popping open the ASDM, clicking to an ACL, modifying an entry and being done with it. Does that make me less of an engineer? I don't think so, and if anyone wants to look down at another engineer for using the ASDM, you need to grow up. Cisco created the ASDM for a reason.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
-
Ahriakin Member Posts: 1,799 ■■■■■■■■□□
chrisone wrote: »Cisco created the ASDM for a reason.
Correct ... n00bs need firewall-luvin too
Kidding, whatever works, but the CLI is a much more flexible tool even for monitoring large configs. Personally I went CLI, ASDM and back to CLI as I progressed with ASA experience. I haven't touched it in years, as just about everything I need to do can be done faster and more surgically from the CLI; it's not an ego thing, it just works better for me.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
Paul Boz Member Posts: 2,620 ■■■■■■■■□□
No need to get riled up about SDM, lol. It's certainly convenient. I use it to manage my home devices.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
-
burbankmarc Member Posts: 460
ASDM is much better than the SDM on routers.
I use the ASDM for monitoring mostly. It's easier to look at all the users connected through VPN than the CLI. I also use it to edit ACLs, which is easier than through the CLI.
On my routers I removed all the SDM stuff because it was useless for me.
To each his own, though. The guy who worked here before me strictly used ASDM and SDM. I don't like the way it generated all the configs for certain things, but whatever, it's an easy fix.
-
johnwest43 Member Posts: 294
I use remarks, although to be fair I only have 2 access lists (not including VPN-related stuff) that combined have less than 15 lines.
I also mainly use the CLI, however for VPN setup I prefer ASDM.
CCNP: ROUTE [x], SWITCH [x], TSHOOT [X] Completed on 2/18/2014
-
shednik Member Posts: 2,005
burbankmarc wrote: »I don't like the way it generated all the configs for certain things, but whatever, it's an easy fix.
I've learned it's sometimes best to build the ACLs in ASDM and then paste it into the command line. I usually rename the object group names because they are just ridiculous, makes it a lot easier to read later on.