topic Re: FMC Rule Organization in Network Security

FMC Rule Organization

dominic.collins — Mon, 01 Nov 2021 05:00:59 GMT

I am trying to organize our FMC firewall rules and need a logical way to group them together. I have explored the usage of Categories but it seems I would be creating over 100 "Groups" to clean up the layout of the rules. Is there another option that would make grouping these easier like nested groups or Tags. What are solutions you guys have implemented?

Thanks in Advance

Re: FMC Rule Organization

Mohammed al Baqari — Mon, 01 Nov 2021 07:36:38 GMT

It really depends on your environment. For example, you can use per VLAN
category of this is for single site. Otherwise, per port category for
common ports and one group to catch uncommon ports. For multiple sites or
multiple units you can use child acp as well.

**** please remember to rate useful posts

Re: FMC Rule Organization

dcrichter — Wed, 03 Nov 2021 16:12:52 GMT

We too are struggling with this... and trying to have plan as we look to migrate 600+ rules from ASA. Is there any issues performance or usability in using the child acp's as a means to grouping rules by some logical segmentation? IE...below. With the last ACP in the nest applied to the Device..

- BaseACP

- ChildACP-Campus

- ChildACP-Server

- ChildACP-DMZ

- ChildACP-External_Ingress

Otherwise right now our thought is a BaseACP with a single Child.

- BaseACP - Global Mandatory Rules, SI(IP), Geo Filters in Default Section.

- Child ACP - Contains the Below.

- Mandatory Categories - Applications and Systems that need to override the Default Policies in the Base ACP - Categories are Very Specific.

- Default Categories - Organize by:

1. Application (mail, DNS, AV)

2. System (mainly complex systems to keep rules together and or by heavily used systems IE DomainConrollers.

3. Network Segment (1.Campus, 2.Server, 3.DMZ, 4.External-Ingress) This would cover broader/generic access requirements for each segment.

4. Default Block at the end.