topic Prashant,. in Network Security

Global Vs Interface Policies

prashant dwivedi — Tue, 12 Mar 2019 07:33:21 GMT

Hello Team,

As now Cisco ASA supports Global ACL wouldn't be this advisable to use it rather than using Interface based ACL ?

Can someone please advise me positive and negative parts of it?

I think once we use global ACL this is more like a Checkpoint firewall and make our configuration and management easy.

I have got firewall running in multiple context ( just have one context) , this is in Transparent mode, I am still in the process of configuring it, hence need your inputs to finalize the policies.

Thanks,

Prashant

Prashant,Global access rules

Dinesh Moudgil — Wed, 30 Mar 2016 04:25:30 GMT

Prashant,

Global access rules allow you to apply a global rule to ingress traffic without the need to specify an interface to which the rule must be applied. Using global access rules provides the following benefits:

•When migrating to the adaptive security appliance from a competitor appliance, you can maintain a global access rule policy instead of needing to apply an interface-specific policy on each interface.

•Global access control policies are not replicated on each interface, so they save memory space.

•Global access rules provides flexibility in defining a security policy. You do not need to specify which interface a packet comes in on, as long as it matches the source and destination IP addresses.

•Global access rules use the same mtrie and stride tree as interface-specific access rules, so scalability and performance for global rules are the same as for interface-specific rules.

You can configure global access rules in conjunction with interface access rules, in which case, the specific interface access rules are always processed before the general global access rules.

Ref :
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/access_rules.html#wp1083595

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi Dinesh,

prashant dwivedi — Wed, 30 Mar 2016 05:20:53 GMT

Hi Dinesh,

Thanks!

However, am aware about these benefits, I wanted to know since global ACL is far better than the interface one then why and on what cases one should be using interface ACLs ?

I am sure there should be some use of them else Cisco would have stopped supporting Interface based policies - just a thought.

Primarily customers use

Dinesh Moudgil — Wed, 30 Mar 2016 05:32:35 GMT

Primarily customers use interface access-lists to restrict traffic specific to those interfaces and apply global access-lists to cover the common restrictions which can be applied irrespective of interfaces.

In essence, use interface access-list in those cases where the traffic is to be permitted and denied and is part of only that interface.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Thanks Dinesh! So can we say

prashant dwivedi — Wed, 30 Mar 2016 05:44:55 GMT

Thanks Dinesh! So can we say that by using global ACl we can achieve everything that we are gaining from the interface based, rather Global acls are also useful from system resource perspective as they are using less system memory.

In Summary- can we conclude that just global based policies are enough in the production network ?

Prashant,.

Dinesh Moudgil — Wed, 30 Mar 2016 05:53:36 GMT

Prashant,.

In Summary- can we conclude that just global based policies are enough in the production network ?

No, global policies are not enough as it ideally does not cover all the restrictions that you will need to have on the ASAs.

In real work scenarios, you will have different traffic restrictions based on interfaces.
So , to sum up, customers use the combination of global ACLs and interface ACLs and never rely on global ACLs alone.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Thanks Again!

prashant dwivedi — Wed, 30 Mar 2016 05:57:41 GMT

Thanks Again!

However, I am not fully convinced with it, just to give an example here, Checkpoint doesn't has any concept of interface based ACL still that has been the reliable firewall.

My thought- Cisco Introduced Global ACL just to make management/configuration easier and might they get rid off interface based ACLs soon.

There is an architectural

Dinesh Moudgil — Wed, 30 Mar 2016 06:04:21 GMT

There is an architectural difference between how Checkpoint and Cisco's firewall works. Some feature which is stable and working on one might not be the optimum solution on the other.

As far as Cisco deprecating the interface ACLs, I don't think it is going to happen any soon.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Thanks!

prashant dwivedi — Wed, 30 Mar 2016 06:14:21 GMT

Thanks!

Prashant,

Dinesh Moudgil — Wed, 30 Mar 2016 10:22:55 GMT

Prashant,

If your queries have been answered, please mark the thread as answered to benefit other community members.

Regards,
Dinesh Moudgil

Re: Prashant,

Florin Barhala — Mon, 14 Oct 2019 18:28:10 GMT

Hello,

I have some additional questions about this:
- I ran a packet tracer and I could spot the ACL applied on the interface but I see no mention of the global ACL?
can you detail where is this being checked?
- let's say we have a classic ASA deployment with several interfaces acting as LAN and one WAN ; all interfaces (7xLAN + WAN) have inbound (IN direction) ACLs applied on with a deny any any statement at the end of each ACL
Now I receive today an emergency change order on which I need to apply on all LAN interfaces severall outbound allow policies. Can I use this global ACL? Bear in mind each interface ACL ends with a deny. What's the fastest way for me to do this?

Thanks,
Florin.

Re: Prashant,

axlh — Thu, 07 Nov 2019 15:53:44 GMT

Hi Florin,

as the global rules are parsed after the interface-specific ones, AND it only permits inbound rules, you need to implement it into the interface-specific ACLs. I think your emergency change is over and you have implemented it that way.

Axel