topic Beats me, alas. If I had to in Network Security

ASA object question

bstern000 — Tue, 12 Mar 2019 06:14:25 GMT

I apologize if this has already been answered somewhere, but I can not find a response to this question:

Assume an ASA firewall has a rule R: permit 1.1.1.1 to 2.2.2.2 with service A

And I have created a service-group G which includes services A and B

If I removed R and replaced it with a new rule: permit 1.1.1.1 2.2.2.2 with service-group G, then pushed the config

would connections from 1.1.1.1 to 2.2.2.2 using service A be interrupted, or would the firewall maintain current service A connections without interruption?

Thanks,

Ben

"If I removed R and replaced

rizwanr74 — Wed, 08 Jul 2015 17:46:12 GMT

"If I removed R and replaced it with a new rule: permit 1.1.1.1 2.2.2.2 with service-group G, then pushed the config would connections from 1.1.1.1 to 2.2.2.2 using service A be interrupted, or would the firewall maintain current service A connections without interruption?"

If you add the new rule, before deleting the old one, then there is no interruption to traffic.

If you remove the rule "R" and and then you add new rule after that includes the same permit line as in in rule "R", then there is an interruption for the durtion of removing and adding the new rule.

Hope that answers your question.

thanks

So what about the following

bstern000 — Wed, 08 Jul 2015 18:25:15 GMT

So what about the following more specific example:

If the firewall currently has an ACE of

access-list interface1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 22

as its first entry and we run the following commands

object-group service "G"
service-object tcp eq 22
service-object tcp eq 25
exit
no access-list interface1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 22
access-list interface1 line 1 extended permit object-group "G" host 1.1.1.1 host 2.2.2.2
end
wr mem

Connections will not be interrupted because they are applied at the same time? Or does the order need to be command 6 before 5?

It will be interrupted if you

rizwanr74 — Wed, 08 Jul 2015 19:17:03 GMT

It will be interrupted if you do it as per line 5 and 6, it is best you add the new line first and remove the old after.

thanks

Thank you

bstern000 — Wed, 08 Jul 2015 19:18:32 GMT

Thank you

To be more specific, existing

James Leinweber — Wed, 08 Jul 2015 20:16:04 GMT

To be more specific, existing connections with xlate entries should continue. The brief interruption would be for new connections; if the old rule is deleted before the new rule is added and you don't have asp rule-engine transactional-commit access-group turned on or you don't submit the commands all at once.

-- Jim Leinweber, WI State Lab of Hygiene

Thank you for the information

bstern000 — Wed, 08 Jul 2015 20:37:31 GMT

Thank you for the information, what qualifies as "all at once"? Would executing these commands as a script provide no human-noticeable interruption of service?

Beats me, alas. If I had to

James Leinweber — Thu, 09 Jul 2015 18:59:06 GMT

Beats me, alas. If I had to guess, each individual line of config change probably ends up as its own separate transaction. I work with fairly small (low thousands of lines), fairly stable (low changes per week) configurations and scheduled maintenance windows where it isn't an issue for me, luckily.

If you absolutely need no interruption I'd go with both rizwanr74's good advice to add the new permit before deleting the old one, plus (if applicable to your firmware version) the asp rule-engine thing.

-- Jim Leinweber, WI State