08-03-2020 08:42 AM
Hi All,
I was wondering whether anyone has bulk deployed rules on an ASA using any scripts. I am generating 10000 plus to secure each communication flow in my environment. Is there anything I need to watch out for? I know one ACE is about 212 B of memory, so I should be OK. Any advice on how to manage such a large number of rules?
08-03-2020 12:36 PM
Is this a new deployment or adding 10000+ rules to an existing ASA?
What type of script will you be running to deploy these rules?
08-03-2020 06:13 PM
08-04-2020 06:26 AM
Instead of doing a copy paste, I would suggest moving the access rules into a .cfg file, copying that file to the ASA and then copying the contents of the file to the running-config (e.g. copy disk0:access-rules.cfg running-config). This is a better way than just doing a plain copy paste. Then verify the rules are added as expected before saving the configuration. If the ASA is in an HA deployment, then I would suggest taking the standby ASA offline during the deployment and adding it back after everything is verified. The reason for this is that if you, for whatever reason, need to do a rollback, you can just reload the primary ASA and the startup config will be loaded; if you have the standby ASA connected, then the new configuration will be replicated to the standby and performing a cleanup will become more of a hassle.
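One way to produce the .cfg file this reply describes, as an added example rather than the poster's own script: it turns a constructed flow list into ASA extended ACEs, drops duplicates, and writes them under a remark so the batch is easy to find in show access-list when verifying before a write memory. It assumes flows are given as (src, dst, proto, port) with host or CIDR addresses; the file name access-rules.cfg and the 212 B per-ACE figure are taken from this thread.

```python
"""Generate ASA extended ACEs from a flow list, ready to copy to running-config.

Constructed example, not from the original thread. Assumes each flow is
(src, dst, proto, port) with src/dst as a host address or CIDR prefix.
"""
import ipaddress

ACE_BYTES = 212  # per-ACE memory estimate quoted in the thread

# Constructed sample flows: (source, destination, protocol, destination port)
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.20.0.10", "tcp", 443),
    ("10.10.1.0/24", "10.20.0.11", "tcp", 1433),
    ("10.10.1.5", "10.20.0.10", "tcp", 443),      # exact duplicate, must be dropped
    ("10.10.2.0/24", "10.20.0.0/24", "icmp", None),
]


def asa_addr(text):
    """Render an address in ASA ACL form: 'host A' or 'NETWORK NETMASK'."""
    net = ipaddress.ip_network(text, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def build_aces(flows, acl_name):
    """Return deduplicated ACE lines for the flows, preserving input order."""
    seen, lines = set(), []
    for src, dst, proto, port in flows:
        ace = f"access-list {acl_name} extended permit {proto} {asa_addr(src)} {asa_addr(dst)}"
        if port is not None:
            if proto not in ("tcp", "udp"):
                raise ValueError(f"port given for non-tcp/udp flow: {src} -> {dst}")
            ace += f" eq {port}"
        if ace not in seen:          # duplicates only waste ACE memory
            seen.add(ace)
            lines.append(ace)
    return lines


def write_cfg(lines, path, acl_name):
    """Write the ACEs behind a remark naming the batch; return rough memory footprint."""
    with open(path, "w") as fh:
        fh.write(f"access-list {acl_name} remark bulk batch: {len(lines)} ACEs\n")
        fh.write("\n".join(lines) + "\n")
    return len(lines) * ACE_BYTES


if __name__ == "__main__":
    aces = build_aces(SAMPLE_FLOWS, "INSIDE_IN")
    print(f"{len(aces)} ACEs, about {write_cfg(aces, 'access-rules.cfg', 'INSIDE_IN')} B")
```

After the copy to running-config, the ACE count in show access-list for the ACL should match the number written in the remark before the configuration is saved.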
08-04-2020 07:05 AM
08-04-2020 07:19 AM
When copying the configuration from the file to running-config, you will only be copying it to the NVRAM which is wiped upon reload. If you copy it to startup-config that is another story, then you will be stuck with it upon reload.
I have not seen a firewall with that many access rules. The max number of rules I have seen at my clients is around 600.