10000+ rules on a Cisco ASA 5545-X

asidd
Level 1

Hi All,

Was wondering if anyone has bulk deployed rules on an ASA using any scripts. I am generating 10000 plus to secure each communication flow in my environment. Is there anything I need to watch out for? I know one ACE is about 212 B of memory so I should be ok. Any advice on how to manage such a large number of rules?

5 Replies

Is this a new deployment or adding 10000+ rules to an existing ASA?

What type of script will you be running to deploy these rules?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,
Existing ASA.
Script is just on the logs we collect in excel. Nothing directly on the firewall as it is too risky. But once we have a desired outcome on excel it is going to be copy pasted into the firewall.

Instead of doing a copy paste, I would suggest moving the access rules into a .cfg file, copying that file to the ASA and then copying the contents of the file to the running-config (f.ex. copy disk0:access-rules.cfg running-config). This is a better way than just doing a plain copy paste. Then verify the rules are added as expected before saving the configuration. If the ASA is in an HA deployment then I would suggest taking the standby ASA offline during the deployment and then adding it back after everything is verified. The reason for this is if you for whatever reason need to do a rollback you can just reload the primary ASA and the startup config will be loaded; if you have the standby ASA connected then the new configuration will be replicated to the standby and performing a cleanup will become more of a hassle.

--
Please remember to select a correct answer and rate helpful posts
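The workflow above (generate the ACEs offline, write them to a .cfg file, review before copying it in) lends itself to a small generator. The following is an added example, not code from the thread or from Cisco; it assumes the flow export has columns `src`, `dst`, `proto`, `port`, de-duplicates identical flows so no ACE is wasted, validates addresses before anything reaches the firewall, and estimates memory using the 212 B per ACE figure quoted in the question.

```python
import csv
import io
import ipaddress
from collections import OrderedDict

# Constructed sample of observed flows, standing in for the Excel export
# described in the thread. The column names are an assumption.
SAMPLE_FLOWS = """src,dst,proto,port
10.1.1.10,10.2.2.20,tcp,443
10.1.1.10,10.2.2.20,tcp,443
10.1.1.11,10.2.2.21,udp,53
10.1.1.12,10.2.2.22,icmp,
"""

ACE_BYTES = 212  # per-ACE memory cost quoted in the original question


def build_aces(csv_text, acl_name="inside_access_in"):
    """Turn flow records into de-duplicated ASA extended ACE lines.

    Raises ValueError on a malformed address or port so a bad row is
    caught at generation time rather than as a CLI parse error on the ASA.
    """
    aces = OrderedDict()  # key-only dict: keeps first-seen order, drops duplicates
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src"].strip())
        dst = ipaddress.ip_address(row["dst"].strip())
        proto = row["proto"].strip().lower()
        line = (f"access-list {acl_name} extended permit {proto} "
                f"host {src} host {dst}")
        if proto in ("tcp", "udp"):
            port = int(row["port"])
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port {port} for {src}->{dst}")
            line += f" eq {port}"
        aces[line] = None
    return list(aces)


def estimated_memory(aces):
    """Rough memory footprint of the rule set, in bytes."""
    return len(aces) * ACE_BYTES


def write_cfg(aces, path):
    """Write the ACE lines to a file for 'copy disk0:<file> running-config'."""
    with open(path, "w") as fh:
        fh.write("\n".join(aces) + "\n")


if __name__ == "__main__":
    rules = build_aces(SAMPLE_FLOWS)
    print(f"{len(rules)} ACEs, ~{estimated_memory(rules)} bytes")
    write_cfg(rules, "access-rules.cfg")
```

Reviewing the generated file (counts, duplicates, unexpected addresses) before it is copied to the ASA is the check that replaces eyeballing a paste buffer.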

Thanks Marius. The firewall is in HA.
For roll-back, if I have saved the config in the previous step won't it roll back to the startup config, in which case the "rules" are still there?
Also in your experience or a general question for this community have we seen firewalls with that many rules? If yes any tips on management of those rules and policies.

When copying the configuration from the file to running-config, you will only be copying it to the NVRAM which is wiped upon reload.  If you copy it to startup-config that is another story, then you will be stuck with it upon reload.

I have not seen a firewall with that many access rules.  The max number of rules I have seen at my clients is around 600.

--
Please remember to select a correct answer and rate helpful posts