ASA firewall rule order

irbk, Level 1

Cisco ASA 5525-x running ASA 9.14(3)

I'm coming into a ruleset that I did not create. I want to optimize the rules so I can squeeze every last ounce of OOMPH out of this guy. Traditionally I've always tried to put the most used rules at the top of the ruleset and, once the top-hit rules were done, go from more specific to least specific. Theory being that if you've got a few rules that a majority of your traffic is going to hit (assuming you're also not blocking said traffic somewhere else), you want them at the top so that the firewall doesn't have to parse through XX other rules first, thereby making your firewall more efficient.
However, today I've found this webpage https://www.tufin.com/blog/tufin-firewall-expert-tip-3-best-practices-for-optimizing-firewall-performance which states "Place the heavily used firewall policy rules near the top of the rule base. Note that some firewalls (such as Cisco Pix, ASA version 7.0 and above, FWSM 4.0 and certain Juniper Networks models) don't depend on rule order for performance since they use optimized algorithms to match packets."
This is the first I'm hearing of this.  Is this true?  Will reordering my rules not have any effect on performance?  

Accepted Solution

Cisco ASA firewalls indeed employ a process known as "fast path" or "accelerated security path" for packet processing. Here 

The fast path functionality allows the firewall to efficiently handle packets by leveraging a specialized hardware component called the Security Services Processor (SSP). This component takes charge of tasks such as packet classification, stateful inspection, and other security features, effectively offloading these responsibilities from the main CPU. Notably, the fast path operates independently of the rule order and does not require sequential rule evaluation for each packet.

Consequently, the impact of rule ordering on firewall performance is significantly reduced for Cisco ASA firewalls running version 7.0 and above. While rule order may still have relevance in specific scenarios, such as when using features that necessitate more detailed inspection or when certain rules explicitly terminate traffic flows, its impact on overall firewall performance is generally minimal.

However, it's important to note that rule order can still be relevant for ease of administration and maintaining a clear rule set. Placing frequently used or critical rules at the top of the rule set can enhance the intuitiveness and manageability of the firewall configuration.

In summary, for Cisco ASA firewalls running version 7.0 and above, rule ordering is not a significant factor in performance optimization due to the fast path processing capabilities. Instead, it is recommended to focus on organizing the rule set for ease of management and maintaining clarity. This approach will ensure efficient administration while leveraging the optimized packet processing capabilities of the firewall.

please do not forget to rate.


5 Replies

https://www.linkedin.com/pulse/object-group-search-underrated-new-feature-nikolaj-pabst-nielsen

  • You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command.
  • You can improve system performance and reliability by using the transactional commit model for access groups. See the basic settings chapter in the general operations configuration guide for more information. Use the asp rule-engine transactional-commit access-group command.

I don't know what you mean, but fastpath is different from the order in which the ASA/FPR checks the ACL.
The above two commands enhance how the ASA/FPR checks the order of the ACL.

Also, as I mentioned before, do plan your ACL before applying it.
THANKS 
MHM
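The first bullet above describes a memory-versus-lookup trade-off: with object group search disabled, an ACE that references object-groups is expanded into one flat entry per combination of members, while with it enabled the single ACE is kept and group membership is tested at lookup time. The following Python model, added here as an illustration and not code from the thread or from Cisco, shows both strategies on a constructed ACE with three source subnets, four destination hosts and two ports: the expanded form becomes 24 entries, the group-search form stays at one, and both return the same verdict for any packet. The group names, addresses and ports are made-up sample values.

```python
import ipaddress
from itertools import product

# Constructed sample object-groups (not from the thread).
GROUPS = {
    "SRC_NETS": ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"],
    "DST_HOSTS": ["192.0.2.10/32", "192.0.2.11/32", "192.0.2.12/32", "192.0.2.13/32"],
    "WEB_PORTS": [80, 443],
}

# One ACE as it would be written in the config, referencing the groups by name.
ACE = {"action": "permit", "src": "SRC_NETS", "dst": "DST_HOSTS", "ports": "WEB_PORTS"}


def expand_ace(ace, groups):
    """Flat entries held when object-group search is off:
    one entry for every (source, destination, port) combination."""
    return [
        {"action": ace["action"], "src": s, "dst": d, "port": p}
        for s, d, p in product(groups[ace["src"]], groups[ace["dst"]], groups[ace["ports"]])
    ]


def expanded_count(ace, groups):
    """Number of flat entries the expansion produces (3 x 4 x 2 = 24 here)."""
    return len(expand_ace(ace, groups))


def match_expanded(flat, src, dst, dport):
    """Lookup against the expanded table: each entry is one exact test,
    first match wins, implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in flat:
        if (s in ipaddress.ip_network(e["src"])
                and d in ipaddress.ip_network(e["dst"])
                and dport == e["port"]):
            return e["action"]
    return "deny"


def match_group_search(ace, groups, src, dst, dport):
    """Lookup with object-group search on: the single ACE is kept and the
    group memberships are tested at lookup time instead of being pre-expanded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_src = any(s in ipaddress.ip_network(n) for n in groups[ace["src"]])
    in_dst = any(d in ipaddress.ip_network(n) for n in groups[ace["dst"]])
    in_port = dport in groups[ace["ports"]]
    return ace["action"] if (in_src and in_dst and in_port) else "deny"


def compare(ace, groups, samples):
    """Run both strategies over sample flows; return (verdict pairs, all_agree)."""
    flat = expand_ace(ace, groups)
    verdicts = [
        (match_expanded(flat, src, dst, dport), match_group_search(ace, groups, src, dst, dport))
        for src, dst, dport in samples
    ]
    return verdicts, all(a == b for a, b in verdicts)


# Constructed sample flows: one permitted, one from a subnet outside the group,
# one to a port outside the group.
SAMPLES = [("10.2.0.7", "192.0.2.12", 443), ("10.9.0.7", "192.0.2.12", 443), ("10.1.0.1", "192.0.2.10", 22)]

if __name__ == "__main__":
    print("expanded entries:", expanded_count(ACE, GROUPS))
    print("verdicts (expanded, group-search):", compare(ACE, GROUPS, SAMPLES))
```

The multiplication is the point: adding one more member to any group adds a whole slice of flat entries, which is why large group-based rulebases consume memory quickly without object group search, while the verdicts themselves do not change between the two modes.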

Thanks! That's exactly what I needed to know! One follow-up question: rule order still matters as far as allows and denies go, right? I.e., Rule 7 says Server1 deny any access to any RFC1918 address and then Rule 8 says Server1 permit any http/https access to any address; Server1 can get to anything on the internet and can't get to any RFC1918 address.

That's correct the rule order does matter, let me explain this in more detail.

The ASA firewall order of rules holds significant importance in determining access permissions within ASA firewall. Allow me to provide an example to emphasize this point: Let's consider Rule 7, which states "Server1 should be denied any access to any RFC1918 address," and Rule 8, which states "Server1 is permitted HTTP/HTTPS access to any address."

As the firewall processes these rules, it evaluates them sequentially from top to bottom, giving precedence to the first rule that matches the traffic. If Rule 7 is positioned before Rule 8, it will be assessed first. In such a scenario, if the traffic aligns with Rule 7, the firewall will execute the deny action, and Rule 8 will not be considered. Consequently, Server1 will be denied access to any RFC1918 address.

On the other hand, if Rule 8 is placed before Rule 7, it will take priority. Should the traffic match Rule 8, the permit action will be applied, granting Server1 the ability to access any HTTP/HTTPS address, whether public or private. Rule 7, which denies access to RFC1918 addresses, will not come into effect since a match has already been found.

To achieve the intended behavior and avoid unintended access, it is crucial that we carefully arrange our allow and deny rules. I recommend placing more specific deny rules ahead of more general permit rules within our firewall rule set. I hope this makes sense and clears up your understanding of how the packet/traffic behaves when it comes to the Cisco Firewall Engine.

please do not forget to rate.
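The Rule 7 / Rule 8 discussion above, worked through in code. This is an added Python model, not code from the thread or from Cisco: an ordered ACL evaluated top to bottom with first match wins and an implicit deny at the end, plus a connection table so that only the first packet of a flow walks the ACL and later packets of an established flow are handled without consulting it. That second part is the assumption the example makes about the fast path mentioned earlier in the thread; the addresses for Server1 and the two destinations are constructed sample values, and the rule names follow the numbering in the question.

```python
import ipaddress

# Constructed sample addresses (not from the thread).
SERVER1 = "203.0.113.10"
PRIVATE_HOST = "192.168.1.5"     # an RFC1918 address
PUBLIC_HOST = "198.51.100.7"     # an internet address

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ANY = ["0.0.0.0/0"]


class Rule:
    def __init__(self, name, action, src, dst, dports=None):
        self.name, self.action = name, action
        self.src = [ipaddress.ip_network(n) for n in src]
        self.dst = [ipaddress.ip_network(n) for n in dst]
        self.dports = dports          # None means any destination port
        self.hits = 0                 # hit counter, like the one shown per ACE

    def matches(self, src, dst, dport):
        return (any(src in n for n in self.src)
                and any(dst in n for n in self.dst)
                and (self.dports is None or dport in self.dports))


def build_rules(order):
    """Fresh Rule objects in the requested order, e.g. ["7", "8"] or ["8", "7"]."""
    catalogue = {
        "7": lambda: Rule("rule 7", "deny", [SERVER1 + "/32"], RFC1918),
        "8": lambda: Rule("rule 8", "permit", [SERVER1 + "/32"], ANY, {80, 443}),
    }
    return [catalogue[n]() for n in order]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()            # established flows (src, dst, dport)
        self.acl_lookups = 0          # packets that actually walked the ACL

    def process(self, src, dst, dport):
        key = (src, dst, dport)
        if key in self.conns:
            return "permit"           # established connection: ACL not consulted
        self.acl_lookups += 1
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:       # first match wins, top to bottom
            if rule.matches(s, d, dport):
                rule.hits += 1
                if rule.action == "permit":
                    self.conns.add(key)
                return rule.action
        return "deny"                 # implicit deny at the end of every ACL


def evaluate(order):
    """Verdicts for three first packets from Server1 under the given rule order."""
    fw = Firewall(build_rules(order))
    return {
        "to_private_https": fw.process(SERVER1, PRIVATE_HOST, 443),
        "to_public_https": fw.process(SERVER1, PUBLIC_HOST, 443),
        "to_public_ssh": fw.process(SERVER1, PUBLIC_HOST, 22),
    }


def acl_lookups_for_flow(order, packets):
    """How many of `packets` packets of one permitted flow walked the ACL."""
    fw = Firewall(build_rules(order))
    for _ in range(packets):
        fw.process(SERVER1, PUBLIC_HOST, 443)
    return fw.acl_lookups


if __name__ == "__main__":
    for order in (["7", "8"], ["8", "7"]):
        print("order", " then ".join(order), "->", evaluate(order))
    print("ACL lookups for a 10-packet permitted flow:", acl_lookups_for_flow(["7", "8"], 10))
```

With Rule 7 first, HTTPS to the private host is denied and HTTPS to the public host is permitted, which is the behaviour the question expects; with Rule 8 first, the same private-host flow is permitted because the broader permit matches before the specific deny is ever reached. The lookup counter shows the other half of the thread: a flow of ten packets walks the ACL once, so the length and order of the ACL only affect the first packet of each connection, not every packet.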

Ok, that's what I thought but I wanted to verify.  Thanks for the clarification!
