07-12-2020 04:14 AM
Hello Community,
We are in the process of migrating our ASAs to FTDs and managing them through FMC, but we have noticed that the current "Cisco Firepower Migration Tool" just transforms the configuration as is, without any optimization or intelligence. For example, there might be duplicate lines in the policies, or lines that will never be reached. Are there any other tools that we can use, given that we have FTD 4K and virtual FMC300?
Solved! Go to Solution.
07-12-2020 04:30 AM
Hi Feras,
Actually, you can utilize the Cisco Defense Orchestrator (CDO) migration tool, as it gives exactly what you need. You can have CDO just for the migration phase and then roll the FTD back to FMC for management. You can purchase the CDO subscription for a couple of months, as the price is relatively cheap.
quoted from the link above:
---------
Resolve Network Object Issues
Start to optimize the security policies on your ASAs by resolving issues with network policy objects.
• Unused objects—CDO identifies network policy objects that exist in a device configuration but are not referenced by another object, an access-list, or a NAT rule. Find these unused objects and delete them.
• Duplicate objects—Duplicate objects are two or more objects on the same device with different names but the same values. These objects are usually created accidentally, serve similar purposes, and are used by different policies. Look for opportunities to standardize names while recognizing that some duplicates may exist for legitimate reasons.
• Inconsistent objects—Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with same name and content but over time the values of these objects diverge which creates the inconsistency. Consider standardizing the values in these objects or renaming one to identify it as a different object.
--------
07-12-2020 07:14 AM
CDO is a very good option, even as an intermediate step as proposed here. It will also pick up shadowed rules.
An alternative I have used that will pick up unused objects and ACLs is the free config cleanup tool at tunnelsup.com.
https://www.tunnelsup.com/config-cleanup/
Not as full-featured as CDO but it's absolutely free - you don't even need to register.
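As an added example (not from the original thread, CDO, or the tunnelsup tool), the script below implements offline versions of the checks the two replies describe: unused objects, duplicate objects on one device, inconsistent objects across devices, and access-list lines that can never be reached. It runs against a constructed ASA config embedded in the file (no real device is involved), and it only handles `object network/service` definitions and `access-list ... extended` lines in the shape shown. The unreachable-ACE check is deliberately limited to exact repeats and anything after an `ip any any` catch-all; detecting a broader earlier ACE covering a narrower later one would need address and port containment, which this helper does not attempt.

```python
"""Offline ASA running-config cleanup checks: unused, duplicate and inconsistent
objects, plus access-list lines that can never match. Heuristic helper, not CDO."""
import re
from collections import defaultdict

# Constructed sample configs (not from any real device); line numbers below refer to A.
SAMPLE_CONFIG_A = """\
object network WEB-SRV-1
 host 10.1.1.10
object network WEB-SRV-1-DUP
 host 10.1.1.10
object network DB-SRV
 host 10.1.2.20
object network OLD-PRINTER
 host 10.1.3.5
object-group network WEB-SERVERS
 network-object object WEB-SRV-1
access-list OUTSIDE_IN extended permit tcp any object-group WEB-SERVERS eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV-1-DUP eq 443
access-list OUTSIDE_IN extended permit tcp any object DB-SRV eq 1433
access-list OUTSIDE_IN extended permit tcp any object DB-SRV eq 1433
access-list OUTSIDE_IN extended deny ip any any
access-list OUTSIDE_IN extended permit tcp any object DB-SRV eq 3306
nat (inside,outside) source static DB-SRV DB-SRV
"""
SAMPLE_CONFIG_B = """\
object network DB-SRV
 host 10.1.2.21
object network OLD-PRINTER
 host 10.1.3.5
"""

OBJ_RE = re.compile(r"^object (network|service) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
# Lines whose tokens may name an object: group members, ACEs and NAT rules.
REF_PREFIXES = ("network-object ", "service-object ", "access-list ", "nat ")

def parse_objects(config):
    """Map object name -> body ('host 10.1.1.10'); 'description' lines are
    ignored so cosmetic text does not hide a value match."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(2)
            objects[current] = []
        elif line.startswith(" ") and current is not None:
            if not line.strip().startswith("description "):
                objects[current].append(line.strip())
        else:
            current = None
    return {name: ";".join(body) for name, body in objects.items()}

def find_unused_objects(config):
    """Objects referenced by no group, access-list or NAT rule."""
    objects = parse_objects(config)
    referenced = set()
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith(REF_PREFIXES):
            referenced.update(tok for tok in stripped.split() if tok in objects)
    return sorted(set(objects) - referenced)

def find_duplicate_objects(config):
    """Same value under different names on one device -> {value: [names]}."""
    by_value = defaultdict(list)
    for name, value in parse_objects(config).items():
        by_value[value].append(name)
    return {v: names for v, names in by_value.items() if len(names) > 1}

def find_inconsistent_objects(configs):
    """Same name with different values across devices -> {name: {device: value}}."""
    seen = defaultdict(dict)
    for device, config in configs.items():
        for name, value in parse_objects(config).items():
            seen[name][device] = value
    return {n: d for n, d in seen.items() if len(set(d.values())) > 1}

def find_unreachable_aces(config):
    """ACEs that can never match: an exact repeat of an earlier ACE in the same ACL,
    or any ACE after a 'permit|deny ip any any' catch-all. Returns (lineno, line,
    reason). A broader earlier ACE covering a narrower later one is NOT detected."""
    seen, catch_all, unreachable = defaultdict(set), set(), []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        body = f"{action} {proto} {rest}"
        if acl in catch_all:
            unreachable.append((lineno, line, "after catch-all"))
        elif body in seen[acl]:
            unreachable.append((lineno, line, "duplicate"))
        seen[acl].add(body)
        if proto == "ip" and rest.split() == ["any", "any"]:
            catch_all.add(acl)
    return unreachable
```

Run the four functions against `SAMPLE_CONFIG_A` (and the A/B pair for the inconsistency check). Note how the checks interact: the ACE on line 12 is semantically the same as line 11 once `WEB-SRV-1-DUP` is recognised as a duplicate of `WEB-SRV-1`, but the text-based ACE check cannot see that until the duplicate objects are merged, which is why object cleanup should be done before rule cleanup.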