Best practices regarding Service Groups in Cisco ASA

02-14-2017 01:31 AM - edited 03-12-2019 01:55 AM
Good day,
I wonder if there is any best practice guideline regarding the use of TCP/UDP Service Groups, instead of several one-port access-rules.
For example, if you have several subnets that need to talk to some domain controllers in one subnet, for AD traffic, it quickly gets to be a lot of access-rules if you use one rule per port. On the other side, you can easily see which rules have hits and which have no hits, and might be removed.
I'm thinking of creating a Service Group for all AD traffic, so I only need one rule for each interface for this traffic.
Any downsides to doing this? Does the use of Service Groups impact performance?
Thanks.
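The following ASA configuration is an added example, not taken from the original post or from Cisco; it shows the approach the question describes (one protocol-agnostic service object-group for AD traffic, referenced by a single ACE per interface) and how to still see per-port hit counts afterwards. Object names, subnets and host addresses are constructed placeholders; the port list covers the well-known AD/Kerberos/LDAP/SMB/RPC ports, not every port a given forest might use.

```cisco
! Constructed example: client networks and domain controllers (placeholder addresses)
object-group network CLIENT-NETS
 network-object 10.1.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
object-group network DOMAIN-CONTROLLERS
 network-object host 10.0.0.10
 network-object host 10.0.0.11

! Protocol-agnostic service group: TCP and UDP members can live in one group,
! so the ACE below needs no protocol keyword of its own.
object-group service AD-SERVICES
 service-object tcp destination eq 53
 service-object udp destination eq 53
 service-object tcp destination eq 88
 service-object udp destination eq 88
 service-object udp destination eq 123
 service-object tcp destination eq 135
 service-object tcp destination eq 389
 service-object udp destination eq 389
 service-object tcp destination eq 445
 service-object tcp destination eq 464
 service-object udp destination eq 464
 service-object tcp destination eq 636
 service-object tcp destination eq 3268
 service-object tcp destination eq 3269
 service-object tcp destination range 49152 65535

! One rule per interface instead of one rule per port
access-list INSIDE_IN extended permit object-group AD-SERVICES object-group CLIENT-NETS object-group DOMAIN-CONTROLLERS
access-group INSIDE_IN in interface inside

! Verification: the ASA expands the group into individual ACEs and keeps a
! hitcnt for each expanded line, so unused ports are still visible:
!   show access-list INSIDE_IN
! Before removing a port from the group, look at its expanded-line hitcnt
! over a period that covers the traffic pattern you care about.
```

Two points follow from the expansion. First, the hit-count visibility the question worries about losing is largely preserved: `show access-list` shows the expanded lines with their own `hitcnt`, so the per-port picture is still there, it is just read from one ACL entry's expansion rather than from separate rules. Second, the performance question is really a memory question: every combination of source network, destination host and service becomes an expanded ACE, and with large groups that count grows quickly. The ASA's `object-group-search access-control` setting trades that memory for some lookup CPU by matching against the groups without full expansion; which side of the trade is right depends on the platform and rule count, so check `show access-list` element counts and memory before and after enabling it rather than assuming.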

02-14-2017 01:57 AM
Please check the link below for the best practices guide:
http://www.cisco.com/c/en/us/about/security-center/firewall-best-practices.html
