Cisco FMC Variable Set Query

SHABEEB KUNHIPOCKER · ‎02-03-2025

Hello All,

We are migrating from ASA+SFR to FTD. I used the migration tool and migrated the ASA policies to FMC. I was tuning the policies after migration to the FMC and have some doubts regarding the variable sets. Please find the questions below.

What is the purpose/advantage of variable sets?. Is it mandatory to configure new variable sets or modify the default variable set?.
In our case we have 3 segments : Inside Segment, Multiple DMZ segments and Internet Segment. So in the variable set how should we configure the HOME_NET and EXTERNAL_NET?. What should we put in HOME_NET and EXTERNAL_NET?.
Should we configure multiple variable sets and assign it based on the traffic direction?.

I was planning to configure 3 variable sets:

Rules for Inside to Internet , Inside to DMZ and DMZ to Inside : Variable Set A (HOME_NET – Inside Subnets with DMZ subnet exclusion, EXTERNAL_NET - !HOME_NET)
Rules for Internet to Inside & Internet to DMZ : Variable Set B (HOME_NET – Inside and DMZ Subnets, EXTERNAL_NET - !HOME_NET)
Rules for DMZ to Internet : Variable Set C (HOME_NET – DMZ Subnets, EXTERNAL_NET - !HOME_NET)

Please advise.

BR

Shabeeb

Sheraz.Salim · ‎02-03-2025

Variable sets are employe in order for you to manage and customize variables used in intrusion rules, the purpose is to help the defined/given network enviroment more grulner/fine-tune(improving the efficeny) to reduce the false positives. Variables like $HOME_NET (classified as protected network) and $EXTERNAL_NET (classified as unprotected network) these can be be customized to your specific network needs. Hence it is not mandatory to create new variable sets however doing so is recommended for best practice configuration for your(given) network rather then leave them default. here i have attached some reference guide for you Here and Here

In regards to planning your network.

Inside Segment $HOME_NET should include all internal subnets excluding the DMZ. $EXTERNAL_NET can be set as !$HOME_NET, representing everything outside the protected internal network.

DMZ Segment $HOME_NET should include DMZ subnets, while $EXTERNAL_NET can also be !$HOME_NET, ensuring external traffic is monitored.

Internet Segment: For traffic involving the Internet, $EXTERNAL_NET should represent all external traffic not included in $HOME_NET.

for your question you have asked have a read on this link it has explain in detail I have already shared above Here

you can set the logs into order to monitor them and fine tune according to your needs.

please do not forget to rate.

SHABEEB KUNHIPOCKER · ‎02-03-2025

Hello Sheraz,

Thanks a lot for your response. I can see other parameters like DNS, FTP etc in the configuration. Should we configure it or configuring HOME_NET and EXTERNAL_NET is enough?

Sheraz.Salim · ‎02-03-2025

its really depends how and what level of grunality you want to acheive. HOME_NET and EXTERNAL_NET provides you as setting up the base-line and best-security practice to start with in order to enhance the protection of network and elimante the false positives. configuration of DNS,FTD setting with HOME_NET and EXTERNAL can be highly benefical and recommanded as many snort rules can target specific protocols like DNS, FTP. I think you should be fine but if your enviroment is security sensitive in that case you might need to look into it and fine tune according to your needs.

please do not forget to rate.

Aref Alsouqi · ‎02-03-2025

Please check this post of mine about using the Snort variables and a gotcha that might make Snort unaware of an attack:

Snort HOME_NET and EXTERNAL_NET Variables