Cisco FTD/FMC & best practices on how to handle large number of ACRs

IamSamSaul
Level 1

Hi there,

Is there any best practices available when there are a lot of Access Control rules configured in FMC/FTD? We have more than 400 access rules and sometimes it's difficult to troubleshoot and manage them. Any suggestions will be highly appreciated.

Thanks & Regards,

Sam


Chakshu Piplani
Cisco Employee

I would start from https://community.cisco.com/t5/network-security/api-based-tool-to-save-the-access-control-policy-from-fmc-as-csv/m-p/3943079

Export them all to CSV and check what's needed and what's not, and edit them accordingly.

Also you might want to consider the fact that each ACR expands within the box according to the variables added to it.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200522-Understand-the-Rule-Expansion-on-FirePOW.html

Regards,

Chakshu

 

Do rate helpful posts!

Cleaning up such rules can be time-consuming. I would first check the rule hit-counts and disable all rules that have 0 hits. After 2 or 3 weeks, if there are no complaints, go ahead and delete those rules. Now, depending on your budget, I would recommend going with a product like Algosec. With Algosec Firewall Analyser you will get info on rule hits, which IPs and ports are being used, and will be able to tighten rules that are "too open". It will also provide you with an analysis of rules that are covered by other rules (for example, you have a rule allowing 1.2.3.4 towards 4.3.2.1 on port tcp/80, but another rule further down is defined as 1.2.3.0/24 towards any for all ports). Also, it will uncover unused objects and "Risky Rules". The analysis can of course be customised to suit your environment.

Otherwise, you would need to create your own script that would go through all the rules and suggest changes.

@Chakshu Piplani - I am unaware of Cisco having such a product in its portfolio, do you know of any plans for bringing something like Algosec to the market? Perhaps integrate it with the Firepower portfolio?

--
Please remember to select a correct answer and rate helpful posts
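The two replies above describe one workflow: export the access-control policy to CSV, then find zero-hit rules and rules that are fully covered by another rule. The script below is an added example of the "create your own script" option, not code from either reply, from Cisco or from Algosec. It assumes a simplified CSV layout (columns `name,action,source,destination,ports,hits`, multiple values separated by `;`, `any` for wildcards) that is constructed for this example and must be mapped onto whatever the real export produces. It distinguishes two cases of "covered by another rule": a rule shadowed by an earlier broader rule (it can never match, whatever its action) and a rule made redundant by a later broader rule with the same action where no rule in between of a different action could match the same traffic. The sample rows reproduce the 1.2.3.4 → 4.3.2.1 tcp/80 versus 1.2.3.0/24 → any example from the reply.

```python
"""Offline review of an exported access-control rule list for zero-hit, shadowed and
redundant rules. Added example: the CSV layout below is an assumption, not FMC's own."""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample export. Column names and the ';'-separated multi-value syntax are
# assumptions for this example; map a real export's columns onto them first.
SAMPLE_CSV = """name,action,source,destination,ports,hits
web-host,ALLOW,1.2.3.4/32,4.3.2.1/32,tcp/80,1250
dns-out,ALLOW,10.0.0.0/8,any,udp/53,980000
legacy-app,ALLOW,10.1.1.0/24,172.16.5.10/32,tcp/8443,0
subnet-any,ALLOW,1.2.3.0/24,any,any,44000
block-telnet,DENY,10.0.0.0/8,any,tcp/23,0
dns-host,ALLOW,10.5.5.5/32,any,udp/53,0
deny-guest,DENY,192.168.100.0/24,10.0.0.0/8,any,300
guest-print,ALLOW,192.168.100.0/24,10.0.0.50/32,tcp/9100,0
"""

@dataclass
class Rule:
    name: str
    action: str
    src: list    # ip_network objects
    dst: list
    ports: list  # (proto, low, high); proto "any" means every protocol and port
    hits: int

def parse_nets(text):
    if text.strip().lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]  # "any" modelled as IPv4 0/0
    return [ipaddress.ip_network(t.strip(), strict=False) for t in text.split(";")]

def parse_ports(text):
    if text.strip().lower() == "any":
        return [("any", 0, 65535)]
    out = []
    for item in text.split(";"):
        proto, rng = item.strip().split("/")
        low, _, high = rng.partition("-")
        out.append((proto.lower(), int(low), int(high or low)))
    return out

def load_rules(csv_text):
    # Rows are kept in policy order; shadowing analysis depends on that order.
    return [Rule(r["name"], r["action"].upper(), parse_nets(r["source"]),
                 parse_nets(r["destination"]), parse_ports(r["ports"]), int(r["hits"]))
            for r in csv.DictReader(io.StringIO(csv_text))]

def nets_covered(inner, outer):
    return all(any(i.version == o.version and i.subnet_of(o) for o in outer) for i in inner)

def ports_covered(inner, outer):
    return all(any(o[0] == "any" or (p[0] == o[0] and o[1] <= p[1] <= p[2] <= o[2])
                   for o in outer) for p in inner)

def covers(broad, narrow):
    """True when every packet matching `narrow` also matches `broad`."""
    return (nets_covered(narrow.src, broad.src) and nets_covered(narrow.dst, broad.dst)
            and ports_covered(narrow.ports, broad.ports))

def intersects(a, b):
    """True when some packet could match both rules."""
    def nets(x, y):
        return any(m.version == n.version and m.overlaps(n) for m in x for n in y)
    ports = any(p[0] == "any" or q[0] == "any" or (p[0] == q[0] and p[1] <= q[2] and q[1] <= p[2])
                for p in a.ports for q in b.ports)
    return nets(a.src, b.src) and nets(a.dst, b.dst) and ports

def zero_hit_rules(rules):
    """(name, action) of rules with no hits; a zero-hit DENY may be a working guard."""
    return [(r.name, r.action) for r in rules if r.hits == 0]

def shadowed_rules(rules):
    """(rule, earlier rule that fully covers it): the later rule can never match."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                found.append((r.name, earlier.name))
                break
    return found

def redundant_rules(rules):
    """(rule, later same-action rule covering it) where no rule in between with another
    action could match the same traffic, so deleting the first changes nothing."""
    found = []
    for i, r in enumerate(rules):
        for j in range(i + 1, len(rules)):
            later = rules[j]
            if later.action == r.action and covers(later, r):
                if not any(b.action != r.action and intersects(b, r) for b in rules[i + 1:j]):
                    found.append((r.name, later.name))
                break
    return found

def analyse(csv_text=SAMPLE_CSV):
    rules = load_rules(csv_text)
    return {"zero_hit": zero_hit_rules(rules), "shadowed": shadowed_rules(rules),
            "redundant": redundant_rules(rules)}
```

Calling `analyse()` on the sample reports `web-host` as redundant (fully covered by the later `subnet-any` rule with the same action, exactly the case described in the reply), `dns-host` and `guest-print` as shadowed (the second by a DENY, so that ALLOW never takes effect), and four zero-hit rules. Note that `block-telnet` is a zero-hit DENY: hit count alone does not tell you whether it is unused or simply doing its job, which is why the zero-hit list carries the action alongside the name. The coverage check treats rule expansion (the Cisco document linked above) implicitly, since `;`-separated networks and ports are expanded into per-value comparisons; user identities, URL categories and zones are not modelled and would need extra columns.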