01-09-2011 05:39 AM - edited 02-21-2020 04:12 AM
Hi,
I have many FWs managed by CSM 3.3.1 SP1. Number of rules on each firewall ranges from hundreds up-to more than 30 thousands of lines as summation for all active ACLs on the FW. After start using CSM to manage these Firewalls, recently we noticed that some ACL lines or static translations are disappear from the FW although they are existing on the CSM topology (ACL list in CSM). We are suspecting few possible causes and one of them having CSM ignoring some lines during deploying the rules to the remote site. Links speeds are ranging from 256k up to 2M on some sites that we are facing problem with.
We need feedback on the following:
- Is this behavior related to bug.
- Is there any limitations or recommendations on the links speed between CSM server and the remote firewalls.
- Is there any possibility that CSM omit some rules or configuration while transferring these changes to the remote firewall, or possibility of having some of these configurations not transferred successfully to the FW due to link performance issues, etc,… in this context, kindly explain the methods or techniques that CSM use to ensure reliability of the configuration and detection capabilities of any errors during the transfer.
Regards,
Muhannad
01-10-2011 02:42 AM
To address your questions, when CSM send configuration to the device it waits for a response. You can see the deployment transcripts that include these responses.
So even if there is packet loss between the devices and CSM you would see delay in the deployment, but it doesn't make sense for "some" of the commands to not by deployed.
I hope it clarifies it a little..
PK
01-10-2011 07:12 AM
Hi PK,
Many thanks for the response.
I will be checking the deployment transcripts that include these responses but what i am experiencing here is that some rules of the PIX are deleted once i am running the CSM deployment job, the only thing that has been verified that these firewalls are located in another countries which mean that they are located in very large geographical distances from the CSM.
I am not sure if this due and limitations of the latency or the BW, also i am not sure about if the logs and debugs can guide me to something useful!
Regards,
Muhannad
01-10-2011 07:46 AM
I would suggest you to check the last deployment transcript for these devices to see if CSM deployed any commands to remove the lines in question.
PK
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide