After migrating the firewall policy from an ASA to Firepower, most of the objects in the rules were automatically grouped and named using the "DM_INLINE_NETWORK" or "DM_INLINE_SERVICE" naming convention. This makes the policy a lot more difficult to understand and reduces its visibility. Is it possible to disable the grouping so the rules appear as they did in the ASA?
You can't disable the grouping as far as I know.
However if you start with an ASA config that has well-defined named groups (network objects, object groups etc.) they should be retained in the Firepower configuration.
The ASA policy does have well-defined objects. For instance, an original ASA ACE that has 4 individual objects as a destination gets grouped under the "DM_INLINE_NETWORK_54" group when migrated. The same occurs for ports.
Only those ACEs where there is just a single object do not get grouped.
This is very frustrating because although the rules are there, the policy changes make it unmanageable.
Unfortunately, there is no way around this. The "DM_INLINE" objects are created by the ASDM when you edit or create network/service object groups on the GUI. The ASDM somehow understands the mapping and shows you the right groups separately, but the CLI still has the DM_INLINE references. Since you use the CLI config to migrate to the Firepower, this gets carried over. I really wish they did something about this in a later version of the migration tool.
Hey Rahul - correct me if I'm wrong but if you create well-named Network objects and groups in ASDM and then use those in your NAT rules, ACL entries etc. they will carry over as-is in the converted configuration - correct?
Only if you just click to add them graphically in ASDM directly (without first creating groups) will you get DM_INLINE objects.
Yes @Marvin Rhoads, that is correct. If you use just a single pre-defined object group, then this is ok. But if you add more than 1 object/object-group in a single ACE, then the ASDM automatically bunches them into another object group with the DM_INLINE reference.
The problem is that ASDM has no indicator that DM_INLINE object-groups are being created; this all happens in the backend (unless you use the preview commands feature of ASDM). So, if an administrator has been using ASDM in the past, there are most likely a bunch of rules with that reference that they don't know about until they look at the CLI.
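A quick way to spot those hidden references before migrating, as an added example (not code from this thread or from Cisco's tools): a small Python parser run over a constructed ASA running-config excerpt that lists every ACE referencing a DM_INLINE group together with the members that group hides.

```python
import re
# Constructed ASA running-config excerpt (not from the thread) showing what ASDM
# emits when several objects are placed in one ACE: a DM_INLINE group per position.
ASA_CONFIG = """\
object-group network DM_INLINE_NETWORK_54
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object 10.2.0.0 255.255.0.0
object-group service DM_INLINE_SERVICE_3
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group network DMZ_SERVERS
 network-object host 10.3.3.3
access-list OUTSIDE_IN extended permit tcp any object-group DM_INLINE_NETWORK_54 eq https
access-list OUTSIDE_IN extended permit object-group DM_INLINE_SERVICE_3 any object-group DM_INLINE_NETWORK_54
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_SERVERS eq ssh
"""

def parse_object_groups(config):
    """Map each object-group name to its member lines (the indented lines after it)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group (?:network|service|protocol|icmp-type) (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            groups[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the group body
    return groups

def find_inline_aces(config, groups):
    """Return {ACE: {DM_INLINE group: members}} for every ACE that references one."""
    report = {}
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        refs = [g for g in re.findall(r"object-group (\S+)", line) if g.startswith("DM_INLINE_")]
        if refs:
            report[line] = {g: groups.get(g, []) for g in refs}
    return report

if __name__ == "__main__":
    report = find_inline_aces(ASA_CONFIG, parse_object_groups(ASA_CONFIG))
    for ace, inline in report.items():
        print(ace)
        for name, members in inline.items():
            print(f"  {name} -> {'; '.join(members)}")
```

Feed it the output of `show running-config` (or the exported CLI config) to get the list of ACEs whose membership only becomes visible on the CLI side.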
@Antonio Macia With Firepower Migration Tool R1.1 you should be able to rename objects (bulk supported) within the tool itself. Here is the link to download the tool: https://www.cisco.com/c/en/us/products/security/firewalls/firepower-migration-tool.html
ASA rule optimization features explained here: https://www.youtube.com/watch?v=o2EIOh8s1Lo&t=1s
May I know your FMC and tool version?
From FMC 126.96.36.199 onward, objects are pushed in bulk (1000 in one call), which should be much faster than before.
You can use the console window of the tool to verify which ones are currently being pushed.