10-15-2018 02:05 AM - edited 03-12-2019 07:01 AM
Hello,
After migrating the firewall policy from an ASA to Firepower, most of the objects in the rules were automatically grouped and named using the "DM_INLINE_NETWORK" or "DM_INLINE_SERVICE" naming convention. This makes the policy a lot more difficult to understand and see through. Is it possible to disable the grouping so the rules appear as they used to in the ASA?
Regards.
10-15-2018 04:21 AM
You can't disable the grouping as far as I know.
However if you start with an ASA config that has well-defined named groups (network objects, object groups etc.) they should be retained in the Firepower configuration.
10-15-2018 08:14 AM
Thanks, Marvin,
The ASA policy does have well-defined objects. For instance, an original ASA ACE that has 4 individual objects as a destination gets grouped under the "DM_INLINE_NETWORK_54" group when migrated. The same occurs for ports.
Only those ACEs where there is just a single object do not get grouped.
This is very frustrating because although the rules are there, the policy changes make it unmanageable.
Regards.
10-15-2018 08:47 AM
Unfortunately, there is no way around this. The "DM_INLINE" objects are created by the ASDM when you edit or create network/service object groups on the GUI. The ASDM somehow understands the mapping and shows you the right groups separately, but the CLI still has the DM_INLINE references. Since you use the CLI config to migrate to the Firepower, this gets carried over. I really wish they did something about this in a later version of the migration tool.
10-15-2018 08:53 AM
Hey Rahul - correct me if I'm wrong but if you create well-named Network objects and groups in ASDM and then use those in your NAT rules, ACL entries etc. they will carry over as-is in the converted configuration - correct?
Only if you just click to add them graphically in ASDM directly (without first creating groups) will you get DM_INLINE objects.
10-15-2018 09:17 AM
Yes @Marvin Rhoads, that is correct. If you use just a single pre-defined object group, then this is ok. But if you add more than 1 object/object-group in a single ACE, then the ASDM automatically bunches them into another object group with the DM_INLINE reference.
The problem is that ASDM has no indicator that DM_INLINE object-groups are being created, this is all in the backend (or use the preview commands feature of ASDM). So, if an administrator has been using ASDM in the past, there is most likely a bunch of rules with that reference that they don't know about until they look at the CLI.
10-15-2018 11:49 PM
Thanks @Rahul Govindan and @Marvin Rhoads for giving some light into this. I'm afraid manual work will be necessary to get rid of these DM_INLINE objects...
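The "manual work" mentioned above can be scripted. The following is an added example, not code from the thread or from any Cisco tool: it reads an ASA running-config excerpt, expands every `object-group DM_INLINE_*` reference in an `access-list` line back into one ACE per member (the Cartesian product when an ACE uses both an inline network group and an inline port group), and drops the inline group definitions that nothing else still references, so a group still used by e.g. a NAT rule is kept. Named groups such as `WEB_SERVERS`, and named groups nested via `group-object`, are left as references, which is what carries over cleanly. The config excerpt is constructed for the example; the `object-group service NAME tcp` / `port-object eq` form is assumed for inline port groups (ASDM's `DM_INLINE_SERVICE_n` groups with `service-object` lines are not handled).

```python
"""Expand ASDM-generated DM_INLINE_* object-groups back into per-object ACEs.

Added example (not from the forum thread or any Cisco tool). Assumes standard
ASA running-config syntax for object-group and access-list lines.
"""
import itertools
import re

# Constructed sample config: one named group (WEB_SERVERS) that should survive,
# plus two ASDM inline groups created by adding several objects to one ACE.
SAMPLE_CONFIG = """\
object network WEB1
 host 10.1.1.10
object network WEB2
 host 10.1.1.11
object network DMZ_NET
 subnet 10.2.0.0 255.255.0.0
object-group network WEB_SERVERS
 network-object object WEB1
 network-object object WEB2
object-group network DM_INLINE_NETWORK_54
 network-object object WEB1
 network-object object WEB2
 network-object object DMZ_NET
 network-object host 10.3.3.3
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_IN extended permit tcp any object-group DM_INLINE_NETWORK_54 object-group DM_INLINE_TCP_1
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq ssh
access-list OUTSIDE_IN extended deny ip any any
"""

GROUP_HEADER = re.compile(r"^object-group (network|service) (\S+)(?: (tcp|udp|tcp-udp))?\s*$")
INLINE = re.compile(r"^DM_INLINE_")


def parse_object_groups(config):
    """Map group name -> member strings already in the form an ACE accepts.

    network-object object X -> 'object X'; network-object host A -> 'host A';
    network-object A M -> 'A M'; port-object eq P -> 'eq P';
    group-object G -> 'object-group G' (nested groups stay references).
    """
    groups, current = {}, None
    for line in config.splitlines():
        m = GROUP_HEADER.match(line)
        if m:
            current = m.group(2)
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            body = line.strip()
            for prefix in ("network-object ", "port-object "):
                if body.startswith(prefix):
                    groups[current].append(body[len(prefix):])
            if body.startswith("group-object "):
                groups[current].append("object-group " + body.split()[1])
        else:
            current = None  # any other top-level line ends the group
    return groups


def expand_ace(ace, groups):
    """Return one ACE per member combination of every DM_INLINE group it uses."""
    tokens, slots, i = ace.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "object-group" and i + 1 < len(tokens) and INLINE.match(tokens[i + 1]):
            members = groups.get(tokens[i + 1])
            if not members:
                raise ValueError(f"inline group {tokens[i + 1]} is undefined or empty")
            slots.append([m.split() for m in members])
            i += 2
        else:
            slots.append([[tokens[i]]])
            i += 1
    # The original ACE matched any member of each group, so every combination
    # becomes its own ACE; product() keeps the members in config order.
    return [" ".join(t for part in combo for t in part) for combo in itertools.product(*slots)]


def expand_config(config):
    """Rewrite ACEs and remove inline group definitions nothing references anymore."""
    groups = parse_object_groups(config)
    lines = []
    for line in config.splitlines():
        if line.startswith("access-list ") and "object-group DM_INLINE_" in line:
            lines.extend(expand_ace(line, groups))
        else:
            lines.append(line)
    referenced = set()  # names still used outside their own definition (e.g. NAT)
    for line in lines:
        if not line.startswith("object-group "):
            referenced.update(re.findall(r"(?:object-group|group-object) (\S+)", line))
    out, dropping = [], False
    for line in lines:
        m = GROUP_HEADER.match(line)
        if m:
            dropping = bool(INLINE.match(m.group(2))) and m.group(2) not in referenced
        elif not line.startswith(" "):
            dropping = False
        if not dropping:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(expand_config(SAMPLE_CONFIG))
```

Run it against a `show running-config` capture before feeding the result to the migration tool. Expansion preserves ACE order, so the policy's match semantics are unchanged, but an ACE that used an inline group of N networks and M ports becomes N times M lines, which is the trade-off for getting per-object rules back.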
10-25-2018 06:18 AM
@Antonio Macia With Firepower Migration Tool R1.1 you should be able to rename objects (bulk supported) within the tool itself. Here is the link to download the tool: https://www.cisco.com/c/en/us/products/security/firewalls/firepower-migration-tool.html
ASA rule optimization features explained here: https://www.youtube.com/watch?v=o2EIOh8s1Lo&t=1s
10-25-2018 12:14 PM
@Munib Shah: Great to hear that this is fixed in the new version of the tool.
10-29-2018 09:05 AM
Thanks Munib. Sounds great!
I'll give it a try.
02-13-2019 10:23 PM
Can the migration tool be used only for copying objects and services to FMC?
02-13-2019 10:32 PM
Yes definitely. Just choose only Network and Port objects in the Selective Policy section (Step 2)
02-13-2019 10:37 PM
Nice, thanks, but it is taking 30 mins so far with
02-13-2019 10:47 PM
May I know your FMC and tool version?
From FMC 6.2.3.3 onward objects are pushed in bulk (1000 in one call) which should be much faster than it was before.
You can use the console window of the tool to verify which ones are currently being pushed.
02-13-2019 10:49 PM
FMC is FMC Version: 6.2.3 (build 83)
Tool is Firepower_Migration_Tool_v1.2.0.2-2518.exe