1540 Views · 15 Helpful · 18 Replies
Antonio Macia
Participant

Firepower migration tool

Hello,

After migrating the firewall policy from an ASA to Firepower, most of the objects in the rules were automatically grouped and named using the "DM_INLINE_NETWORK" or "DM_INLINE_SERVICE" naming convention. This makes understanding and visibility of the policy a lot more difficult. Is it possible to disable the grouping so the rules appear as they used to in the ASA?

 

Regards.

18 Replies
Marvin Rhoads
VIP Community Legend

You can't disable the grouping as far as I know.

However, if you start with an ASA config that has well-defined named groups (network objects, object groups, etc.), they should be retained in the Firepower configuration.

Thanks, Marvin,

 

The ASA policy does have well-defined objects. For instance, an original ASA ACE that has 4 individual objects as a destination gets grouped under the "DM_INLINE_NETWORK_54" group when migrated. The same occurs for ports.

Only those ACEs where there is just a single object do not get grouped.

This is very frustrating because, although the rules are there, the policy changes make it unmanageable.

 

Regards.

Unfortunately, there is no way around this. The "DM_INLINE" objects are created by the ASDM when you edit or create network/service object groups on the GUI. The ASDM somehow understands the mapping and shows you the right groups separately, but the CLI still has the DM_INLINE references. Since you use the CLI config to migrate to the Firepower, this gets carried over. I really wish they did something about this in a later version of the migration tool. 

Hey Rahul, correct me if I'm wrong, but if you create well-named network objects and groups in ASDM and then use those in your NAT rules, ACL entries, etc., they will carry over as-is in the converted configuration, correct?

 

Only if you just click to add them graphically in ASDM directly (without first creating groups) will you get DM_INLINE objects.

Yes @Marvin Rhoads, that is correct. If you use just a single pre-defined object group, then this is ok. But if you add more than 1 object/object-group in a single ACE, then the ASDM automatically bunches them into another object group with the DM_INLINE reference. 

 

The problem is that ASDM has no indicator that DM_INLINE object-groups are being created, this is all in the backend (or use the preview commands feature of ASDM). So, if an administrator has been using ASDM in the past, there is most likely a bunch of rules with that reference that they don't know about until they look at the CLI. 
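Since the thread points out that ASDM gives no indication that DM_INLINE groups exist until you look at the CLI, the following is an added example (not code from the thread, from Cisco, or from the migration tool) of a small pre-migration audit: it parses an ASA running-config text, lists every ASDM-generated DM_INLINE object-group with its members, and reports which ACEs reference them, so the groups can be renamed or flattened deliberately before the config is fed to the tool. The config fragment and the object names in it are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample of an ASA running-config fragment; not taken from the thread.
# It mixes one well-named group (WEB_SERVERS) with two ASDM-generated DM_INLINE groups.
SAMPLE_ASA_CONFIG = """\
object network SRV_WEB1
 host 10.1.1.10
object network SRV_WEB2
 host 10.1.1.11
object-group network WEB_SERVERS
 network-object object SRV_WEB1
 network-object object SRV_WEB2
object-group network DM_INLINE_NETWORK_54
 network-object object SRV_WEB1
 network-object host 10.1.1.12
 network-object 10.2.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_7
 service-object tcp destination eq www
 service-object tcp destination eq https
access-list OUTSIDE_IN extended permit object-group DM_INLINE_SERVICE_7 any object-group DM_INLINE_NETWORK_54
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq ssh
access-list OUTSIDE_IN extended deny ip any any
"""

# ASDM names its auto-generated groups DM_INLINE_<TYPE>_<n>, e.g. DM_INLINE_NETWORK_54.
DM_INLINE_RE = re.compile(r"\bDM_INLINE_[A-Z]+_\d+\b")


def parse_object_groups(config_text):
    """Map every object-group name to its list of member lines (stripped)."""
    groups = OrderedDict()
    current = None
    for line in config_text.splitlines():
        if line.startswith("object-group "):
            # "object-group <type> <name> [...]"
            current = line.split()[2]
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            groups[current].append(line.strip())
        else:
            # Any other top-level line ends the current group block.
            current = None
    return groups


def find_dm_inline_groups(config_text):
    """Return only the ASDM-generated DM_INLINE groups with their members."""
    groups = parse_object_groups(config_text)
    return OrderedDict((name, members) for name, members in groups.items()
                       if DM_INLINE_RE.fullmatch(name))


def find_referencing_aces(config_text):
    """Return (ace_line, [DM_INLINE names in it]) for each ACE that uses such a group."""
    hits = []
    for line in config_text.splitlines():
        if line.startswith("access-list "):
            names = DM_INLINE_RE.findall(line)
            if names:
                hits.append((line, names))
    return hits


def summarize(config_text):
    """Counts a reviewer can check before running the migration tool."""
    inline_groups = find_dm_inline_groups(config_text)
    aces = find_referencing_aces(config_text)
    return {
        "dm_inline_group_count": len(inline_groups),
        "affected_ace_count": len(aces),
        "largest_group": max(inline_groups, key=lambda n: len(inline_groups[n]), default=None),
    }


if __name__ == "__main__":
    for name, members in find_dm_inline_groups(SAMPLE_ASA_CONFIG).items():
        print(f"{name}:")
        for member in members:
            print(f"    {member}")
    for ace, names in find_referencing_aces(SAMPLE_ASA_CONFIG):
        print(f"ACE uses {', '.join(names)}:\n    {ace}")
    print(summarize(SAMPLE_ASA_CONFIG))
```

Run it against a `show running-config` capture instead of the sample string to get the list of groups that will otherwise appear verbatim in the converted Firepower policy; the member lines tell you what each group expands to, which is what the rule looked like in the ASDM view.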

Thanks @Rahul Govindan and @Marvin Rhoads for giving some light into this. I'm afraid manual work will be necessary to get rid of these DM_INLINE objects...

@Antonio Macia With Firepower Migration Tool R1.1 you should be able to rename objects (bulk supported) within the tool itself. Here is the link to download the tool: https://www.cisco.com/c/en/us/products/security/firewalls/firepower-migration-tool.html

 

ASA rule optimization features explained here: https://www.youtube.com/watch?v=o2EIOh8s1Lo&t=1s

 

@Munib Shah: Great to hear that this is fixed in the new version of the tool. 

Thanks Munib. Sounds great!

I'll give it a try.

Can the migration tool be used to copy only Objects and Services to FMC?

Yes, definitely. Just choose only Network and Port objects in the Selective Policy section (Step 2).

Nice, thanks, but it is taking 30 mins so far with:

Parsing in progress. Please refer to console logs for more details

May I know your FMC and tool version?

 

From FMC 6.2.3.3 onward, objects are pushed in bulk (1000 in one call), which should be much faster than it was before.

 

You can use the console window of the tool to verify which ones are currently being pushed.

FMC is FMC Version: 6.2.3 (build 83)

Tool is Firepower_Migration_Tool_v1.2.0.2-2518.exe
