FMC Rule Organization

dominic.collins
Level 1

I am trying to organize our FMC firewall rules and need a logical way to group them together. I have explored the usage of Categories, but it seems I would be creating over 100 "Groups" to clean up the layout of the rules. Is there another option that would make grouping these easier, like nested groups or Tags? What are the solutions you guys have implemented?


Thanks in Advance

2 Replies

It really depends on your environment. For example, you can use a per-VLAN category if this is for a single site. Otherwise, use a per-port category for common ports and one group to catch uncommon ports. For multiple sites or multiple units you can use child ACPs as well.

**** please remember to rate useful posts

We too are struggling with this... and trying to have a plan as we look to migrate 600+ rules from ASA. Are there any issues, performance or usability, in using child ACPs as a means of grouping rules by some logical segmentation? i.e. below, with the last ACP in the nest applied to the device.

- BaseACP
  - ChildACP-Campus
    - ChildACP-Server
      - ChildACP-DMZ
        - ChildACP-External_Ingress


Otherwise right now our thought is a BaseACP with a single Child.

- BaseACP - Global Mandatory Rules, SI (IP), Geo Filters in the Default Section.
- Child ACP - Contains the below.
  - Mandatory Categories - Applications and systems that need to override the default policies in the Base ACP. Categories are very specific.
  - Default Categories - Organized by:
    1. Application (mail, DNS, AV)
    2. System (mainly complex systems, to keep rules together, and/or heavily used systems, i.e. Domain Controllers)
    3. Network Segment (1. Campus, 2. Server, 3. DMZ, 4. External-Ingress). This would cover broader/generic access requirements for each segment.
    4. Default Block at the end.
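The rule evaluation order that a nested ACP plan like the one above relies on, as an added illustration that is not from this thread or from Cisco: a small Python model of parent/child access control policy inheritance. It assumes the FMC semantics that ancestor Mandatory sections are evaluated before any child rule and cannot be overridden by a child, while ancestor Default sections are evaluated only after the child's own rules. Policy names follow the reply; the rules and connection records are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    match: Callable[[dict], bool]    # predicate over a connection record

@dataclass
class AccessPolicy:
    name: str
    parent: Optional["AccessPolicy"] = None
    mandatory: list = field(default_factory=list)
    default: list = field(default_factory=list)
    default_action: str = "block"    # leaf policy's default action

def effective_rules(policy: AccessPolicy):
    """Flatten the inheritance chain into evaluation order (assumed FMC
    semantics): ancestors' Mandatory sections outermost-first, then the
    leaf's Mandatory and Default sections, then ancestors' Default sections
    innermost-first. Returns (owning policy name, rule) pairs."""
    chain, p = [], policy
    while p is not None:
        chain.append(p)
        p = p.parent
    chain.reverse()                              # BaseACP first
    ordered = [(p.name, r) for p in chain for r in p.mandatory]
    ordered += [(p.name, r) for p in reversed(chain) for r in p.default]
    return ordered

def evaluate(policy: AccessPolicy, conn: dict):
    """First-match evaluation; returns (action, 'policy:rule') for audit."""
    for owner, rule in effective_rules(policy):
        if rule.match(conn):
            return rule.action, f"{owner}:{rule.name}"
    return policy.default_action, f"{policy.name}:default-action"

# Constructed sample hierarchy (three levels of the reply's nest).
base = AccessPolicy("BaseACP",
    mandatory=[Rule("global-block-badsrc", "block", lambda c: c["src"] == "10.9.9.9")],
    default=[Rule("any-dns-out", "allow", lambda c: c["dport"] == 53)])
campus = AccessPolicy("ChildACP-Campus", parent=base,
    mandatory=[Rule("ldap-to-dc", "allow", lambda c: c["dst"] == "dc01" and c["dport"] == 389)],
    default=[Rule("campus-block-smb", "block", lambda c: c["dport"] == 445)])
server = AccessPolicy("ChildACP-Server", parent=campus,
    default=[Rule("server-smb", "allow", lambda c: c["dport"] == 445 and c["zone"] == "server")])
```

Note that the child's `ldap-to-dc` override never beats the base Mandatory block, which is the property the Base/Child split above depends on.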
