FWSM config help

S891
Level 2

Hi,

I have a few questions about FWSM configuration and best practices.

1. I have internal and external networks on both sides of the FWSM. All the VLANs/IPs/ports that need to be filtered on both inside and outside are remote from the FWSM and are only learned via layer 3 routing. Is it OK to configure only two interfaces on the FWSM, INSIDE and OUTSIDE, and route traffic accordingly?

2. Internal VLANs each have different security ACL policies. How do I differentiate between them when creating ACL rules when using only the INSIDE interface for all networks? I guess one way to do it is to create multiple object groups for each VLAN and define ACLs accordingly?

3. Is it OK if you mix and match multiple permit and deny statements in this case? For example, for one object group there will be some deny and some permit statements, and then for the next object group there will be some deny and permit statements. Does it work? Is it scalable?

4. When a packet arrives on the interface, is the entire ACL checked, or does it exit as soon as it matches a permit or deny?

5. Do you need to specify an explicit deny at the end, or is it there by default?

Thanks

3 Replies

Jouni Forss
VIP Alumni

Hi,

  1. I guess you don't have a choice if you can't somehow separate the different networks and bring them to the FWSM with their own interfaces, and in this way simplify each interface's/network's rules regarding the FWSM? In general I don't see a problem with having only 2 interfaces, but I don't really know what kind of network you are talking about.
  2. I imagine that's your only chance if you can't bring different VLANs to the FWSM with their own interfaces. If you have a lot of different networks to manage with ACLs, object-groups should make the job of creating and managing those ACLs a bit easier.
    • It seems to me that all traffic between these VLANs isn't passing through the FWSM but through a router? Only the traffic from LAN to WAN networks would pass through the FWSM?
  3. I wouldn't think it's that uncommon to do that. Usually when you just can't permit all traffic, there's usually first a "Deny" rule to limit some source networks' connections and then permit the rest.
    • I think it should work, but it all depends on how large the network in question is? I have run into a situation previously where a customer wanted to build very specific rules for a very large amount of networks on a FWSM (running in multiple context mode). Eventually the FWSM resource limit was hit and no more ACEs/ACLs could be configured. The only options were to clear up the ACLs or change the resource allocation on the FWSM (as other contexts didn't need as many resources).
  4. To my understanding the ACL is gone through from top to bottom until the first match.
  5. If you only allow exactly what you need to allow, you won't have to add any additional "Deny" rules.

- Jouni

Thanks for your reply, Jouni.

1. Internal networks are a mix of user VLANs, server farms etc. The external network is all Internet. This FWSM is going to be on the Internet perimeter router.

2. I cannot bring internal VLANs to the FWSM and make it the L3 gateway. Traffic between all internal VLANs is through routers. It is only when they need to go to the Internet that they will pass through the FWSM.

3. I am guessing for each object group there will be "deny" statements at the top and then "permit" statements.

Can it be multiple permit statements and then "deny all" for the object group? It is not a very large network.

Hi,

There is really no limitation on how many permit or deny statements to have other than the device's resources (which probably won't be the case) and that there can't be 2 identical statements (an exception to this is configuring an ACL line and there also being that identical rule in an ACL rule which uses an object-group).

A normal case where you might have permit and deny ACL rules after each other is, for example, first allowing SMTP connections to some servers, then blocking all the rest of the SMTP connections in the next ACL rule.

- Jouni
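
The thread's points about mixing permit and deny entries per object-group, top-to-bottom first-match evaluation, the implicit deny at the end of the list, and the "permit SMTP to some servers, then deny the rest" pattern can be illustrated with a small model of how an FWSM walks an extended ACL. The following Python is an added example for this thread, not Cisco code and not anything the posters wrote; the object-group names, VLAN ranges and addresses in SAMPLE_CONFIG are constructed, and the parser only handles the subset of access-list syntax shown (numeric ports after `eq`, `any`, `host`, `object-group` and network/mask addresses).

```python
import ipaddress

# Constructed FWSM-style configuration (hypothetical names and addresses).
# Two user/server ranges share the single INSIDE interface and are told
# apart only by object-groups, as discussed in the thread.
SAMPLE_CONFIG = """
object-group network USER_VLANS
 network-object 10.10.0.0 255.255.0.0
object-group network SERVER_FARM
 network-object 10.20.0.0 255.255.0.0
object-group network MAIL_SERVERS
 network-object host 10.20.5.25
access-list INSIDE_IN extended deny tcp object-group USER_VLANS any eq 23
access-list INSIDE_IN extended permit tcp object-group USER_VLANS any eq 80
access-list INSIDE_IN extended permit tcp object-group USER_VLANS any eq 443
access-list INSIDE_IN extended permit tcp object-group MAIL_SERVERS any eq 25
access-list INSIDE_IN extended deny tcp object-group SERVER_FARM any eq 25
access-list INSIDE_IN extended permit ip object-group SERVER_FARM any
"""


def parse_network(tokens):
    """'host A' or 'A MASK' -> ip_network."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False)


def parse_address(tokens, groups):
    """Consume one source/destination spec; return (networks, remaining tokens)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [parse_network(tokens[:2])], tokens[2:]


def parse_config(text):
    """Build {group: [networks]} and {acl_name: [ACEs in configured order]}."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["object-group", "network"]:
            current = tokens[2]
            groups[current] = []
        elif tokens[0] == "network-object":
            groups[current].append(parse_network(tokens[1:]))
        elif tokens[0] == "access-list":
            name, action, proto, rest = tokens[1], tokens[3], tokens[4], tokens[5:]
            src, rest = parse_address(rest, groups)
            dst, rest = parse_address(rest, groups)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append(
                {"line": raw.strip(), "action": action, "proto": proto,
                 "src": src, "dst": dst, "port": port})
    return groups, acls


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First-match evaluation: return (action, index of matching ACE).
    No match means the implicit deny at the end of the list: ('deny', None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not any(src in n for n in ace["src"]):
            continue
        if not any(dst in n for n in ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], idx          # stop at the first match
    return "deny", None                     # implicit deny


GROUPS, ACLS = parse_config(SAMPLE_CONFIG)


def check(proto, src_ip, dst_ip, dport):
    """Evaluate a flow against the constructed INSIDE_IN ACL."""
    return evaluate(ACLS["INSIDE_IN"], proto, src_ip, dst_ip, dport)


if __name__ == "__main__":
    # The mail server is in both MAIL_SERVERS and SERVER_FARM; the earlier
    # permit wins, the later SERVER_FARM SMTP deny only catches the others.
    for flow in [("tcp", "10.10.1.5", "198.51.100.10", 80),
                 ("tcp", "10.10.1.5", "198.51.100.10", 23),
                 ("tcp", "10.20.5.25", "198.51.100.10", 25),
                 ("tcp", "10.20.7.7", "198.51.100.10", 25),
                 ("udp", "10.10.1.5", "198.51.100.10", 53)]:
        action, idx = check(*flow)
        hit = ACLS["INSIDE_IN"][idx]["line"] if idx is not None else "implicit deny"
        print(f"{flow} -> {action} ({hit})")
```

The ordering shown is the one both replies describe: the specific SMTP permit for the mail host sits above the SMTP deny for the whole server farm, so swapping those two lines would silently block the mail server, and the UDP flow at the end hits no entry at all and is dropped by the implicit deny without any explicit "deny ip any any" being configured.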
