Migrate network object group members; risk

john.cunningham · ‎12-30-2013

We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our objects listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in asdm. I see what it is going to do, I am not sure it really helps me clean old objects, it seems low risk, but when I walk up to execution, there are a lot of changes it wants to make. We always save backup configurations but, if there are "gotchas" I don't want to put the company in that position. What has been the communities, Cisco's experience? Thanks for any feedback. jc

Jigar Dave · ‎12-30-2013

John,

if you feel that is risky, you can always go for plan B.

- you can take closure look at the object groups and decide new object naming convention policy.

- from ASDM or CSM, you can see overlapped or duplicate rules, so you can start with reducing them

- you can see same services used in couple of rules with different service groups.

- like object-group service WEB-PORTS tcp

port-object eq http

port-object eq https

object-group service APPLICATION-PORTS tcp

port-object eq http

port-object eq https

object-group service APPS-PORT tcp

port-object eq www

port-object eq https

- you can replace all these different object-group with one object group. like WEB-PORTS.

- same way you can do excercise for network group as well.

hope this helps.

JD...