I am using AlgoSec FireFlow for policy deployment in ASA firewalls. AlgoSec requires grouping of multiple IPs/services into a single object.
For example: source 184.108.40.206, 220.127.116.11; destination 18.104.22.168, 22.214.171.124, 126.96.36.199; service: https, ssh, http.
I normally do not club the IPs into a group name, but AlgoSec groups the source as gr-src-reqid, the destination as gr-dst-reqid and the service as gr-srv-reqid, thus creating individual objects for src, dest and service respectively. Therefore, in each deployment request multiple objects will be created. Can this much object creation adversely affect the firewalls? Is it a best practice to do so?
If you are going to use object groups, you can use the command "object-group-search access-control". This optimises ACLs, preventing object group expansion, which reduces memory utilization with minimal additional CPU overhead.
Recommended in the following Cisco Live presentation.
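To see the expansion the answer refers to, the following added example (not from either post, and not AlgoSec or Cisco code) counts how many ACEs each access-list line becomes when its object groups are expanded into the cross-product of their members. The config is constructed: group names follow the gr-src/gr-dst/gr-srv pattern from the question, while the request id 1234, the ACL name, the nested group gr-all-1234 and the documentation-range IPs are assumptions; nested group-object handling goes slightly beyond the case in the question.

```python
import re
from math import prod

# Constructed sample config (documentation IP ranges). Group names follow the
# question's gr-src/gr-dst/gr-srv pattern; "1234" is a made-up request id.
SAMPLE_CONFIG = """\
object-group network gr-src-1234
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network gr-dst-1234
 network-object host 198.51.100.20
 network-object host 198.51.100.21
 network-object host 198.51.100.22
object-group service gr-srv-1234 tcp
 port-object eq https
 port-object eq ssh
 port-object eq www
object-group network gr-all-1234
 group-object gr-src-1234
 group-object gr-dst-1234
access-list OUTSIDE_IN extended permit tcp object-group gr-src-1234 object-group gr-dst-1234 object-group gr-srv-1234
access-list OUTSIDE_IN extended permit ip object-group gr-all-1234 host 203.0.113.5
"""

def parse_groups(config):
    """Map each object-group name to its member lines (still unexpanded)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group \S+ (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.split())
        else:
            current = None  # any other top-level line ends the group
    return groups

def group_size(name, groups, seen=()):
    """Count leaf entries in a group, following nested group-object references."""
    if name in seen:
        raise ValueError(f"circular group-object reference: {name}")
    return sum(group_size(m[1], groups, seen + (name,)) if m[0] == "group-object" else 1
               for m in groups[name])

def expanded_aces(config):
    """Return the expanded ACE count for each access-list line, in order."""
    groups = parse_groups(config)
    return [prod(group_size(r, groups) for r in re.findall(r"object-group (\S+)", line))
            for line in config.splitlines() if line.startswith("access-list ")]
```

On the sample, the first rule (2 sources, 3 destinations, 3 services) expands to 18 ACEs and the second to 5.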