09-03-2019 10:46 PM - edited 02-21-2020 09:27 AM
Hi,
I have a question about the most effective way to create object-groups.
I have two hosts in different public clouds coming into my on-prem network and talking to two hosts in the same network behind a firewall. What would be the best way to create object-groups and make ACLs?
Options:
1. Should I create a separate object-group for each host and make an ACL accordingly?
2. Should I create a single object-group for the hosts in the public cloud and another object-group for the hosts in the internal network, and map them with an ACL?
3. Should I create a separate object-group for each host in the public cloud and a single object-group for the internal hosts, and create 2 ACLs mapping the first public object-group to the internal object-group and the second public object-group to the internal object-group?
Please provide me with suggestions; as the connections are coming from a public network, I want the firewall rules to be more precise.
09-04-2019 12:25 AM
Personally I would go with one object-group for the external hosts and one for the internal hosts,
since most of the traffic is coming from the outside interface and going to the inside interface,
until you have a different nameif and a different context in place.
09-04-2019 02:42 AM
The question is more what your security policy mandates here. If you use the host-to-host approach (probably also including services), then it is more precise, but also more work. But typically this is the way to go to only allow the traffic that is really needed.
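As an added illustration of the group-to-group approach from the first reply, narrowed with a service group as the second reply suggests (this is example configuration, not anything posted in the thread; the object names, addresses and ports are placeholders):

```text
! Added example, not the poster's configuration. Addresses, names and
! ports are placeholders; replace them with the real hosts and the
! services those hosts actually use.

! One network object per host, so each address can be referenced on its own
object network CLOUD-HOST-A
 host 198.51.100.10
object network CLOUD-HOST-B
 host 203.0.113.20
object network INT-HOST-1
 host 10.1.1.11
object network INT-HOST-2
 host 10.1.1.12

! Group the cloud hosts and the internal hosts (option 2 from the question)
object-group network CLOUD-HOSTS
 network-object object CLOUD-HOST-A
 network-object object CLOUD-HOST-B
object-group network INTERNAL-HOSTS
 network-object object INT-HOST-1
 network-object object INT-HOST-2

! Only the TCP services the application really needs (placeholder ports)
object-group service CLOUD-TO-INTERNAL-SVC tcp
 port-object eq 443
 port-object eq 5432

! ACL applied inbound on the outside interface: one group-to-group line
! stands in for four host-to-host lines. If each cloud host may only reach
! one internal host, split this into per-host lines instead (option 3).
access-list OUTSIDE-IN extended permit tcp object-group CLOUD-HOSTS object-group INTERNAL-HOSTS object-group CLOUD-TO-INTERNAL-SVC

! Explicit deny with logging ahead of the implicit deny, so rejected
! attempts from the public side are visible in syslog
access-list OUTSIDE-IN extended deny ip any any log

access-group OUTSIDE-IN in interface outside
```

On ASA 8.3 and later the ACL references the real (inside) addresses of the internal hosts even when they are NATed, and `show access-list OUTSIDE-IN` expands the object-groups into the individual entries with per-entry hit counts, which is a quick way to confirm which pairings are actually being used.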