Best strategy for large scale rule base modifications

Unanswered Question
Feb 25th, 2008

I am going to be doing a very significant number of config changes to a production PIX 525. This includes removing entire access lists and some objects, shutting down some unused interfaces, adding some new object groups, removing some access list entries in rules, etc. Essentially, it is a major spring clean. I'm debating whether to just totally erase the existing config and TFTP the new one straight in, or edit the current one bit by bit to get it how I want it. My instinct is just to erase and load the new config. This feels like the cleanest, least risky option (obviously I will back up configs). The PIX can have some downtime as it is part of a failover pair. So, what is the intelligence here? Do the mods in one clean hit, or carefully modify the existing config in "piecemeal fashion"?

By the way, the current config is 20 pages long. My mods reduce this to 12. Thanks in advance.

didyap Fri, 02/29/2008 - 12:41

The better option would be to erase the entire configuration and then copy the new one in one go. This will take only a small amount of time but will save a lot of the effort that would be required for troubleshooting if the step-by-step process does not go smoothly.

onlyabhishek007 Fri, 03/07/2008 - 00:27

First, plan the new configuration which you need to implement on the firewall, then copy your current configuration into Notepad and edit it as you need. Then, taking downtime, erase the config and copy the new configuration from Notepad to the PIX.
