Hello. We've recently outsourced a large IT project to a very well known solutions provider. The infrastructure is being hosted at their facility, with about 40 servers, segregated into different security zones using an FWSM in a 6500 (our original design). We've recently come to discover that the FWSM, which we bought and is being used only for us, has over 41,000 rules on it already.
After being able to look at the rule base, we've noticed a lot of very strange things. There are approx 20 domain controllers on scattered around various parts of our network, each needing to get out on the network on the exact same ports. But, what we've noticed that what they've done is create a separate rule (ACL) for every server and every port that is needed. This alone translates to somewhere in the neighborhood of 18,000 rules.
Would it not have made sense to use an object group (I'm not an FWSM expert, we assumed the solution provider was) in order to cut down on the number of ACL's, or would it still somehow add up to the same number? We are already almost half way through the allowed number of rules on the FWSM.
Thanks for the response. One thing I'm having trouble wrapping my head around is how we can be using 41,000 rules in an environment that only has 40 servers.
One obvious problem I can see is that only two domain controllers actually exist at the providers location, but they have rules to and from all of them. For example, DC1 --> DC2 on x ports, but neither of these DC's even exist at that location. Apparently someone just got the list of DC's, and entered the same rules for each DC. This accounts for at least 5000 rules that I can count so far.
access-list test permit ip host 10.10.10.1 host 192.168.1.1
Then it will only take two nodes' space and be counted as just one ACE. At the same time, if you have an object group for the source with 5 or 6 hosts and another object group for the destination with 5 or 6 hosts, and allow only TCP ports (maybe 10-20), this will expand into many ACEs.
If you have a lab setup, you are welcome to issue a "clear config access-list" to remove all the access-lists, then add them back one by one and look at the "sh np 3 acl count".
Also, if you issue "sh run access-list" and see ACEs with zero hit counts, you should try to remove them.
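The reply above makes two points that are easy to check numerically: an object-group line is cheap only when the groups are small, because the firewall compiles it into source x destination x port ACEs, and ACEs that never match are candidates for removal. The script below is an added illustration, not code from either poster; it models the expansion with constructed object groups (sample addresses, not the thread's) and scans a constructed, ASA-style "show access-list" output that reports "(hitcnt=N)" per line, which is assumed to match the FWSM's format.

```python
"""Estimate compiled ACE counts for object-group ACLs and flag zero-hit ACEs.

Added example for the FWSM rule-count discussion. All addresses, group
members and the sample 'show access-list' output below are constructed.
"""
import re
from itertools import product

# Constructed object groups: six "domain controllers", six destinations,
# and ten TCP ports commonly opened between them (sample values only).
DC_HOSTS = [f"10.10.10.{i}" for i in range(1, 7)]
DEST_HOSTS = [f"192.168.1.{i}" for i in range(1, 7)]
AD_PORTS = [53, 88, 135, 389, 445, 464, 636, 3268, 3269, 5722]


def expanded_ace_count(src_count, dst_count, port_count=1):
    """ACEs the firewall compiles one object-group line into.

    A host-to-host 'permit ip' line is 1 x 1 x 1 = 1 ACE; groups multiply.
    """
    return src_count * dst_count * port_count


def expand_acl(src_hosts, dst_hosts, ports):
    """Enumerate the (src, dst, port) triples one object-group line covers."""
    return [(s, d, p) for s, d, p in product(src_hosts, dst_hosts, ports)]


# Constructed 'show access-list' output in ASA/FWSM style.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list dc_out line 1 extended permit tcp host 10.10.10.1 host 192.168.1.1 eq 389 (hitcnt=1204) 0x1a2b3c4d
access-list dc_out line 2 extended permit tcp host 10.10.10.2 host 192.168.1.1 eq 389 (hitcnt=0) 0x2b3c4d5e
access-list dc_out line 3 extended permit tcp host 10.10.10.3 host 192.168.1.1 eq 88 (hitcnt=0) 0x3c4d5e6f
access-list dc_out line 4 extended permit tcp host 10.10.10.1 host 192.168.1.2 eq 445 (hitcnt=37) 0x4d5e6f70
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) .*\(hitcnt=(?P<hits>\d+)\)",
    re.MULTILINE,
)


def zero_hit_aces(show_output):
    """Return (acl_name, line_number) for every ACE with hitcnt=0."""
    return [
        (m.group("acl"), int(m.group("line")))
        for m in ACE_RE.finditer(show_output)
        if int(m.group("hits")) == 0
    ]


if __name__ == "__main__":
    print("host-to-host permit ip:", expanded_ace_count(1, 1))
    print(
        f"{len(DC_HOSTS)} src x {len(DEST_HOSTS)} dst x {len(AD_PORTS)} ports:",
        expanded_ace_count(len(DC_HOSTS), len(DEST_HOSTS), len(AD_PORTS)),
    )
    print("zero-hit ACEs in sample:", zero_hit_aces(SAMPLE_SHOW_ACCESS_LIST))
```

The compiled count is what the platform's ACE limit is measured against, so a single neat object-group line can still consume hundreds of ACEs; comparing that figure with "sh np 3 acl count" in a lab, as the reply suggests, shows whether a given group design actually saves space. Rules that only ever exist for hosts not present at the site will show up with hitcnt=0 and are the first ones to review.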