Migrate network object group members; risk

We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our objects listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in ASDM. I see what it is going to do; I am not sure it really helps me clean old objects. It seems low risk, but when I walk up to execution, there are a lot of changes it wants to make. We always save backup configurations, but if there are "gotchas" I don't want to put the company in that position. What has been the community's and Cisco's experience? Thanks for any feedback. jc

1 REPLY
Migrate network object group members; risk

John,

If you feel that is risky, you can always go for plan B.

- You can take a closer look at the object groups and decide on a new object naming convention policy.

- From ASDM or CSM, you can see overlapped or duplicate rules, so you can start with reducing them.

- You can see the same services used in a couple of rules with different service groups.

     - like:

           object-group service WEB-PORTS tcp
            port-object eq http
            port-object eq https

           object-group service APPLICATION-PORTS tcp
            port-object eq http
            port-object eq https

           object-group service APPS-PORT tcp
            port-object eq www
            port-object eq https

- You can replace all these different object-groups with one object group, like WEB-PORTS.

- The same way, you can do the exercise for network groups as well.

hope this helps.

JD...
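The consolidation JD describes (spotting service object-groups that carry the same members under different names) is easy to check from a saved `show running-config` before touching anything in ASDM. The following is an added example, not code from the thread or from Cisco; the sample config is constructed from the three groups quoted above plus one extra group, and the alias table (treating `www` and `http` as the same port keyword) is my assumption about how the config was written, so extend it for your own config.

```python
# Added example (not from the thread): find ASA service object-groups whose
# members resolve to the same set of ports, so they can be merged into one
# group before any rule cleanup. Only protocol-typed groups (tcp/udp/tcp-udp)
# with port-object lines are handled; groups using service-object are skipped.
import re
from collections import defaultdict

# Constructed sample based on the three groups quoted in the reply.
SAMPLE_CONFIG = """\
object-group service WEB-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPLICATION-PORTS tcp
 port-object eq http
 port-object eq https
object-group service APPS-PORT tcp
 port-object eq www
 port-object eq https
object-group service MAIL-PORTS tcp
 port-object eq smtp
 port-object range 1024 2048
"""

# Assumed alias table: ASA accepts both keyword forms for port 80, so
# normalise them or the textual difference hides identical membership.
PORT_ALIASES = {"www": "http"}

def parse_service_groups(config):
    """Return {group_name: (protocol, frozenset(members))}."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object-group service (\S+) (tcp|udp|tcp-udp)$", line)
        if m:
            current = m.group(1)
            groups[current] = (m.group(2), set())
            continue
        m = re.match(r"^\s+port-object (eq|range) (.+)$", line)
        if m and current:
            kind, args = m.group(1), m.group(2).split()
            args = [PORT_ALIASES.get(a, a) for a in args]
            groups[current][1].add((kind, tuple(args)))
    return {k: (p, frozenset(s)) for k, (p, s) in groups.items()}

def find_duplicate_groups(config):
    """Lists of group names sharing protocol and normalised membership."""
    by_members = defaultdict(list)
    for name, key in parse_service_groups(config).items():
        by_members[key].append(name)
    return sorted(sorted(v) for v in by_members.values() if len(v) > 1)

if __name__ == "__main__":
    for names in find_duplicate_groups(SAMPLE_CONFIG):
        print("Mergeable (identical members):", ", ".join(names))
```

Run it against your own exported config to get the candidate list; the actual merge (repointing rules to the surviving group and deleting the rest) is still a change you review and stage with a backup, as the original poster already does.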
