When I have an event logged that I need to allow, is it best practice to clone only the offending rule module and change the rules in that module as needed, or should I also clone the policy and then clone the rules?
This is a new rollout, just so you know.
Do you create new groups to reflect job duties (Accounting, HR, etc.) and then manually add policies?
By default, CSA chooses to create exceptions to rule modules, not change the rules. That keeps your original rules intact. I pretty much follow this unless I have a good reason not to. I don't clone anything unless I'm going to make major changes to the original rules or I'm doing some testing.
Modifying the original rule does have the advantage of not forcing the host to process extra rules but can backfire if the exception is too broad.
All our Desktop and laptop PCs belong to one group so I only have to manage a few policies.
I do create additional groups for specific machine roles and add some PCs to that group as well. For example, we have a group that's allowed to run a web process on a PC, so those in that group can, and no one else is allowed.
When you create an exception to a rule, you are typically creating an 'allow' rule whereas the original rule is a 'deny'. The wizard produces an exception for that specific event. The 'allow' rules are processed before the 'deny' rules. So events will still be blocked if they do not match the criteria of the exception. It is up to you to determine if the exception is overly broad.
I also never put the exception rules into the default policies they are designed to augment. I create a separate policy and sometimes a group just for exceptions (Desktop Exceptions Policy). That way you essentially have one location to look for rules that you have previously created that may be modified if you run into a similar event later. Additionally, if you need to troubleshoot, there is only one location for rules. Typically, I have a "desktop exception policy", a "server exception policy" and sometimes a policy that covers all hosts, such as an Enterprise Exception Policy.
When running the wizard you can specify which policy to place the exception rule in.