
Archive for January, 2011

Simplifying Large Firewall Rulesets by Aggregating Primitive Rules

Tuesday, January 25th, 2011

Recently we have seen a problem in some organizations where a management console was being used to automatically generate firewall rules across multiple firewalls. These consoles tend to generate many very simple, primitive rules, each specifying a single source, destination, and service, and none of them using object groups. Over time the console accumulates a large number of these primitive rules, resulting in very large rulesets. The problem is compounded when the network administrators decide to switch to a different firewall management product: suddenly they are faced with a large and complex rulebase that is difficult to understand and manage.

The size of the rulebase in each firewall can be significantly reduced by a rule-aggregation process that creates large address and service objects, together with new replacement rules that use them. This can yield order-of-magnitude reductions in the number of rules in the rulebase.

The process begins by creating objects on one dimension at a time (source, destination or service), choosing objects by the number of rules they cover in that dimension. This step requires powerful analysis capabilities and cannot be done manually or with simple scripts. Further iterations then create replacement rules that contain objects in two dimensions, and finally in all three. Athena FirePAC, unlike other firewall analysis products, provides features such as content-based rule search and filtering on source, destination, and service elements to quickly isolate the rules that can be aggregated. FirePAC can also create scripts that generate the replacement rules at each iterative step, minimizing errors.
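As an added illustration (example code, not FirePAC's or the post's own), here is a small Python model of that iteration: each pass aggregates on the one dimension whose object would cover the most rules, and repeated passes produce two- and then three-dimension objects. Rules are assumed to be dicts with `src`, `dst`, `svc` and `action` fields, the sample ruleset is constructed, and rules are merged only within runs of consecutive same-action rules so the original permit/deny ordering is never disturbed.

```python
from collections import defaultdict

DIMS = ("src", "dst", "svc")

def _as_set(value):
    # Scalars become single-member object groups; existing groups pass through.
    return value if isinstance(value, frozenset) else frozenset([value])

def _merge_run(run, dim):
    # Merge rules (all sharing one action) that differ only in `dim`.
    others = [d for d in DIMS if d != dim]
    groups = defaultdict(set)  # insertion-ordered, so rule order is kept
    for rule in run:
        groups[tuple(_as_set(rule[d]) for d in others)] |= _as_set(rule[dim])
    merged = []
    for key, members in groups.items():
        new = dict(zip(others, key), action=run[0]["action"])
        new[dim] = frozenset(members)
        merged.append(new)
    return merged

def aggregate(rules, dim):
    # One pass on one dimension. Only consecutive same-action rules merge, so a
    # deny between permits keeps its place; same-action rules may be reordered freely.
    out, run = [], []
    for rule in rules:
        if run and rule["action"] != run[0]["action"]:
            out.extend(_merge_run(run, dim))
            run = []
        run.append(rule)
    return out + (_merge_run(run, dim) if run else [])

def coverage(rules, dim):
    # Rules a pass on `dim` removes: the post's criterion for picking a dimension.
    return len(rules) - len(aggregate(rules, dim))

def simplify(rules):
    # Repeat passes on the best-covering dimension until nothing more merges;
    # successive passes produce two- and then three-dimension object groups.
    while True:
        best = max(DIMS, key=lambda d: coverage(rules, d))
        if coverage(rules, best) == 0:
            return rules
        rules = aggregate(rules, best)

# Constructed sample (not from the post): 12 console-style primitive permits, then a catch-all deny.
PRIMITIVE = [{"src": s, "dst": d, "svc": p, "action": "permit"}
             for s in ("10.1.0.5", "10.1.0.6", "10.1.0.7")
             for d in ("192.0.2.10", "192.0.2.11")
             for p in ("tcp/80", "tcp/443")]
PRIMITIVE.append({"src": "any", "dst": "any", "svc": "any", "action": "deny"})
```

`simplify(PRIMITIVE)` collapses the 13 rules to 2 (one permit using three object groups, plus the deny); inserting the deny in the middle of the permits instead leaves 5 rules, because the rules on either side of it cannot be merged across it.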

When multiple firewall configurations are involved, it is also good practice to standardize the objects used across the firewalls for better management. Athena Security has special tools and processes for object standardization and automated generation of all the firewall configurations using the standardized objects.

Check out FirePAC’s features for rule and object cleanup. You can download it for free and have it up and running in minutes.

Athena releases support for Cisco ASA 8.3

Thursday, January 6th, 2011

The new Cisco ASA 8.3 offers SSL VPN benefits that you may well need.

But upgrading to Cisco ASA 8.3 requires awareness and caution around the significant architectural differences involving NATs and ACLs.

To understand these issues in more detail, see a very helpful post by David White on Cisco’s Support Forum and read the post by Athena’s Chandra Reddy.

Rather than throwing everything out and re-writing your NATs from scratch (as some frustrated users have suggested), you can turn to solutions like Athena FirePAC to make the transition far easier and also validate that your upgrade has been completed correctly.

With the new FirePAC support for Cisco ASA 8.3, Athena has taken special care to understand all of the pitfalls that can occur when migrating to ASA 8.3 and offers two significant ways to help you accomplish this task:

How Athena FirePAC can help for ASA 8.3

  1. Traffic flow analysis for the new ASA 8.3 model. This is really useful as a troubleshooting tool for the new ASA model, especially during the initial phases when it is still unfamiliar to users.
  2. Identifying gaps between the original and migrated configurations. Athena FirePAC can be used to understand:
    1. Whether the NAT rules with NAT-control enabled are migrated properly
    2. Whether the various exceptions that are possible when NAT control is enabled are migrated properly
    3. Whether the various exceptions that apply even when NAT control is disabled are migrated properly
    4. Whether the implicit twice NAT rules are migrated properly
    5. Whether the order of the Dynamic NAT, Static NAT, Identity NAT, and NAT Exemption statements is preserved
    6. Whether mapped addresses are replaced with the real IP addresses when migrating the access lists

Athena Security is committed to offering tools that make enterprise firewalls easier to use and manage. NAT confusion is one of the most common reasons that firewalls do not behave as intended. For more information on how to address firewall complexity, check out the focused solution options available in Athena FirePAC.



Copyright © 2006-2009 Athena Security, Inc. All Rights Reserved. AthenaVerifyTM and Athena FirePACTM are trademarks of Athena Security, Inc.

Inside the Firewall is proudly powered by WordPress