Using Management Center for Firewalls 1.2
Configuring Access Rules

Table of Contents

Configuring Access Rules
How a Firewall Device Stores Access Rules
What's New
Using Categories, Color-Coding, and Filtering
Configuring Access Rule Tables
Optimizing Your Policy Rules and Performance

Configuring Access Rules


Access rules are used to define your network security policy; they control the traffic that flows through a firewall device. Access rules form an ordered list, which is represented in Firewall MC as a table. Rules are processed by a firewall device from first to last. When a rule matches the network traffic that a firewall device is processing, the firewall device uses that rule's action to decide whether the traffic is permitted. To access this feature, select Configuration > Access Rules.

Access rules comprise conditions and actions. A condition describes a traffic stream of packets. You define constraints on the source and destination device, the service (for example, protocols and ports), and the incoming interface. An action describes what should occur based on the conditions set. For example, if the packet stream meets all conditions as described and the action is set to permit traffic, the packets are sent to the destination device.

Access rules use the concept of access lists to describe how an entire subnet or specific network host interacts with another to permit or deny a specific service, protocol, or both.

Each access rule defined in Firewall MC will eventually correspond to a single entry in the ACL for an interface on a particular firewall device. Access rules can be applied to the Global group, its subgroups, or individual devices. Access rules are grouped by the interface on which they are configured and enforced. Firewall MC sorts the rules by interface and uses the remaining information in the rule to create the ACE that will be included in the ACL for that interface.

Firewall MC is based on a hierarchical list of device groups containing firewall devices. Each group (also referred to as a scope) has two sets of access rules (mandatory and default); each device has one set of access rules (default). The mandatory and default access rule sets generate a block of ACEs. These ACEs are concatenated to form the ACL for an interface on the firewall device. Within each group, access rules are evaluated in the same order as you configure them. This is the default method used to permit or block traffic. The order of concatenation is:

1. Mandatory access rules.

2. Device access rules.

3. Default access rules.


Note   To determine the rules that apply to a device, you identify the mandatory rules for each enclosing group before rules set at the device level, then identify the default rules for each enclosing group after rules set at the device level.

The ACEs from the mandatory rules are ordered from the highest group (Global) down to the group that directly contains the device; these rules cannot be overridden. The ACEs from the default rules are ordered in the opposite direction and can be overridden.

It is likely that the resulting ACL will have ACEs that are either redundant or conflicting. Because a firewall device uses the first-match method to evaluate ACLs, these extraneous entries do not cause a problem. Mandatory rules are listed first, so they will take precedence over any rules that come later. The device rules will take effect only if no relevant mandatory rules apply. Finally, the default rules will apply if no mandatory or device-specific rules apply.

In addition to the mandatory and default scope settings, Firewall MC divides access rules into three categories:

  • Firewall rules—Rules that permit or deny a packet based on source address, destination address, source interface, and service. For more information on firewall rules, see Inserting or Editing a Firewall Rule.
  • AAA rules—Rules that control authentication, authorization, or accounting for traffic.

To define AAA rules, you must first define the rule on the firewall device in the firewall rules table. The firewall rule defines the traffic between the source and destination, and identifies the services for which the rule applies.

After you identify the source and destination for which traffic is permitted, you must define the rules in the AAA Rules table and identify the AAA control type. For more information on AAA rules, see Inserting or Editing an AAA Rule.

  • Filter rules—Rules that filter URLs using a filtering server such as Websense. (Currently, only URL filtering is supported in this release.)

To define filter rules, you must first define the rule on the firewall device in the firewall rules table. The firewall rule defines the traffic between the source and destination, and identifies the services for which the rule applies. After you identify the source and destination for which traffic is permitted, you must define the rules in the Web Filter Rules table and determine whether to permit or deny traffic if the filter server is unavailable. For more information on filter rules, see Inserting or Editing a Web Filter Rule.

When you select Configuration > Access Rules, the page opens to display the default firewall rules for the scope selected. If no scope is selected, the Global scope is displayed.


Note   Access rules defined at the device level must be defined from Firewall MC in order to be displayed in the access rules tables.

Rules and other changes entered directly to the device are not recognized by Firewall MC. If the device has several changes that you want recognized by Firewall MC, you must delete the device, then reimport it; however, doing so results in the loss of any previous hierarchical structure, as all settings will be defined at the device scope.

If permanent changes are entered directly to the device, you can be made aware of such changes by requesting that Firewall MC generate an error or warning before you deploy updated configurations to the device. To access this feature, select Configuration > MC Settings > Management.

  • A warning permits the deployment to continue and a message appears in the deploy status window.
  • An error denies the deployment.

For more information, see Configuring Management Controls.

Before you can understand how Firewall MC generates the access rules list from its settings, you must understand how a firewall device stores access rules and how those rules are used.

Topics for discussion include:

How a Firewall Device Stores Access Rules

A firewall device uses the Adaptive Security Algorithm (ASA) to allow one-way (inside to outside) connections without an explicit configuration for each internal system and application. An example of ASA in action is FTP. The ASA analyzes the contents of the FTP control channel to allow dynamic access to the correct FTP data channels. You can configure exceptions to this algorithm so that certain traffic can access your higher security interfaces.

The ASA is a stateful approach to security. Every inbound packet is checked against the ASA and against any connection-state information in memory. This approach is regarded in the industry as being far more secure than a stateless packet-screening approach.

Each interface on the firewall device is associated with a list of access control entries (ACEs), called an access control list (ACL). An ACL is an ordered list of rules that describe how an entire subnet or specific network host interacts with another to permit or deny a specific service, protocol, or both. You can also define authentication, authorization, and accounting (AAA), and web filtering.

Each ACE describes network traffic based on source IP address, destination IP address, protocol, and possibly ports. Each ACE has an action to permit or deny. When a packet arrives at the firewall device, the device checks the ACL for the interface on which the packet has arrived. The device then evaluates the ACEs in the ACL, looking for the first one that matches the packet.

When the firewall device finds a matching ACE, the device performs the associated action either permitting the packet into the firewall device for further processing or denying entry to the packet. After finding a matching ACE, the device looks no further. If no ACE matches the packet, the packet is denied.
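The scope ordering described under Configuring Access Rules (mandatory rules top-down, then device rules, then default rules bottom-up) and the first-match evaluation with implicit deny described just above, worked through as an added Python simulation. This is illustration code, not Firewall MC or firewall device code; the group names, rule names, addresses and the CIDR and "proto/port" notation are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One access rule as entered in a Firewall MC rule table (one future ACE)."""
    action: str      # "permit" or "deny"
    source: str      # source address(es) in CIDR form; 0.0.0.0/0 means any
    dest: str        # destination address(es) in CIDR form
    service: str     # constructed notation: "any", "tcp/any", "tcp/80", "udp/53"
    interface: str   # source interface whose ACL receives the ACE
    name: str = ""   # description, used here to trace which rule matched


@dataclass
class Scope:
    """A device group with its two rule sets; a device has only a default set."""
    name: str
    mandatory: List[Rule] = field(default_factory=list)
    default: List[Rule] = field(default_factory=list)


def build_acl(path: List[Scope], device_rules: List[Rule], interface: str) -> List[Rule]:
    """Concatenate the ACEs for one interface of one device.

    path lists the enclosing groups from Global down to the group that
    directly contains the device. Mandatory rules are emitted top-down
    (Global first), then the device's own rules, then default rules
    bottom-up (innermost group first, Global last).
    """
    acl: List[Rule] = []
    for scope in path:                      # Global ... innermost group
        acl += [r for r in scope.mandatory if r.interface == interface]
    acl += [r for r in device_rules if r.interface == interface]
    for scope in reversed(path):            # innermost group ... Global
        acl += [r for r in scope.default if r.interface == interface]
    return acl


def service_matches(rule_service: str, proto: str, port: int) -> bool:
    """Match a rule's service against a packet's protocol and destination port."""
    if rule_service == "any":
        return True
    rule_proto, _, rule_port = rule_service.partition("/")
    if rule_proto != proto:
        return False
    return rule_port in ("", "any") or int(rule_port) == port


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """First-match evaluation: the device stops at the first matching ACE.

    Returns (action, rule name). A packet that matches no ACE is denied by
    the implicit rule at the end of every ACL.
    """
    for rule in acl:
        if (ip_address(src) in ip_network(rule.source)
                and ip_address(dst) in ip_network(rule.dest)
                and service_matches(rule.service, proto, port)):
            return rule.action, rule.name
    return "deny", "implicit deny"


def example() -> dict:
    """Constructed hierarchy: Global > branch-offices > one device, inside interface."""
    glob = Scope(
        "Global",
        mandatory=[Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "tcp/23", "inside",
                        "global-mandatory-no-telnet")],
        default=[Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "inside",
                      "global-default-deny")],
    )
    branch = Scope(
        "branch-offices",
        mandatory=[Rule("permit", "192.168.1.0/24", "0.0.0.0/0", "tcp/80", "inside",
                        "branch-mandatory-http")],
        default=[Rule("permit", "192.168.1.0/24", "0.0.0.0/0", "any", "inside",
                      "branch-default-permit")],
    )
    # Device-level rule that tries to allow telnet into 10/8. It cannot override
    # the Global mandatory deny, because mandatory ACEs are emitted first.
    device_rules = [Rule("permit", "192.168.1.0/24", "10.0.0.0/8", "tcp/23", "inside",
                         "device-telnet")]
    acl = build_acl([glob, branch], device_rules, "inside")
    return {
        "acl_order": [r.name for r in acl],
        "telnet": evaluate(acl, "192.168.1.5", "10.1.1.1", "tcp", 23),
        "http": evaluate(acl, "192.168.1.5", "198.51.100.10", "tcp", 80),
        "ssh": evaluate(acl, "192.168.1.5", "198.51.100.10", "tcp", 22),
        "other_subnet": evaluate(acl, "172.16.0.9", "198.51.100.10", "tcp", 443),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

The "ssh" case shows why default rules are overridable: the branch group's default permit is concatenated before the Global default deny, so it wins under first-match, while the device's telnet rule is shadowed by the Global mandatory deny above it.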

What's New

If you are a previous user of Firewall MC and you upgraded to Firewall MC release 1.2, you will notice design enhancements to the access rules tables:

  • Color-coding is now available for rules in a rule table, which helps you locate rules easily. For more information, see Using Categories, Color-Coding, and Filtering.
  • A new rules table format was designed that allows you to filter and sort a category in the rules tables, eliminating the need to review all rules in the table.
  • You can right-click in the rule tables to select the buttons shown at the bottom of the table. This simulates the act of clicking the button.
  • Wizard pages were replaced with popup windows to accelerate the process of defining and editing access rules.
  • You now can log events according to specific ACL entries (ACE) in Firewall Rule tables. For more information, see Logging Events for an ACE.
  • You can optimize your policy rules and improve system performance to dramatically compress the number of access rules required to implement a particular security policy. For more information, see Using Group Discovery.

Using Categories, Color-Coding, and Filtering

The Categories feature is designed to provide an intermediate level of detail to objects to help you categorize and readily identify rules and building blocks in access rule tables. You can assign a category to a rule or building block when you create the rule, or you can edit the rule or building block to include category information later.

Each category is assigned a background and foreground color that is displayed in the access rule tables. Depending on your specific needs, you can use color to display rules based on the rule category, building block objects based on the building block category, or both. You can also choose to use no color-coding at all. Default categories and color combinations are provided; however, you can create your own categories and assign different background and foreground color combinations to them.

Before you can use the categories feature in a rule table, you must define the categories. To access the Categories feature, select Configuration > Building Blocks > Categories. For information on how to configure categories, see Using Categories and Color-Coding.

After you define your categories in building blocks, the next step is to assign a category to an access rule. You can select a category from a list when you insert or edit a rule. The list contains all categories that you previously defined in building blocks.

Topics for discussion include:

Examples of Associating Color-Coding with Access Rules

  • An e-commerce customer implemented a B2B network. This customer recently had to shut down the site for more than 1 day because partner connectivity was disrupted and no sales orders could be taken. The diagnosis revealed that certain ACLs for the B2B partners were inadvertently deleted.

This e-commerce customer needs the capability to associate a color (for example, red) with all access rules that are vital for the B2B network. All security admins and network admins at the company require written permission from the CIO before they can modify or delete any red rules.

  • The economic downturn forced a start-up company to create nonfinancial incentives to retain its employees. The CTO would like to allow MP3 files to be downloaded in the test lab so engineers can listen to music while they work. This is a contentious issue for the managers and lab administrators at other development sites.

The start-up company would like the capability to associate a color (for example, green) with all rules that relate to downloading MP3 files to the engineering labs. This would allow each development site to readily change the rules depending on the decision of each site.

  • A service provider must reduce costs by 50 percent or go out of business. After a lengthy investigation, the company discovered it could reduce the security budget by 50 percent by "re-using" existing firewalls for multiple customers. The company wants to explore the possibility of hosting 10 customers on a single firewall. Virtualization is not an option since capital expenditures were cut for new purchases until calendar year 2004.

The service provider needs to associate rules belonging to each customer in a single rule table, and to associate a color for each customer's rules to allow for easy debugging of specific customer problems. The service provider estimates more than 5,000 rules for the 10 customers and needs the capability to find all rules for each customer.

  • The security operations staff of an Enterprise 100 company estimates that they spend 20 percent of their time dealing with complaints from the Finance department. The Finance department is quick to report any delays in accessing their applications and has learned they can blame network outages as an excuse for not delivering financial reports on time.

The Enterprise 100 company wants to identify any rule that will affect the Finance department's access to key applications. The rules that affect the Finance department should be displayed with a color so the Security Operations department can maintain these rules and verify how often the Finance department is trying to access their applications.

Understanding the Rule Table User Interface

Figure 11-1 shows the user interface for setting color-coding, highlighting, and filtering features in the rule tables.


Figure 11-1   Rule Table User Interface for Color-Coding, Highlighting, and Filtering


Figure 11-1 Reference / Element / Description
1

Column list

Displays all rule table column headings. Options are:

  • Permit
  • Source Address
  • Dest Address (Destination Address)
  • Source I/F (Interface)
  • Service
  • Syslog Level
  • Logging Interval
  • Enabled
  • Category

Note Column headings vary depending upon the table you are viewing.

2

Text field

Allows you to specify an element based on your selection in the column list.

3

Filter icon

Displays all rules based on the filtering selection.

4

Highlight icon

Highlights all rules associated with the selected category.

5

Color list

Displays color selections. Options are:

  • None—(Default). No color-coding is used.
  • Rules—All rules associated with the selected category are color-coded.
  • Building Blocks—All building blocks associated with the selected category are color-coded.

Note Figure 11-1 shows color-coding being used to display rules in the table.

6

Popup icon

Opens an expanded popup window.

7

Action buttons

Displays the menu of action buttons used in the rule tables. You open this popup menu by right-clicking inside the rule table; selecting an entry simulates the act of clicking the corresponding button.

8

Remove Filter icon

Removes filtering query results and displays rule table in its entirety.

Note The Remove Filtering icon is visible only after you request Filtering.

9

Filter field

Displays initial filtering query request. Allows you to make a nested filter query request based on initial filtering query request results.

Note The Filter field is visible only after you request Filtering.

Table 11-1 defines the action buttons used to configure access rules.

Table 11-1   Access Rule Tables Action Buttons

Action Button Description

Insert

Adds a row in an ordered table.

Edit

Edits an existing row in a table.

View

Shows information in read-only mode.

Copy

Copies a row in a table.

Cut

Removes a row in a table.

Paste

Pastes a row that was copied or cut from a table.

Delete

Removes a row from a table.

Discover Groups

Analyzes and restructures ACLs into groups to facilitate maintenance and offer greater ease-of-use when you view rule tables. See Using Group Discovery.

View All

Displays all rules (mandatory and default) defined from Global down to the current scope.

Using the Filter Feature

The rule table can be filtered based on a particular value in a column, making it easier for you to reduce the number of visible rows and maintain objects in the rule tables.


Step 1   Select the column to filter from the column list (for example, Service).

Step 2   Enter an element to filter based on your selection in the column list (for example, TCP). Text is not case-sensitive.

Step 3   Click the Filter icon.

The table displays a subset of the total rows that include your selected filter criteria.

Step 4   To use color-coding, select from the Color list whether to color rules in the table (colors the entire row), or building blocks (colors building block objects) contained within rules in the table.

Step 5   After you view the results, you can do either of the following:

  • Remove the filter by clicking the Remove Filtering icon.
  • Make another filter request based on the initial filter results (nested filtering).




Using the Highlight Feature

The Highlight feature allows you to search for a particular value in the table without trimming the data displayed. When you highlight a row, the row number changes to display a white foreground and black background.


Step 1   Select the column to highlight from the column list (for example, Service).

Step 2   Enter an element to highlight based on your selection in the column list (for example, TCP). Text is not case-sensitive.

Step 3   Click the Highlight icon.

The table highlights the row numbers of all rows that match your selected highlight criteria.

Step 4   To remove highlighting, click the Highlight icon again.





Important Notes About Access Rules

  • Access rules are listed sequentially and are applied in the order in which they appear in the Access Rules table. An unwritten rule denies all traffic that is not explicitly permitted.
  • Access rules are grouped by the interface on which they are configured and enforced. Within each group, access rules are evaluated in the same order as you configure them. This is the default method for permitting or blocking traffic.
  • On the outside interface, all hosts are visible to hosts on all other interfaces. Hosts on a medium security interface are, by default, visible to hosts on higher security interfaces, but not visible to hosts on lower security interfaces unless the appropriate NAT rules have been created.
  • Rules can be applied at the global level, a group level, or to individual devices. The action can pertain to any of the following:
    • Approval (permit or deny)
    • AAA requirements
    • Passing traffic through a URL filter
  • When rules are shown at the device scope, the table is labeled as default. No mandatory setting exists at the device scope.
  • A firewall device configured from Firewall MC uses access control lists (ACLs). ACLs allow you to specify whether your firewall device should permit or block a connection from a network or host on one interface to a network or host on a different interface.
    • A PIX Firewall permits traffic from inside to outside (default) unless specifically denied in an ACL.
    • A Firewall Services Module (FWSM) denies inbound and outbound traffic (default) unless specifically permitted in an ACL.
  • Firewall MC generates only configuration files with ACLs. Conduits and outbound lists are not supported. Therefore, you must use the conversion tool on configurations with conduits and outbound lists before they can be deployed.
  • We recommend that you define translation rules and building blocks (for example, network groups, service groups, and AAA server groups) before defining rules. If you are using auto-identity NAT, you do not need to define translation rules first.

Logging Events for an ACE

Firewall MC provides the ability to log events on any specific ACE in the Firewall Rule tables. Statistics and logging are provided for each flow. A flow is defined by source interface, protocol, source IP address, source port, destination IP address, and destination port. The statistics retained are the number of traffic requests permitted and denied associated with a flow by an ACE over a specified period of time. You can configure the statistics retained for each ACE according to your own needs.

When you configure a rule in the Firewall Rule table, you can enable logging for each access rule, along with a specified syslog level and interval of time.

To log events for an ACE, you must first enable the ACL Syslog setting. To access the ACL Syslog setting, select Configuration > Device Settings > Logging > ACL Syslog. For more information, see Generating Enhanced Audit Data for Firewall Rules.

Configuring Access Rule Tables

Topics for discussion include:

Inserting or Editing a Firewall Rule


Note   Use the same procedure to configure mandatory and default firewall rules for all scopes.

Before You Begin

Recommended but not required: Define a network object identifying each host or server for which a rule applies. To do this, select Configuration > Building Blocks > Network Objects.


Step 1   Select Configuration > Access Rules > Firewall Rules > [Mandatory or Default] (for example, Configuration > Access Rules > Firewall Rules > Mandatory).

The Firewall Rules page appears.

Step 2   Using the Object Selector, select the scope (if not already selected) to identify the device or device group to which the rules will apply.


Note    The Object bar displays the last scope that was selected under the Configuration tab.

Step 3   Do one of the following:

  • To insert the first row in the table, click Insert.

The Firewall Rule page appears.

  • To add another row in the table, select the check box for the row after which to add a new table row, then click Insert.

The Firewall Rule page appears.

  • To paste a row in the table that has been cut or copied to the clipboard, select the row in the table after which to add a new table row, then click Paste.

Note    Because rules are applied to an interface, you must make sure the interface specified in a rule exists on the device to which you are pasting the rule.

  • To edit a row in the table, select the check box for the row, then click Edit.

The Firewall Rule page appears.

  • To view all firewall rules tables (mandatory and default) from Global down to the current scope, click View All.

A page appears from which you can print the tables.


Note    You can right-click in the table to select the buttons shown at the bottom of the table. This simulates the act of clicking the button.

Step 4   Verify that the Enable rule check box is selected.

Step 5   To permit or deny traffic for the rule being defined, click the appropriate radio button.

Step 6   Enter the source address(es) or click Select to open a window to display a list of defined objects.

a. Select the available object(s), then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the Firewall Rule page.

Step 7   Enter the destination address(es) or click Select to open a window that displays a list of defined objects.

a. Select the available object(s), then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the Firewall Rule page.

Step 8   To enter the services, click Select, which opens a window to display a list of services.

a. Select the available service(s), then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the Firewall Rule page.

Step 9   Select the source interface from the list. The list contains all interfaces defined at the current scope.

Step 10   Select the logging level from the list.

Step 11   Enter the logging interval.

Step 12   Select the category from the list. The list contains all categories defined as building blocks.

Step 13   Enter an optional description.

Step 14   Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.





If you are using AAA authentication, you must also define the rule in the AAA Rules table and select the AAA control types that apply. See Inserting or Editing an AAA Rule.

If you are using web filtering, you must also define the rule in the Web Filter Rules table and determine whether to permit or deny traffic should the web server go down. See Inserting or Editing a Web Filter Rule.

Firewall Rule Field-Level Elements and Descriptions

Element  Description 

Enable rule check box

Enables access rules.

Note If you select the Enable rule check box when you are configuring a rule, the rule is shown as true in the rule table under the Enabled column.

Action

Describes what should occur based on conditions set. Options are:

  • Permit—Allows traffic.
  • Deny—Denies traffic.

Source Address(es)

Source network object1 name(s) or address(es) of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Destination Address(es)

Destination network object1 name(s) or address(es) of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Service(s)

Name of one or more service definitions2 identified for the rule being defined. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Source Interface

Name of interface to which the generated ACL is assigned. Options are:

  • Inside—Connects to your internal network.
  • Outside—Connects to an external network or public Internet.

Syslog Level

Type of syslog used to log events for an ACE.

Note If you are configuring a rule, the logging level you select is displayed in the rule table under the Syslog Level column.

Logging Level list

Enables syslog for an ACE. Options are:

  • Default (level 6)3—The ACL logging behavior prior to PIX 6.3 is restored (for example, if a packet is denied, message 106023 is generated).
  • Emergencies (level 0)—System unusable. Generates messages that identify system instabilities.
  • Alerts (level 1)—Immediate action needed. Generates messages that identify system integrity issues that require immediate administrative action.
  • Critical (level 2)—Critical condition. Generates messages that identify critical system issues.
  • Errors (level 3)—Error condition. Generates messages that identify system errors during operation.
  • Warnings (level 4)—Warning condition. Generates messages that identify system warnings, for example, device might be configured incorrectly.
  • Notifications (level 5)—Normal but significant condition. Generates messages that identify normal operations that are typically considered significant events.
  • Informational (level 6)—Informational message only. Generates messages that identify system information that is typical of day-to-day activity, such as network session records.

Note This setting directly affects the level of reports you can generate about network activity for this firewall device. We recommend that you select Informational to ensure that all report data is available.

Logging Level list (cont)

  • Debugging (level 7)—Appears during debugging only. Generates messages that assist you in debugging. Also generates logs that identify the commands issued during FTP sessions and the URLs requested during HTTP sessions.
  • Disabled—No logging.3

Note If you are configuring a rule, the logging level you select is displayed in the rule table under the Syslog Level column.

Logging Interval

Interval of time, in seconds, used to generate logging messages. Default is 300 seconds. You must select a logging level from the list for the logging interval value to be recognized. If you selected Disabled or Default as your logging level, this field is grayed-out.

Note If you select Default as the logging level, the default logging interval value is used.

Category4

Element defined in Building Blocks to provide an intermediate level of detail to objects to help you categorize and readily identify rules and building blocks.

Description

Optional user-defined description that identifies the access rule.

1. Network objects are defined in Building Blocks. Select Configuration > Building Blocks > Network Objects. See Defining Network Objects.

2. Services are defined in Building Blocks. Select Configuration > Building Blocks > Service Definitions. See Defining Service Definitions.

3. Selecting this option causes the Logging Interval to be grayed-out.

4. Categories are defined in Building Blocks. Select Configuration > Building Blocks > Categories. See Using Categories and Color-Coding.

Inserting or Editing an AAA Rule


Note   Use the same procedure to configure mandatory and default AAA rules for all scopes.

Before You Begin
  • Recommended but not required: Define a network object identifying each host or server for which a rule applies. To do this, select Configuration > Building Blocks > Network Objects.
  • Before defining rules that use AAA, you must identify the AAA server. To do this, select Configuration > Building Blocks > AAA Server Group.

Step 1   Select Configuration > Access Rules > AAA Rules > [Mandatory or Default] (for example, Configuration > Access Rules > AAA Rules > Mandatory).

The AAA Rules page appears.

Step 2   Using the Object Selector, select the scope (if not already selected) to identify the device or device group to which the rules will apply.


Note    The Object bar displays the last scope that was selected under the Configuration tab.

Step 3   Do one of the following:

  • To insert the first row in the table, click Insert.

The AAA Rule page appears.

  • To add another row in the table, select the check box for the row after which to add a new table row, then click Insert.

The AAA Rule page appears.

  • To paste a row in the table that has been cut or copied to the clipboard, select the row in the table after which to add a new table row, then click Paste.

Note    Because rules are applied to an interface, you must make sure the interface specified in a rule exists on the device to which you are pasting the rule.

  • To edit a row in the table, select the check box for the row, then click Edit.

The AAA Rule page appears.

  • To view all AAA rules tables (mandatory and default) from Global down to the current scope, click View All.

A page appears from which you can print the table.


Note    You can right-click in the table to select the buttons shown at the bottom of the table. This simulates the act of clicking the button.

Step 4   Select the Enable rule check box.

Step 5   To permit or deny an action for the rule being defined, click the appropriate radio button.

Step 6   Based on your selection in Step 5, select the authentication, authorization, or accounting check boxes to which the action applies.

Step 7   Enter the source address(es) or click Select, which opens a window to display a list of defined objects.

a. Select the available object(s), then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the AAA Rule page.

Step 8   Enter the destination addresses or click Select, which opens a window to display a list of defined objects.

a. Select the available objects, then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the AAA Rule page.

Step 9   Enter the services by clicking Select, which opens a window to display a list of services.

a. Select the available services, then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the AAA Rule page.

Step 10   Select the source interface from the list. The list contains all interfaces defined at the current scope.

Step 11   Select the AAA server group from the list.


Note    AAA server groups are user-defined. If you have not already done so, you can define a server group by selecting Configuration > Building Blocks > AAA Server Group.

Step 12   Enter an optional description in the field provided.

Step 13   Select the category from the list.

Step 14   Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.





If you defined AAA rules to permit FTP, HTTP, or Telnet services, you must enable FTP, HTTP, or Telnet traffic to allow authentication to occur. To do this, select Configuration > Device Settings > Firewall Device Administration > AAA Admin Authentication.

AAA Rule Field-Level Elements and Descriptions

Element  Description 

Enable rule check box

Enables AAA rule.

If the Enable rule check box is selected when you are configuring a rule, the rule is shown as true in the rules table under the Enabled column.

Actions radio buttons and check boxes

Permits or denies traffic. Options are:

  • Authentication.
  • Authorization—Used for TACACS only.
  • Accounting.

If traffic is permitted, select the desired AAA control type using the corresponding check boxes.

If the action information is selected when you are configuring a rule, the results are displayed in the rules table under the Action column.

Source Address(es)

Source network object [1] names or addresses of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Destination Address(es)

Destination network object [1] names or addresses of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Service(s)

Name of one or more services [2]. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Source Interface

Name of interface to which the generated ACL is assigned. Options are:

  • Inside—Connects to your internal network.
  • Outside—Connects to an external network or public Internet.

Description

Optional user-defined description that identifies AAA rule.

AAA Server Group

AAA server groups defined in Building Blocks at current scope and above. Selected group is used to service corresponding AAA rules.

Category [3]

Element defined in Building Blocks to provide an intermediate level of detail to objects to help you categorize and readily identify rules and building blocks.

[1] Network objects are defined in Building Blocks. Select Configuration > Building Blocks > Network Objects. See Defining Network Objects.

[2] Services are defined in Building Blocks. Select Configuration > Building Blocks > Service Definitions. See Defining Service Definitions.

[3] Categories are defined in Building Blocks. Select Configuration > Building Blocks > Categories. See Using Categories and Color-Coding.

Inserting or Editing a Web Filter Rule


Note   Use the same procedure to configure mandatory and default Web filter rules for all scopes.

Before You Begin
  • Recommended but not required: Define a network object identifying each host or server for which a rule applies. To do this, select Configuration > Building Blocks > Network Objects.
  • Before you can define rules that use Web filtering, you must identify the Web filter server definitions. To do this, select Configuration > Device Settings > Servers and Services > URL Filter Server.

Step 1   Select Configuration > Access Rules > Web Filter Rules > [Mandatory or Default] (for example, Configuration > Access Rules > Web Filter Rules > Mandatory).

The Web Filter Rules page appears.

Step 2   Using the Object Selector, select the scope (if not already selected) to identify the device or device groups to which the rules will apply.


Note    The Object bar displays the last scope that was selected under the Configuration tab.

Step 3   Do one of the following:

  • To insert the first row in the table, click Insert.

The Web Filter Rule page appears.

  • To add another row in the table, select the check box for the row after which to add a new table row, then click Insert.

The Web Filter Rule page appears.

  • To paste a row in the table that has been cut or copied to the clipboard, select the row in the table after which to add a new table row, then click Paste.

Note    Because rules are applied to an interface, you must make sure the interface specified in a rule exists on the device to which you are pasting the rule.

  • To edit a row in the table, select the check box for the row, then click Edit.

The Web Filter Rule page appears.

  • To view all Web Filter Rules tables (mandatory and default) from Global down to the current scope, click View All.

A page appears from which you can print the table.


Note    You can right-click in the table to select the buttons shown at the bottom of the table. This simulates the act of clicking the button.

Step 4   Select the Enable rule check box.

Step 5   Enter the source address(es) or click Select, which opens a window to display a list of defined objects.

a. Select the available object(s), then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the Web Filter Rule page.

Step 6   Enter the destination address(es) or click Select, which opens a window to display a list of defined objects.

a. Select the available object(s), then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the Web Filter Rule page.

Step 7   Enter the services by clicking Select, which opens a window to display a list of services.

a. Select the available services, then click Select =>. The service selected must be a TCP service and cannot contain a port range.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the Web Filter Rule page.

Step 8   Enter an optional description.

Step 9   Select a category from the list.

Step 10   To permit or deny traffic if the filter server is unavailable, click the respective radio button.

Step 11   Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.





Filter Rule Field-Level Elements and Descriptions

Element  Description 

Enable rule check box

Enables the filter rule when you are configuring it. When the rule is enabled, it is shown as true when you view the Firewall Rule table and the filter summary page.

Action

Displays the action of the rules listed in the rules table. The action for Web filter rules is Filter URL.

Source Address(es)

Allows you to enter source network object [1] name(s) or address(es) of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Destination Address(es)

Allows you to enter destination network object [1] name(s) or address(es) of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Service(s)

Allows you to enter the name of one or more services [2]. The service selected must be a TCP service and cannot contain a port range. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Description

Optional user-defined comment that identifies the rule.

Category [3]

Element defined in Building Blocks to provide an intermediate level of detail to objects to help you categorize and readily identify rules and building blocks.

Allow traffic if filter server unavailable

  • Select Yes to allow traffic when the filter server is unavailable. Shown as "Allow traffic" when you view the Filter Rule table and set to true when you view the filter rule summary page.
  • Select No to disallow traffic when the filter server is unavailable. Shown as "Do not allow traffic" when you view the Filter Rule table and set to false when you view the filter rule summary page.

When the permit or deny action is selected when you are configuring a rule, the selected action is shown in the rules table under the If filter server unavailable column.

[1] Network objects are defined in Building Blocks. Select Configuration > Building Blocks > Network Objects. See Defining Network Objects.

[2] Services are defined in Building Blocks. Select Configuration > Building Blocks > Service Definitions. See Defining Service Definitions.

[3] Categories are defined in Building Blocks. Select Configuration > Building Blocks > Categories. See Using Categories and Color-Coding.

Cutting, Copying, or Pasting an Access Rule

When configuring access rules tables, you might be able to use shortcuts to help you define your access rules tables:

  • Cut allows you to cut a rule from the table.
  • Copy allows you to copy a rule in the table and paste it elsewhere.
  • Paste allows you to paste a rule that was copied or cut from a table.

Note
  • Because rules are applied to an interface, you must make sure the interface specified in a rule exists on the device to which you are pasting the rule. If the interface is not found on the device, an error results when the device configuration is generated.
  • You cannot paste a rule before or after a rule created from an outbound rule. Outbound rules are sorted in the order that a firewall device applies them to traffic.





Step 1   Select Configuration > Access Rules > (Rules type) > [Mandatory or Default] (for example, Configuration > Access Rules > Firewall Rules > Mandatory).

The access rules table for the selected rules type appears.

Step 2   Using the Object Selector, select the scope (if not already selected) for the device or device groups to which the rules will apply.


Note    The Object bar displays the last scope that was selected under the Configuration tab.

Step 3   Do one of the following:

  • To copy a row in the table, select the check box for the row, then click Copy.
  • To cut a row in the table, select the check box for the row, then click Cut.
  • To paste a row in the table, select the check box for the row after which to paste the rule, then click Paste.
  • To view all rules tables (mandatory and default) for a single access rule type from Global down to the current scope, click View All.

A page appears from which you can print the table.


Note    You can right-click in the table to select the buttons shown at the bottom of the table. This simulates the act of clicking the button.





Deleting an Access Rule


Step 1   Select Configuration > Access Rules > (Rules type) > [Mandatory or Default] (for example, Configuration > Access Rules > Firewall Rules > Mandatory).

The access rules table for the selected rules type appears.

Step 2   Using the Object Selector, select the scope to identify the device or device groups to which the rules will apply.


Note    The Object bar displays the last scope that was selected under the Configuration tab.

Step 3   Select the check box for the row in the table, then click Delete.

You are prompted to confirm the delete request.

Step 4   Click Yes.

The row is removed from the table.





Optimizing Your Policy Rules and Performance

Topics for discussion include:

  • Using Group Discovery
  • Using Turbo ACLs

Using Group Discovery

Group Discovery is a feature that is accessed from the access rule tables, whereby an algorithm identifies rules that can be grouped together. The algorithm analyzes the mandatory or default rules at the current scope. You must select at least one rule on which to perform the algorithm. To access this feature, click Discover Groups, which is located at the bottom of the rule tables.

The results are displayed in a popup window that displays the discovered network, service groups, and their contents. It also lists the original number of rules and the new number of rules if the changes are accepted. You have the option to continue with the replacement of rules or cancel the request. If you choose to continue, the access rule table is updated to display the new rule information.

As a result of Group Discovery, new building blocks can be created to represent the discovered groups. Firewall MC reuses existing building blocks if it finds them. Otherwise it will create its own service groups and network objects. The newly created groups will have the names MC-SGroup (for a service group) and MC-NGroup (for a network object). After you accept the changes, you can rename the groups.


Tip You can create building blocks before performing Group Discovery. Firewall MC will use the building blocks if they are a good match.

The rules in the access rule table are rewritten to refer to the building blocks instead of the original addresses (or smaller building blocks). The resulting list of rules is shortened, making the rules in the table more manageable.


Note   Functionally, Group Discovery is equivalent to defining new building blocks, creating new rules to reference the building blocks, then deleting the old rules.

An access list command can refer to five possible groups: source network, destination network, protocol, source service ports, and destination service, which can be service ports or ICMP types. A command must have a source network or group and a destination network or group.

  • For source network, destination network, and protocol, the command can refer to a group or an individual item.
  • For source service ports and destination service, the command can refer to a group, an individual item, or not be used.

Note   During conversion, the networks are converted first, followed by services.

An access rule can apply to the following types of objects:

  • Client host—Makes HTTP, Telnet, FTP, Voice over IP, and other service requests.
  • Server host—Responds to service requests.
  • Service type—Services are assigned to well-known, dynamically assigned, or secondary channel TCP or UDP ports.
  • Subnet—The network address of internal or external subnetworks where server or client hosts are located.
  • ICMP types—Such as ECHO-REPLY.

An access rule allows or denies traffic matching a specific combination of these objects. For example, an access rule might cause the PIX Firewall to allow a designated client to access a particular server host for a specific service. When there is only one client, one host, and one service, only one access rule is needed. However, as the number of clients, servers, and services increases, the number of rules required might increase exponentially.

Object Grouping provides a way to group objects of a similar type so that a single access rule can apply to all objects in the group. For example, consider the following three object groups:

  • My Services—Includes the TCP/UDP port numbers of the service requests that are allowed access to the internal network.
  • Trusted Hosts—Includes the host and network addresses allowed access to the greatest range of services and servers.
  • Public Servers—Includes the host addresses of servers to which the greatest access is provided.

After creating these groups, you can use a single access rule to allow trusted hosts to make specific service requests to a group of public servers. Object groups can also contain other object groups or be contained by other object groups.

Object Grouping dramatically compresses the number of access rules required to implement a particular security policy. For example, a customer policy that required 3,300 access rules might only require 40 rules after hosts and services are properly grouped.

To achieve this, multi-dimensional sorting is performed. For example:

1. Policies are sorted by their sources, so policies with the same source are placed together.

2. Same-source policies are sorted by destination, so policies with the same source and destination are placed together.

3. Same-source and same-destination policies are combined into a single policy, and the services are combined into an object group.

4. Adjacent policies are checked to see if they have the same source and service. If so, they are combined into a single policy, and the destinations are combined into an object group.

5. Adjacent policies are checked to see if they have the same destination and service. If so, they are combined into a single policy, and the sources are combined into an object group.

Sorting is repeated based on destination and service in place of source.

For example, you might have two rules:

Rule 1: Src:1.1.1.1 Dst:2.2.2.2 Svc:CMD Interface:inside Action:Permit

Rule 2: Src:1.1.1.1 Dst:3.3.3.3 Svc:CMD Interface:inside Action:Permit

The two rules can be combined to form a new rule:

New Rule: Src:1.1.1.1 Dst:MC-NGroup1234 Svc:CMD Interface:inside Action:Permit

Where MC-NGroup1234 contains Dst 2.2.2.2 and 3.3.3.3.

Each object in the source domain must have a unique name so that policies can be sorted alphabetically. The same requirement is true for destinations and services. Sorting can also be based on IP addresses or port numbers.
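The five-step sort-and-merge described above, carried through in code on the two rules from the page and on a constructed rule set. This is an added example written for this page, not Firewall MC's own implementation: it assumes that only rules on the same interface with the same action are candidates for merging, and that step 5 re-sorts by destination and service as the sentence after the list says. The MC-NGroup/MC-SGroup naming and the reuse of an existing building block with the same membership follow the page; PAGE_RULES are the two rules shown above, and CONSTRUCTED_RULES and the PublicServers group are made up for the demonstration.

```python
from typing import Dict, FrozenSet, List, Tuple

# A rule keeps src/dst/svc as tuples of member names: a one-element tuple is an
# individual item, a longer tuple is a group that has been discovered.
Rule = Dict[str, object]


def rule(src: str, dst: str, svc: str, iface: str = "inside", action: str = "permit") -> Rule:
    return {"src": (src,), "dst": (dst,), "svc": (svc,), "iface": iface, "action": action}


def _merge_adjacent(rules: List[Rule], same: Tuple[str, ...], merge: str) -> List[Rule]:
    """Fold each rule into its predecessor when every field named in `same` is
    equal, taking the union of the `merge` field (which becomes a group)."""
    out: List[Rule] = []
    for r in rules:
        if out and all(out[-1][f] == r[f] for f in same):
            out[-1][merge] = tuple(sorted(set(out[-1][merge]) | set(r[merge])))
        else:
            out.append(dict(r))
    return out


def discover_groups(rules: List[Rule]) -> List[Rule]:
    # Assumption of this example: interface and action must match for a merge.
    ctx = ("iface", "action")
    # Steps 1 and 2: sort by source, then destination, so equal pairs sit together.
    work = sorted((dict(r) for r in rules),
                  key=lambda r: (r["iface"], r["action"], r["src"], r["dst"]))
    # Step 3: same source and destination -> the services become a service group.
    work = _merge_adjacent(work, ctx + ("src", "dst"), "svc")
    # Step 4: adjacent rules with the same source and service -> destinations grouped.
    work = _merge_adjacent(work, ctx + ("src", "svc"), "dst")
    # Step 5: repeat the sort on destination and service, then group the sources.
    work.sort(key=lambda r: (r["iface"], r["action"], r["dst"], r["svc"]))
    work = _merge_adjacent(work, ctx + ("dst", "svc"), "src")
    return work


def name_groups(rules: List[Rule], existing: Dict[str, FrozenSet[str]] = None):
    """Replace every multi-member field with a building-block name. A group that
    already exists with the same members is reused; otherwise a new one is
    created as MC-NGroup<n> (networks) or MC-SGroup<n> (services)."""
    groups: Dict[str, FrozenSet[str]] = dict(existing or {})
    by_members = {members: name for name, members in groups.items()}
    counters = {"N": 0, "S": 0}
    named: List[Rule] = []
    for r in rules:
        nr = dict(r)
        for f, kind in (("src", "N"), ("dst", "N"), ("svc", "S")):
            members = frozenset(r[f])
            if len(members) == 1:
                nr[f] = r[f][0]          # individual item, no group needed
                continue
            name = by_members.get(members)
            if name is None:
                counters[kind] += 1
                name = f"MC-{kind}Group{counters[kind]}"
                groups[name] = members
                by_members[members] = name
            nr[f] = name
        named.append(nr)
    return named, groups


# The two rules from the page.
PAGE_RULES = [rule("1.1.1.1", "2.2.2.2", "CMD"), rule("1.1.1.1", "3.3.3.3", "CMD")]

# Constructed sample: four permits that collapse to one rule, plus a deny that must not merge.
CONSTRUCTED_RULES = [
    rule("10.0.0.5", "192.0.2.10", "http"),
    rule("10.0.0.5", "192.0.2.10", "https"),
    rule("10.0.0.6", "192.0.2.10", "http"),
    rule("10.0.0.6", "192.0.2.10", "https"),
    rule("10.0.0.7", "192.0.2.10", "telnet", action="deny"),
]

if __name__ == "__main__":
    for rules in (PAGE_RULES, CONSTRUCTED_RULES):
        named, groups = name_groups(discover_groups(rules))
        print(f"{len(rules)} rules -> {len(named)} rules; groups: {dict(groups)}")
        for r in named:
            print("  ", r)
```

The sort in steps 1, 2 and 5 changes the order of the rules, and a firewall evaluates an ACL first to last. The example therefore never merges a permit with a deny, but it does not check whether moving a permit past an overlapping deny (or vice versa) would change a first-match decision; after accepting a Group Discovery result, review the combined table with that in mind.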


Note   For versions of PIX Firewalls that do not support object grouping, the groups are always lost on generation and cannot exist on import.

Using Turbo ACLs

An access list typically consists of multiple access list entries, organized internally by a PIX Firewall as a linked list. When a packet is subjected to access list control, the PIX Firewall searches this linked list linearly to find a matching element. The matching element is then examined to determine if the packet is to be transmitted or dropped. With a linear search, the average search time increases proportional to the size of the list.

The Turbo ACLs feature is designed to improve the average search time of access control lists containing a large number of entries. The Turbo ACL feature causes the PIX Firewall to compile tables for ACLs, which improves the searching of long ACLs.
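To make the difference between a linear walk and a compiled lookup concrete, here is an added example written for this page; it is not the PIX Turbo ACL implementation. The linear lookup walks the list first to last, as the paragraph above describes. The compiled form is one simplified way to "compile tables" for an ACL (an assumption about the technique, not Cisco's algorithm): each field gets a table that maps a packet value to a bitmap of the ACEs it satisfies, and the lowest set bit of the AND of the four bitmaps is the first matching entry. The ACL and packets are constructed IPv4 samples, and `agrees` is the check a defender would want before trusting a compiled form: it must decide exactly as the uncompiled list does.

```python
import bisect
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                                 # "permit" or "deny"
    proto: str                                  # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]] = None     # inclusive destination port range; None = any


def ace(action, proto, src, dst, dport=None) -> Ace:
    return Ace(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0


def ace_matches(a: Ace, p: Packet) -> bool:
    return (a.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in a.src
            and ipaddress.ip_address(p.dst) in a.dst
            and (a.dport is None or a.dport[0] <= p.dport <= a.dport[1]))


def linear_lookup(acl: List[Ace], p: Packet):
    """Uncompiled behaviour: walk the list until the first ACE matches.
    Returns (action, index, entries examined); no match is the implicit deny."""
    for i, a in enumerate(acl):
        if ace_matches(a, p):
            return a.action, i, i + 1
    return "deny", None, len(acl)


class CompiledAcl:
    """Per-field tables mapping a packet value to a bitmap of candidate ACEs
    (bit i = ACE i). The lowest set bit of the AND of all bitmaps is the same
    first match the linear walk finds, but the lookup cost depends on the
    number of distinct prefix lengths and port boundaries, not on list length."""

    def __init__(self, acl: List[Ace]):
        self.acl = list(acl)
        self.src_tab, self.src_lens = self._prefix_table("src")
        self.dst_tab, self.dst_lens = self._prefix_table("dst")
        self.proto_tab: Dict[str, int] = {}
        self.proto_any = 0                      # ACEs whose protocol is "ip"
        for i, a in enumerate(self.acl):
            if a.proto == "ip":
                self.proto_any |= 1 << i
            else:
                self.proto_tab[a.proto] = self.proto_tab.get(a.proto, 0) | 1 << i
        # Cut 0..65535 at every range boundary; membership is constant inside each piece.
        bounds = {0, 65536}
        for a in self.acl:
            if a.dport:
                bounds |= {a.dport[0], a.dport[1] + 1}
        self.port_starts = sorted(bounds)[:-1]
        self.port_masks = [
            sum(1 << i for i, a in enumerate(self.acl)
                if a.dport is None or a.dport[0] <= lo <= a.dport[1])
            for lo in self.port_starts]

    def _prefix_table(self, field: str):
        tab: Dict[Tuple[int, int], int] = {}
        for i, a in enumerate(self.acl):
            net = getattr(a, field)
            key = (net.prefixlen, int(net.network_address))
            tab[key] = tab.get(key, 0) | 1 << i
        return tab, sorted({k[0] for k in tab})

    def _prefix_mask(self, tab, lens, addr: str) -> int:
        a = int(ipaddress.ip_address(addr))
        m = 0
        for plen in lens:                       # at most 33 lengths, whatever the ACL size
            m |= tab.get((plen, a & (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF), 0)
        return m

    def lookup(self, p: Packet):
        m = self._prefix_mask(self.src_tab, self.src_lens, p.src)
        m &= self._prefix_mask(self.dst_tab, self.dst_lens, p.dst)
        m &= self.proto_tab.get(p.proto, 0) | self.proto_any
        m &= self.port_masks[bisect.bisect_right(self.port_starts, p.dport) - 1]
        if m == 0:
            return "deny", None                 # implicit deny
        i = (m & -m).bit_length() - 1           # lowest set bit = earliest matching ACE
        return self.acl[i].action, i


def agrees(acl: List[Ace], packets: List[Packet]) -> bool:
    """Defender's check: the compiled table must decide exactly like the linear walk."""
    compiled = CompiledAcl(acl)
    return all(linear_lookup(acl, p)[:2] == compiled.lookup(p) for p in packets)


# Constructed sample ACL (not from the page), evaluated first to last.
ACL = [
    ace("deny",   "tcp",  "10.0.0.0/8",  "192.0.2.10/32", (23, 23)),    # 0: no Telnet to this host
    ace("permit", "tcp",  "10.0.0.0/8",  "192.0.2.0/24",  (80, 80)),    # 1
    ace("permit", "tcp",  "10.0.0.0/8",  "192.0.2.0/24",  (443, 443)),  # 2
    ace("permit", "icmp", "0.0.0.0/0",   "192.0.2.0/24"),               # 3
    ace("permit", "tcp",  "10.1.2.3/32", "192.0.2.10/32", (22, 22)),    # 4: one admin host, SSH only
]

SAMPLE_PACKETS = [                              # constructed
    Packet("tcp", "10.1.2.3", "192.0.2.10", 80),
    Packet("tcp", "10.1.2.3", "192.0.2.10", 23),
    Packet("tcp", "10.1.2.3", "192.0.2.10", 22),
    Packet("icmp", "198.51.100.7", "192.0.2.5"),
    Packet("udp", "10.9.9.9", "192.0.2.10", 53),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "linear:", linear_lookup(ACL, p), "compiled:", CompiledAcl(ACL).lookup(p))
    print("compiled form agrees with linear walk:", agrees(ACL, SAMPLE_PACKETS))
```

The third sample packet is the case the paragraph above is about: the linear walk examines all five entries before reaching ACE 4, while the compiled lookup reaches the same answer from four table lookups and one AND. The price is the tables themselves, which is why the feature has a memory cost that grows with the number of ACL elements.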

When Firewall MC deploys the Turbo ACL commands to the firewall device, Firewall MC cannot detect if the ACLs were compiled successfully. If the ACLs were not compiled successfully, the firewall device turns off the Turbo ACL feature. You can turn the Turbo ACLs feature on or off at the global level. To access this feature, select Configuration > Device Settings > Advanced Security > Turbo ACLs.

The Turbo ACLs feature requires significant amounts of memory and is most appropriate for high-end PIX Firewall models, such as the PIX 525 or PIX 535. The minimum memory required for Turbo ACLs is 2.1 MB and approximately 1 MB of memory is required for every 2,000 ACL elements.


Note   Firewall MC currently does not support Turbo ACLs per ACL.

Enabling Turbo ACLs


Step 1   Select Configuration > Device Settings > Advanced Security > Turbo ACLs.

The Turbo ACLs page appears.

Step 2   Select the Enable Turbo Access Rules Searches check box to speed up the processing of large access rules.


Note    This feature requires a minimum of 2.1 MB of memory for the device. Additional memory might be required.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to firewall devices at deployment. See "Managing Activities."





Turbo ACLs Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device(s) inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. (See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroup(s) and device(s). Mandatory settings cannot be changed by a subgroup or device. (See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enable Turbo Access Rule Searches check box

Speeds up processing of large access rules tables.

Note If you enable Turbo Access Rule Searches, additional memory might be required for the device.