12-35
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 12 Introduction to Firewall Services
Managing Your Rules Tables
Optimizing Network Object Groups When Deploying Firewall Rules
When you deploy firewall rules policies to an ASA, PIX, FWSM, or IOS 12.4(20)T+ device, you can
configure Security Manager to evaluate and optimize the network/host policy objects that you use in the
rules when it creates the associated network object groups on the device. Optimization merges adjacent
networks and removes redundant network entries. This reduces the runtime access list data structures
and the size of the configuration, which can be beneficial to some FWSM and PIX devices that are
memory-constrained.
For example, consider a network/host object named test that contains the following entries and that is
used in an access rule:
192.168.1.0/24
192.168.1.23
10.1.1.0
10.1.1.1
10.1.1.2/31
If you enable optimization, the following object group configuration is generated when you deploy the
policy. Note that the description indicates the group was optimized:
object-group network test
description (Optimized by CS-Manager)
network-object 10.1.1.0 255.255.255.252
network-object 192.168.1.0 255.255.255.0
If you do not enable optimization, the group configuration would be as follows:
object-group network test
network-object 192.168.1.0 255.255.255.0
network-object 192.168.1.23 255.255.255.255
network-object 10.1.1.0 255.255.255.255
network-object 10.1.1.1 255.255.255.255
network-object 10.1.1.2 255.255.255.254
This optimization does not change the definition of the network/host object, nor does it create a new
network/host policy object. If you rediscover policies on the device, the existing unchanged policy object
is used.
Note If a network/host object contains another network/host object, the objects are not combined. Instead,
each network/host object is optimized separately. Also, Security Manager cannot optimize network/host
objects that use discontiguous subnet masks.
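The merge-and-deduplicate behaviour described above, as an added example that is not Security Manager's own code: it uses Python's standard ipaddress module to collapse the page's sample entries into the optimized set, renders both the optimized and the unoptimized network-object lines in the address/netmask form shown in the sample output, and adds the check a practitioner would want before trusting an optimized group, namely that the set of matched addresses is unchanged. The object name and entry list come from the page; the function names, the one-space indentation of the rendered lines and the treatment of a bare address as a /32 host are assumptions.

```python
import ipaddress

# Constructed input: the entries of the page's sample network/host object "test".
TEST_OBJECT_ENTRIES = [
    "192.168.1.0/24",
    "192.168.1.23",
    "10.1.1.0",
    "10.1.1.1",
    "10.1.1.2/31",
]


def parse_entries(entries):
    """Parse each entry as a network; a bare address becomes a /32 host.
    ip_network() rejects discontiguous netmasks with ValueError, which mirrors
    the page's note that such objects cannot be optimized."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def optimize_entries(entries):
    """Merge adjacent networks and drop entries already covered by a larger one.
    Returns a sorted list of IPv4Network objects (assumed output order)."""
    return sorted(ipaddress.collapse_addresses(parse_entries(entries)))


def to_network_object_lines(entries, optimize):
    """Render entries as 'network-object <address> <netmask>' lines."""
    nets = optimize_entries(entries) if optimize else parse_entries(entries)
    return [f"network-object {n.network_address} {n.netmask}" for n in nets]


def render_object_group(name, entries, optimize):
    """Render the whole object-group block, including the description line the
    page shows for optimized groups. Indentation is an assumption."""
    lines = [f"object-group network {name}"]
    if optimize:
        lines.append(" description (Optimized by CS-Manager)")
    lines.extend(" " + line for line in to_network_object_lines(entries, optimize))
    return "\n".join(lines)


def covers_same_addresses(entries, optimized):
    """Check that optimization changed only the representation: every address
    matched before is matched after, and nothing new is matched. Enumerating
    addresses is fine for small objects such as the sample."""
    before = {addr for net in parse_entries(entries) for addr in net}
    after = {addr for net in optimized for addr in net}
    return before == after


if __name__ == "__main__":
    print(render_object_group("test", TEST_OBJECT_ENTRIES, optimize=True))
    print()
    print(render_object_group("test", TEST_OBJECT_ENTRIES, optimize=False))
    print()
    print("coverage unchanged:",
          covers_same_addresses(TEST_OBJECT_ENTRIES, optimize_entries(TEST_OBJECT_ENTRIES)))
```

Running the block prints the two object-group blocks from the page (the optimized group with its two merged entries, and the unoptimized group with all five) followed by the coverage check. The coverage check is worth keeping in any tooling that post-processes deployed access lists: an object group that matches a different address set after "optimization" is a policy change, not a representation change.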
To configure optimization, select the Optimize Network Object-Groups During Deployment option
on the Deployment Page, page 11-9 (select Tools > Security Manager Administration and select
Deployment from the table of contents). The default is to not optimize network object groups during
deployment.
Expanding Object Groups During Discovery
When you discover policies from a device that uses object groups, you can elect to have those object
groups expanded into the items they contain rather than create policy objects from the group.