16-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Understanding Access Rules
Tips
Because you can use network/host objects to identify a source or destination, and you can configure
deployment optimization for rules, there is not always a one-to-one relationship between an access
rule and ACEs in the CLI definition of an ACL.
All access lists created from firewall rules are extended access lists (rather than standard). Security
Manager applies a system-generated name to the ACL unless you specify a name for the ACL on the
Access Control Settings Page, page 16-21. The name applies to the ACL that includes all of the rules
related to the interface and direction for which the name is defined.
There are several deployment options that control how object groups are deployed. This topic
describes the default behavior. On the Deployment Page, page 11-9 (select Tools > Security
Manager Administration > Deployment), you can deselect the option to create object groups from
network/host objects. You can also optimize object groups during deployment (see Optimizing
Network Object Groups When Deploying Firewall Rules, page 12-35), create new object groups
from rules with multiple services or source and destination addresses, or remove unused object
groups.
The deployment options also include settings that control the names of ACLs generated from access
rules and how many ACLs are created. By default, Security Manager creates a unique ACL for each
interface, even if this means that several duplicate ACLs are created.
If you select Enable ACL Sharing for Firewall Rules, Security Manager can create a single ACL
and apply it to multiple interfaces, thus avoiding the creation of unnecessary duplicate ACLs.
However, ACL sharing occurs only if it can be done while preserving your ACL naming
requirements:
If you specify an ACL name for an interface and direction, that name is always used, even if it
means a duplicate ACL must be created. For more information, see Configuring Settings for
Access Control, page 16-20.
If you select Reuse existing names for the Firewall Access-List Names property, the existing
names are preserved (unless you override them in the access control settings policy). This means
that you might end up with duplicate ACLs under different names if duplicate ACLs already
exist on the device.
Tip: To maximize ACL sharing, ensure that you select Reset to CS-Manager Generated Names
for the Firewall Access-List Names property, select Speed for the Optimize the Deployment of
Access Rules For property, and that you do not configure ACL names in the access control settings
policy.
For more detailed information about the Enable ACL Sharing for Firewall Rules property, see
Deployment Page, page 11-9.
IPv4 and IPv6 ACLs cannot have the same name.
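The following is an added example, not code from the Cisco Security Manager product or this guide. It is a simplified model of two of the points above: why one access rule does not map one-to-one to ACEs (a rule with several sources, destinations and services expands to one ACE per combination unless object groups are used), and how ACL sharing interacts with ACL naming (identical ACLs are shared across interfaces only when no explicit name forces a duplicate). The rule contents, the interface bindings, the object-group names and the generated ACL name pattern CSM_<interface>_<direction>_acl are all constructed for illustration; Security Manager's real naming and optimization logic is not reproduced here.

```python
from itertools import product

# Constructed sample access rule (not a real policy): three hosts may reach
# two servers over two services. Expanded without object groups this is
# 3 x 2 x 2 = 12 ACEs; with object groups it is a single ACE.
RULE = {
    "action": "permit",
    "sources": ["10.1.1.10", "10.1.1.11", "10.1.1.12"],
    "destinations": ["192.168.5.20", "192.168.5.21"],
    "services": [("tcp", 443), ("tcp", 22)],
}


def expand_rule(rule):
    """ACEs held by the device when object groups are NOT created:
    one extended ACE per (source, destination, service) combination."""
    return [
        f"{rule['action']} {proto} host {src} host {dst} eq {port}"
        for src, dst, (proto, port) in product(
            rule["sources"], rule["destinations"], rule["services"])
    ]


def group_rule(rule, prefix):
    """Same rule expressed with object groups: returns the single ACE and
    the object-group bodies it references. Group names derive from the
    caller-supplied prefix (an assumption of this model)."""
    groups = {
        f"{prefix}-src": [f"network-object host {s}" for s in rule["sources"]],
        f"{prefix}-dst": [f"network-object host {d}" for d in rule["destinations"]],
        f"{prefix}-svc": [f"service-object {p} destination eq {port}"
                          for p, port in rule["services"]],
    }
    ace = (f"{rule['action']} object-group {prefix}-svc "
           f"object-group {prefix}-src object-group {prefix}-dst")
    return ace, groups


def assign_acls(bindings, share, explicit_names=None):
    """Assign an ACL name to each (interface, direction) binding.

    bindings:       {(interface, direction): tuple of ACE strings}
    share:          models "Enable ACL Sharing for Firewall Rules"
    explicit_names: {(interface, direction): name} from the access control
                    settings policy; such a name is always used, even
                    when that means a duplicate ACL.

    With sharing off, every binding gets its own generated ACL, duplicates
    included. With sharing on, bindings whose ACE lists are identical reuse
    the first generated ACL, but an explicit name still forces a copy.
    """
    explicit_names = explicit_names or {}
    assigned = {}
    shared_by_content = {}   # ACE tuple -> name of the ACL already deployed
    for (iface, direction), aces in bindings.items():
        key = (iface, direction)
        if key in explicit_names:
            assigned[key] = explicit_names[key]      # never shared
            continue
        generated = f"CSM_{iface}_{direction}_acl"   # constructed pattern
        if share and aces in shared_by_content:
            assigned[key] = shared_by_content[aces]  # reuse, no duplicate
            continue
        if share:
            shared_by_content[aces] = generated
        assigned[key] = generated
    return assigned


def distinct_acls(assignment):
    """Number of ACLs that would actually exist on the device."""
    return len(set(assignment.values()))


# Constructed bindings: the same rule applied inbound on three interfaces.
ACES = tuple(expand_rule(RULE))
BINDINGS = {
    ("inside", "in"): ACES,
    ("dmz", "in"): ACES,
    ("outside", "in"): ACES,
}

if __name__ == "__main__":
    print(f"expanded ACEs for one rule: {len(ACES)}")
    ace, groups = group_rule(RULE, "web")
    print(f"with object groups: 1 ACE ({ace}) and {len(groups)} groups")
    for share, names in ((False, None), (True, None), (True, {("dmz", "in"): "DMZ_IN"})):
        result = assign_acls(BINDINGS, share, names)
        print(f"sharing={share} explicit={names}: {distinct_acls(result)} ACL(s) -> {result}")
```

Running the script shows the three cases the text describes: sharing off yields three duplicate ACLs, sharing on collapses them to one, and giving one interface an explicit name in the access control settings policy brings the count back up to two because that name must be honoured.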
Related Topics
Understanding Access Rules, page 16-1
Configuring Access Rules, page 16-7
Configuring Settings for Access Control, page 16-20
Expanding Object Groups During Discovery, page 12-35