16-25
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter16 Managing Firewall Access Rules
Using Automatic Conflict Detection
Using Automatic Conflict Detection
Security Manager provides an Automatic Conflict Detection feature for access rules. You can use
Automatic Conflict Detection to evaluate the logic of your access rules. When enabled, Automatic
Conflict Detection identifies rules that overlap or conflict with other rules in the acce ss rule policy. Use
this information to identify rules that need to be deleted, moved, or edited.
This section contains the following topics:
Understanding Automatic Conflict Detection, page 16-25
Understanding the Automatic Conflict Detection User Interface, page 16-27
Resolving Conflicts, page 16-31

Understanding Automatic Conflict Detection

Security Manager provides an automatic conflict detection feature to help identify unnecessary
redundant or duplicate rules. Certain conflicting rules might have no effect on a device after they are
deployed; however, they create unnecessary clusters in the rules table. By detecting these rules, you can
clean up the rule set to develop an easier to use and more efficient access rules policy.
Other conflicting rules, can create unwanted results to your network. By detecting these conflicting
rules, you can identify rules that need to be deleted, moved, or edited to implement your security needs
as intended.
Note The conflict detection feature will report on the first conflict between two rules. If there are additional
rules in the table that also conflict with a rule, they will not be reported until the first conflict is resolved.
Conflicts detected by Security Manager are categorized in the following way:
Redundant Object—An element in a field of a rule is a subset of one or more elements in the same
field of the rule. In the following example, the source cell has two network objects: net-group2 and
net-group1. Since net-group2 is a sub-set of net-group1, it is a redundant object and can safely be
removed:
object-group network net-group1
network-object 10.2.0.0 255.255.0.0
object-group network net-group2
Enable Access List
Compilation (PIX 6.x)
(not presented on the IPv6
Access Control page)
Whether to compile access lists on this interface for PIX 6.x devices.
This setting overrides the equivalent global setting that you configure
on the Access Control Settings page.
ACL compilation speeds the processing of large rules tables and
optimizes your policy rules and performance for the interface. An ACL
is compiled only if the number of access list elements is greater than or
equal to 19. The maximum recommended number of entries is 16,000.
To compile access lists, the device must have a minimum of 2.1 MB of
memory.
Table16-6 Firewall ACL Setting Dialog Box (Continued)
Element Description