Object Groups in the ASA/FWSM/PIX

I can’t believe I haven’t talked about object-groups yet.  I had a whole other blog entry written up, and, when I went to link things over, I realized I couldn’t find an intro to it.  Here it goes.

Welcome to the modern world.  A world of wonder.  A world of quickly-advancing technology.  A world where clusters of machines sit behind load balancers for scalability and availability.  A world where those clusters need access to other clusters.  A world where your firewall rulebase gets so big that it’s unreadable without some help.

Enough with the drama already.  I would say I hate the cheesy stuff, but I think my whole blog is nothing but cheesy stuff, right?  To the point.  Enterprise firewall configurations can get quite large with ACLs applied in different directions to different interfaces.  Our ACL entries number in the 6000 range, but the firewall we’re running says we’re only at 5% utilization in the ACLE memory space. That means that our not-top-of-the-line firewall is designed to handle 120k lines of ACLs.  That can be quite a handful to configure by hand.  There may be an easier-to-maintain solution, though.

Let’s say you have a cluster of servers behind your CSM that all need to access a database.   Since there’s a nice ASA, FWSM, or PIX between the servers and database (as there should be), you have to open up access for this connection.  Let’s say that you have four servers with the IPs of that need access to on the mySQL port (TCP/3306).

Where are your remarks?  Why don’t you document something for once in your life?

Anyway, that’s easy, right.  Four configuation lines isn’t so bad, but some of the server admins come to you one day and tell you that the company actually marketed the new web app and that tey are adding 37 more servers to the cluster.  Now the 37 new servers need the same rules, right?  The server dudes also tell you that, since the app has grown so much, the DBAs have set up a split-read-write scenario where the current database handles the reads and a new database handles the writes.  That’s 78 new rules (37 to the old and 41 for the new).  That’s a lot of rules.

Object-groups to the rescue.  An object-group is a logical group of objects (duh!) that you can use to create ACLEs.  You can create a group of hosts, a group of network, or a group of ports.  For our example, let’s create an object-group that includes all the hosts in the new huge cluster.

What do we do with it, though?  You treat it (almost) just like it was a host in an ACL.  Remember we wanted to open access to the old database on TCP/3306, right?

If you do a show access-list LIST1 now, you’ll see that a new rules has been added for each object in the object-group.  It should look something like this.

Notice that the firewall created 41 rules for you out of your one configured line, but now the rules are indented. The indention means that the rules is generated automagically instead of by hand. Since you can only take out rules that you put in by hand, so you can’t take out the line allowing access; it’s an all-or-nothing scenario.  Be aware of that.

You can use object-group for ports, too.  Let’s add to our example and say that the cluster will need to access the memcached instance on the database server as well.  Those processes run on TCP ports 15000 – 15100.

First we build an object-group for the ports we need.

Now let’s apply it to the ACL.

What does the ACL look like now?  Well, it’s a Duesenberg.

That’s a lot of ACL entries for one configuration line, isn’t it? Let’s see. 102 ports times 41 servers is 4182 lines in the ACL. You can see how might be to your advantage to use object-groups at times.

Send any candy corn questions my way.

Aaron Conaway

I shake my head around sometimes and see what falls out. That's what lands on these pages.

More Posts

Follow Me:

6 comments for “Object Groups in the ASA/FWSM/PIX

  1. Runon
    October 1, 2009 at 6:55 pm

    Good tips, thanks. Doubly so since I plan to get the CCSP next month.

    One problem I see with this sort of thing is the potential for misconfiguration. As a long time CCNP, I know the appeal of the CLI but a GUI is essential for ACLs of such sizes imho. The complexity here could spiral out of control quite easily and the potential for mistakes. I’m not going to even mention troubleshooting related to objects and rule base errors.

    Having worked to with checkpoints of 200-300 rules, I can’t imagine how many lines of ACL they would make. We are not machines, we should use GUIs for this kind of thing and not try to compete with data crunching.

    Sorry to have gone off on a tangent, just thinking out loud 🙂

  2. October 1, 2009 at 8:20 pm

    We are definitely not machine, Runon, but I don’t think a GUI makes it any harder to make mistakes. Just today, while I was configuring a rule in a Checkpoint of ours, I noticed that somebody had misconfigured an object. It took a while to figure out, and I would actually argue that I would have seen it quicker if I could have seen the config versus looking at an icon with a name.

    It’s probably a wash in the end, though. To each his own, I guess.

    Good luck on the CCSP.

  3. IPv6Freely
    November 21, 2009 at 2:35 am

    runon: Oh hells no. GUI in this case would be an awful solution. Maybe in checkpoint-land it would be necessary, but with Cisco, CLI is the way to go.

  4. Jimmy Mc
    May 16, 2013 at 7:08 am

    best object group tut i have read so far nice and simple

Leave a Reply

Your email address will not be published. Required fields are marked *