16-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Using Automatic Conflict Detection
network-object 10.2.1.1 255.255.255.255
Redundant Rule—Two rules apply the same action to the same type of traffic, and removing the base
rule would not change the ultimate result. For example, if a rule permitting FTP traffic for a
particular network were followed by a rule allowing IP traffic for that same network, and there were
no rules in between denying access, then the first rule is redundant and can be deleted.
The following is a simple example of redundant rules:
access-list acl permit ip 2.1.1.1 255.255.255.255 any
access-list acl permit ip 2.1.1.0 255.255.255.0 any
Partially Redundant Rule—A portion of a compound rule is redundant to a rule or a portion of a
compound rule that follows it.
Shadowed Rule—This is the reverse of a redundant rule. In this case, one rule matches the same
traffic as another rule such that the second rule will never be applied to any traffic because it comes
later in the access list. If the action for both rules is the same, you can delete the shadowed rule. If
the two rules specify different actions for traffic, you might need to move the shadowed rule or edit
one of the two rules to implement your desired policy. For example, the base rule might deny IP
traffic, and the shadowed rule might permit FTP traffic, for a given source or destination.
The following is a simple example of shadowed rules:
access-list acl permit ip 1.0.0.0 255.0.0.0 any
access-list acl permit ip 1.1.0.0 255.255.0.0 any
Note Duplicate rules are reported as shadowed rules by the automatic conflict detection feature.
Partially Shadowed Rule—A portion of a compound rule is shadowed by a rule before it. If the
action for both rules is the same, you can delete the portion of the rule that is shadowed. If the two
rules specify different actions for traffic, you might need to move the shadowed rule or edit one of
the two rules to implement your desired policy.
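The redundant and shadowed checks described above can be reproduced for simple access lists with the standard library. The following script is an added example, not part of the user guide or of Security Manager; it assumes ASA-style netmask syntax without port operators (so only the source, destination and protocol fields are compared, not services, users or interfaces), and its sample ACL is constructed from the guide's two examples plus four rules that exercise the "no deny in between" and "different action" conditions.

```python
import ipaddress
# Constructed sample ACL: the guide's two examples (rules 1-4) plus rules
# 5-8, which exercise the "no deny in between" and "different action" cases.
SAMPLE_ACL = """
access-list acl permit ip 2.1.1.1 255.255.255.255 any
access-list acl permit ip 2.1.1.0 255.255.255.0 any
access-list acl permit ip 1.0.0.0 255.0.0.0 any
access-list acl permit ip 1.1.0.0 255.255.0.0 any
access-list acl permit ip 3.1.1.0 255.255.255.0 any
access-list acl deny ip 3.1.0.0 255.255.0.0 any
access-list acl permit ip 3.0.0.0 255.0.0.0 any
access-list acl permit ip 3.1.2.0 255.255.255.0 any
"""

def parse_rule(line):
    """'access-list NAME ACTION PROTO SRC MASK DST MASK' (ASA netmask syntax,
    'any' allowed, no port operators) -> (action, proto, src_net, dst_net)."""
    tok, nets, i = line.split(), [], 4
    while i < len(tok):
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        else:
            nets.append(ipaddress.ip_network((tok[i], tok[i + 1]), strict=False)); i += 2
    return tok[2], tok[3], nets[0], nets[1]

def covers(outer, inner):
    """Every packet matched by `inner` is also matched by `outer`."""
    return ((outer[1] == "ip" or outer[1] == inner[1])
            and inner[2].subnet_of(outer[2]) and inner[3].subnet_of(outer[3]))

def overlaps(a, b):
    """Some packet could match both rules."""
    return (("ip" in (a[1], b[1]) or a[1] == b[1])
            and a[2].overlaps(b[2]) and a[3].overlaps(b[3]))

def find_conflicts(acl_text):
    """Return (kind, rule_no, other_rule_no, same_action) tuples, 1-based."""
    rules = [parse_rule(l) for l in acl_text.splitlines() if l.strip()]
    findings = []
    for i, base in enumerate(rules):
        for j in range(i + 1, len(rules)):
            later = rules[j]
            if covers(base, later):
                # Later rule never sees traffic; exact duplicates land here too.
                findings.append(("shadowed", j + 1, i + 1, base[0] == later[0]))
            elif covers(later, base) and base[0] == later[0] and not any(
                    r[0] != base[0] and overlaps(r, base) for r in rules[i + 1:j]):
                # Removing the base rule would not change the outcome.
                findings.append(("redundant", i + 1, j + 1, True))
    return findings
```

Rule 5 is not reported as redundant to rule 7 because the deny in rule 6 sits between them, while rule 8 is shadowed by both rule 6 (different action, so the policy needs attention) and rule 7 (same action, so it can simply be deleted).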
Scope of Automatic Conflict Detection
When detecting conflicts, Security Manager evaluates the following pieces of information in your access
rules:
source
destination
services
users
interfaces
Note Conflict detection is only available for access rules in the Access Rules policy for a device or shared
policy. Conflict detection is not available for access rules that are part of other policies, such as AAA or
inspection rules.