16-44
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Optimizing Access Rules Automatically During Deployment
• Adjacent ACEs—Where two entries are similar enough that a single entry can do the same job. There can be no intervening rules that change which packets will hit each rule. Consider the following example:
access-list myacl permit ip 1.1.1.0 255.255.255.128 any
access-list myacl permit ip 1.1.1.128 255.255.255.128 any
The two ACEs are merged into one: access-list myacl permit ip 1.1.1.0 255.255.255.0 any.
By configuring ACL deployment optimization, you can create smaller ACLs that are more efficient, which can improve performance on devices with limited, non-expandable memory, such as the FWSM, where memory is shared among multiple virtual contexts.
However, there are downsides to configuring ACL deployment optimization:
• Because optimization changes what would normally be deployed for your access rules, it is hard to correlate those rules to the actual deployed ACEs. This can make the results of the hit count tool unusable, and make it very difficult to correlate events in the Cisco Security Monitoring, Analysis and Response System application. If it is important to you that you can monitor your access rules using these tools, do not enable optimization. For more information, see Viewing Hit Count Details, page 16-33 and Viewing CS-MARS Events for an Access Rule, page 69-28.
• Optimization does not address inherent problems in your access rules policy. It is typically better to address redundancies and conflicts proactively by using the automatic conflict detection tool (see Using Automatic Conflict Detection, page 16-25). You can also use the combine rules tool to optimize your rules in the access rules policy before you deploy them (see Combining Rules, page 12-22).
If you decide to configure ACL deployment optimization, consider enabling it only for those devices that are memory constrained.
Step 1 Log into Windows on the Security Manager server.
Step 2 Use a text editor such as Notepad to open the C:\Program Files\CSCOpx\MDC\athena\config\csm.properties file. Locate the optimization section and read the instructions.
• To turn on full optimization for all devices, enter the following:
OPTIMIZE.*=full
• To turn on full optimization for a specific device, replace the asterisk with the Security Manager display name for the device. For example, if the display name is west_coast.cisco.com, enter the following:
OPTIMIZE.west_coast.cisco.com=full
• To turn on optimization but preserve the object groups used in the ACE, replace the full keyword with preserve_og. For example:
OPTIMIZE.west_coast.cisco.com=preserve_og
• If you do not want to allow the merger of adjacent entries, enter the following:
AclOptimization.doMerge=false