Cisco Defense Orchestrator

Shadowed Rules

A network policy contains a shadowed rule when at least one rule in the policy can never match traffic: a rule that precedes it already matches every packet the shadowed rule would match, so ACL processing stops at the earlier rule and the packet is never evaluated against the shadowed one.

For example, consider these network objects and network rules in the "example" network policy:

object network 02-50
 range 10.10.10.2 10.10.10.50
object network 02-100
 range 10.10.10.2 10.10.10.100

access-list example extended deny ip any4 object 02-50 
access-list example extended permit ip host 10.10.10.35 object 02-50 
access-list example extended permit ip any4 object 02-100 

No traffic is ever evaluated by this rule,
access-list example extended permit ip host 10.10.10.35 object 02-50
because the previous rule,
access-list example extended deny ip any4 object 02-50
denies traffic from any IPv4 source to any address in the range 10.10.10.2 - 10.10.10.50, and the host 10.10.10.35 is one of those sources. Every packet the second rule could match has already been dropped by the first.


Find Network Policies with Shadowed Rules

To find network policies with shadowed rules, use the network policies filter:

  1. Open the Network Policies page.
  2. Click Policy Issues if CDO indicates that there are policy issues.
  3. Click Shadowed to view all the policies with shadowed rules. 

policy_issue_shadow.png


Resolve Issues with Shadowed Rules

This is how CDO displays the rules described in the "example" network policy above:

example_policy_shadow.png

The rule on line 1 is marked with a shadow warning badge shadow_warning.png because it shadows another rule in the policy. The rule on line 2 is marked as being shadowed shadow_badge.png by another rule in the policy. The action for the rule on line 2 is grayed out because it is entirely shadowed by another rule in the policy. CDO also identifies which rule in the policy shadows the rule on line 2.

The rule on line 3 is triggered only for part of the traffic it matches. This is a partially shadowed rule. Traffic from any IPv4 address to an address in the range 10.10.10.2-10.10.10.50 is never evaluated by it, because that traffic has already been denied by the first rule. However, traffic from any IPv4 address to an address in the range 10.10.10.51-10.10.10.100 is evaluated by the last rule and is permitted.

Caution: CDO does not apply a shadow warning badge shadow_warning.png to partially shadowed rules.
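The "example" policy above and the partially shadowed case just described can be checked outside the CDO user interface. The following Python script is an added example, not code from the CDO documentation or from Cisco; it handles only a small subset of ASA extended ACL syntax (protocol ip; IPv4 sources and destinations written as any4, host, network plus mask, or a range object) and models each rule as a source x destination rectangle over the IPv4 address space. It subtracts every preceding rule's rectangle from the rule under test: nothing left means fully shadowed, less than the original means partially shadowed. Unlike CDO, it also flags partial shadowing. The object names, the ACL text and all function names are constructed for this example.

```python
"""Shadow detection for a simplified subset of ASA extended ACLs (IPv4, protocol ip).

A rule's match space is a rectangle (source range x destination range) over
the 32-bit IPv4 address space.  A rule is fully shadowed when the rectangles of
the rules before it cover it completely, and partially shadowed when they
cover some, but not all, of it.  Added example; assumptions are noted inline.
"""
import ipaddress

# Constructed sample: the "example" policy from the text, as name -> (first, last).
OBJECTS = {
    "02-50": ("10.10.10.2", "10.10.10.50"),
    "02-100": ("10.10.10.2", "10.10.10.100"),
}

ACL = """
access-list example extended deny ip any4 object 02-50
access-list example extended permit ip host 10.10.10.35 object 02-50
access-list example extended permit ip any4 object 02-100
"""

ANY4 = (0, 2**32 - 1)


def ip_int(s):
    return int(ipaddress.IPv4Address(s))


def parse_endpoint(tokens, objects):
    """Consume one address specifier from the token list; return an inclusive (lo, hi) range."""
    kw = tokens.pop(0)
    if kw in ("any4", "any"):          # assumption: treat "any" as IPv4-only here
        return ANY4
    if kw == "host":
        a = ip_int(tokens.pop(0))
        return (a, a)
    if kw == "object":                 # assumption: objects are range objects only
        lo, hi = objects[tokens.pop(0)]
        return (ip_int(lo), ip_int(hi))
    net = ipaddress.IPv4Network(f"{kw}/{tokens.pop(0)}", strict=False)  # "A.B.C.D MASK"
    return (int(net.network_address), int(net.broadcast_address))


def parse_acl(text, objects):
    """Parse lines of the form: access-list NAME extended ACTION ip SRC DST."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        assert t[0] == "access-list" and t[2] == "extended" and t[4] == "ip", line
        rest = t[5:]
        src = parse_endpoint(rest, objects)
        dst = parse_endpoint(rest, objects)
        rules.append({"line": line.strip(), "action": t[3], "rect": (src, dst)})
    return rules


def subtract(a, b):
    """Return the parts of rectangle a not covered by rectangle b (0 to 4 disjoint rectangles)."""
    (as_lo, as_hi), (ad_lo, ad_hi) = a
    (bs_lo, bs_hi), (bd_lo, bd_hi) = b
    if bs_lo > as_hi or bs_hi < as_lo or bd_lo > ad_hi or bd_hi < ad_lo:
        return [a]                      # no overlap: a is untouched
    pieces = []
    if as_lo < bs_lo:                   # slice of a with sources below b
        pieces.append(((as_lo, bs_lo - 1), (ad_lo, ad_hi)))
    if as_hi > bs_hi:                   # slice of a with sources above b
        pieces.append(((bs_hi + 1, as_hi), (ad_lo, ad_hi)))
    ms_lo, ms_hi = max(as_lo, bs_lo), min(as_hi, bs_hi)  # overlapping sources
    if ad_lo < bd_lo:                   # ... with destinations below b
        pieces.append(((ms_lo, ms_hi), (ad_lo, bd_lo - 1)))
    if ad_hi > bd_hi:                   # ... with destinations above b
        pieces.append(((ms_lo, ms_hi), (bd_hi + 1, ad_hi)))
    return pieces


def area(r):
    (s_lo, s_hi), (d_lo, d_hi) = r
    return (s_hi - s_lo + 1) * (d_hi - d_lo + 1)


def analyze(rules):
    """Classify each rule as 'shadowed', 'partial' or 'ok' and list the rules that cut into it."""
    results = []
    for i, rule in enumerate(rules):
        remaining, shadowers = [rule["rect"]], []
        for j in range(i):              # earlier rules win regardless of their action
            before = sum(area(r) for r in remaining)
            remaining = [p for r in remaining for p in subtract(r, rules[j]["rect"])]
            if sum(area(r) for r in remaining) < before:
                shadowers.append(j)
            if not remaining:
                break
        left = sum(area(r) for r in remaining)
        status = "shadowed" if left == 0 else ("partial" if left < area(rule["rect"]) else "ok")
        results.append((status, shadowers))
    return results


def report(text, objects):
    """Return (1-based rule number, status, 1-based numbers of the rules shadowing it)."""
    rules = parse_acl(text, objects)
    return [(n, status, [b + 1 for b in by])
            for n, (status, by) in enumerate(analyze(rules), start=1)]


if __name__ == "__main__":
    for n, status, by in report(ACL, OBJECTS):
        print(f"rule {n}: {status}" + (f" (by rule {by})" if by else ""))
```

On the sample policy the script reports rule 2 as fully shadowed by rule 1 and rule 3 as partially shadowed by rule 1, matching the analysis above. Because it subtracts every earlier rule, it also catches a rule that is covered only by the combination of several earlier rules, which a pairwise comparison would miss. Protocol and port matching are deliberately left out; extending the rectangle to more dimensions is the obvious next step.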

  1. Select the shadowed rule in the policy. In the example above, that means clicking on line 2.
  2. In the rule details pane, look for the Shadowed By area. In this example, the Shadowed By area for the rule in line 2 shows that it is being shadowed by the rule in line 1: 

shadow_details.png

  3. Review the shadowing rule: is it broader than it needs to be? Review the shadowed rule: do you still need it? Then either narrow the shadowing rule or delete the shadowed rule.

Note: By deleting shadowed rules, you reduce the number of access control entries (ACEs) on your ASA. This frees up space for the creation of other rules with other ACEs. CDO calculates the number of ACEs derived from all the rules in a network policy and displays that total at the top of the network policy details pane. If any of the rules in the network policy are shadowed, it also lists that number.

shadowed rule totals.png

CDO also displays the number of ACEs derived from a single rule in a network policy and displays that information in the network policy details pane. Here is an example of that listing:

ACE_details.png

  4. Determine which devices use the policy by looking in the Devices area of the network policy details pane. 
  5. Open the Devices & Services page and Write Changes to the devices affected by the policy change.