Analyzing Rule Conflicts and Warnings

You can view warnings and information about rule conflicts to examine the logic of your access control policy and to identify rules that need changes. When rules overlap, you can end up with unnecessary rules in the policy, and these rules will never be matched to traffic. The analysis can help you delete unnecessary rules, or identify rules that should be moved or modified so they enforce the desired policy.

Policy warnings and errors point out things that you should understand and perhaps address to ensure that your rules provide the desired services.

Rule conflict analysis identifies the following types of problems:

  • Object Overlap—An element in a field of a rule is a subset of one or more elements in the same field of the rule. For example, the source field might include a network object for 10.1.1.0/24, and another object for the host 10.1.1.1. Because 10.1.1.1 is within the network covered by 10.1.1.0/24, the object for 10.1.1.1 is redundant and can be deleted, simplifying the rule and saving device memory.

  • Redundant Rule—Two rules apply the same action to the same type of traffic and removing the base rule would not change the ultimate result. For example, if a rule permitting FTP traffic for a particular network were followed by a rule allowing IP traffic for that same network, and there were no rules in between denying access, then the first rule is redundant and you can delete it.

  • Shadowed Rule—This is the reverse of a redundant rule. In this case, one rule will match the same traffic as another rule such that the second rule will never be applied to any traffic because it comes later in the access list. If the action for both rules is the same, you can delete the shadowed rule. If the two rules specify different actions for traffic, you might need to move the shadowed rule or edit one of the two rules to implement your desired policy. For example, the base rule might deny IP traffic, and the shadowed rule might permit FTP traffic, for a given source or destination.

Before you begin

When doing the analysis:

  • Only the first conflict for a given rule is identified. Once you fix the problem, the rule might be identified as having a conflict with another rule in the table. However, a rule might have multiple warnings or errors.

  • Rule conflict analysis considers source/destination security zone, network, VLAN, and service/port match conditions and action only. It does not consider other match criteria, so an apparently redundant rule might not be completely redundant.

  • FQDN network objects cannot be analyzed for conflict, because the IP address of an FQDN cannot be known prior to DNS lookup.

  • Disabled rules are ignored.

  • Time range attributes are ignored. Rules for different time periods might be marked as redundant when they are not actually redundant for the time ranges.

  • The rules table shows icons for warnings and errors, and for rule conflicts once you enable that feature. For a reference to the icons, see Rule and Other Policy Warnings.
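As an added example (not Cisco's code and not the product's own analysis engine), the following Python model implements the three conflict types defined above under the limits listed in this section: only network and port match conditions plus the action are compared, disabled rules are skipped, and only the first shadowed or redundant conflict per rule is reported. Rule names, addresses and ports are constructed sample data; zones and VLANs are left out of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str        # "allow" or "block"
    src: list          # source networks as CIDR strings (IPv4 assumed)
    dst: list          # destination networks as CIDR strings
    ports: frozenset   # destination ports; empty means any port
    enabled: bool = True

def nets(cidrs): return [ipaddress.ip_network(c) for c in cidrs]
def object_overlaps(cidrs):  # objects already contained by another object in the same field
    n = nets(cidrs)
    return sorted(str(a) for a in n if any(a != b and a.subnet_of(b) for b in n))
def covered(small, big):  # every network in `small` lies inside some network in `big`
    return all(any(s.subnet_of(b) for b in nets(big)) for s in nets(small))
def is_subset(a, b):  # every packet that rule a matches is also matched by rule b
    ports_ok = not b.ports or (a.ports and a.ports <= b.ports)
    return covered(a.src, b.src) and covered(a.dst, b.dst) and bool(ports_ok)
def intersects(a, b):  # rules a and b can match at least one common packet
    hit = lambda x, y: any(s.overlaps(t) for s in nets(x) for t in nets(y))
    ports_hit = not a.ports or not b.ports or bool(a.ports & b.ports)
    return hit(a.src, b.src) and hit(a.dst, b.dst) and ports_hit

def analyze(rules):  # (kind, rule, other) findings; one conflict per rule, disabled rules ignored
    active = [r for r in rules if r.enabled]
    findings = []
    for i, r in enumerate(active):
        for o in object_overlaps(r.src) + object_overlaps(r.dst):
            findings.append(("object_overlap", r.name, o))
        # shadowed: an earlier rule already matches everything this rule would match
        earlier = next((e for e in active[:i] if is_subset(r, e)), None)
        if earlier:
            findings.append(("shadowed", r.name, earlier.name))
            continue
        # redundant: a later same-action rule covers this one and no different-action rule in between intercepts it
        for k, later in enumerate(active[i + 1:], start=i + 1):
            if later.action == r.action and is_subset(r, later) and not any(
                    b.action != r.action and intersects(r, b) for b in active[i + 1:k]):
                findings.append(("redundant", r.name, later.name))
                break
    return findings

# Constructed sample policy: FTP allow, a broader IP allow that makes it redundant, a block the IP allow shadows, and a disabled rule to skip
RULES = [
    Rule("allow-ftp", "allow", ["10.1.1.0/24", "10.1.1.1/32"], ["0.0.0.0/0"], frozenset({21})),
    Rule("allow-ip", "allow", ["10.1.1.0/24"], ["0.0.0.0/0"], frozenset()),
    Rule("block-web", "block", ["10.1.1.0/24"], ["0.0.0.0/0"], frozenset({80})),
    Rule("old-lab", "allow", ["192.168.0.0/16"], ["0.0.0.0/0"], frozenset(), enabled=False),
]
```

Running `analyze(RULES)` reports the redundant host object inside allow-ftp, allow-ftp as redundant with allow-ip, and block-web as shadowed by allow-ip, which is the case where the two rules' actions differ and the shadowed rule has to be moved rather than deleted.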

Procedure

Step 1

Choose Policy > Access Control and edit an access control policy.

Step 2

Do one of the following to open the rule conflicts and warnings dialog box:

  • To view rule conflicts, click the Analyze drop-down and click Enable Rule Conflicts. When the analysis completes, you see a summary of the conflicts at the top of the page. Then, click Show Rule Conflicts from the same menu to see the specific results.

    You must re-enable rule conflict detection each time you open the policy or make a change and save the policy.

  • To view rule warnings and errors, click Analyze > Show Warnings.

    After you make a change to the policy, you can refresh the results by clicking the reload icon next to the Analyze button.

  • To view policy warnings, click Analyze > Show Policy Warnings.

  • If you are finished viewing rule conflicts, click Analyze > Disable Rule Conflicts.

Step 3

In the rule conflicts and warnings dialog box:

  • Warnings and Errors are shown on a separate tab from Rule Conflicts.

  • Each tab contains sub-tabs to let you examine individual types of problems, such as redundant vs. shadowed or warnings vs. errors. You can also search for an item.

  • The More icon next to each rule name provides shortcuts to edit, disable, or delete the rule.

Step 4

Click Close when finished.