Optimize Your ASA Policies Before You Migrate
Now that you have all your ASAs onboarded, start using CDO to identify and correct problems with network objects, optimize your existing policies, review your VPN connections, and upgrade your ASAs to the newest releases.
Resolve Network Object Issues
Start to optimize the security policies on your ASAs by resolving issues with network policy objects.
- Unused objects—CDO identifies network policy objects that exist in a device configuration but are not referenced by another object, an access-list, or a NAT rule. Find these unused objects and delete them.
- Duplicate objects—Duplicate objects are two or more objects on the same device with different names but the same values. These objects are usually created accidentally, serve similar purposes, and are used by different policies. Look for opportunities to standardize names while recognizing that some duplicates may exist for legitimate reasons.
- Inconsistent objects—Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with the same name and content, but over time the values of these objects diverge, which creates the inconsistency. Consider standardizing the values in these objects or renaming one to identify it as a different object.
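The three object checks above can be reproduced offline against exported ASA running-configs. The script below is an added example, not CDO's or Cisco's code: it parses only `object network` definitions (host/subnet/range bodies), treats any other line that names an object, including `object-group` members, access-lists and NAT statements, as a reference, and then reports unused, duplicate and inconsistent objects. The two device configs are constructed samples for hypothetical devices `ASA-A` and `ASA-B`.

```python
"""Audit ASA 'object network' definitions for unused, duplicate and inconsistent objects.

Added example, not CDO's or Cisco's code. Only 'object network' definitions are
parsed; object-group membership, access-list and NAT lines count as references.
"""
import re
from collections import defaultdict

# Constructed sample running-config snippets for two hypothetical ASAs.
CONFIGS = {
    "ASA-A": """\
object network WEB-SRV
 host 10.1.1.10
object network WEB-SRV-DUP
 description accidental copy of WEB-SRV
 host 10.1.1.10
object network DB-SRV
 host 10.1.1.20
object network UNUSED-NET
 subnet 10.9.0.0 255.255.0.0
object-group network SERVERS
 network-object object WEB-SRV
 network-object object DB-SRV
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV-DUP eq 443
nat (inside,outside) source static DB-SRV DB-SRV
""",
    "ASA-B": """\
object network WEB-SRV
 host 10.1.1.10
object network DB-SRV
 host 10.1.1.21
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV eq 443
access-list OUTSIDE_IN extended permit tcp any object DB-SRV eq 1433
""",
}


def parse_objects(config):
    """Split a config into {object_name: value_lines} and the remaining lines.

    The value is the tuple of body lines (host/subnet/range) with 'description'
    dropped, so two objects compare equal exactly when their addresses match.
    """
    objects, others, current = {}, [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        m = re.match(r"object network (\S+)$", raw)
        if m:
            current = m.group(1)
            objects[current] = []
            continue
        if raw.startswith(" ") and current is not None:
            body = raw.strip()
            if not body.startswith("description"):
                objects[current].append(body)
            continue
        current = None          # any other top-level line ends the object body
        others.append(raw)      # object-group members land here too
    return {name: tuple(value) for name, value in objects.items()}, others


def find_unused(objects, other_lines):
    """Objects whose name never appears as a token outside their own definition."""
    referenced = set()
    for line in other_lines:
        referenced.update(line.split())
    return sorted(name for name in objects if name not in referenced)


def find_duplicates(objects):
    """Groups of differently named objects on one device with identical values."""
    by_value = defaultdict(list)
    for name, value in objects.items():
        by_value[value].append(name)
    return sorted(sorted(names) for names in by_value.values() if len(names) > 1)


def find_inconsistent(per_device):
    """Names defined on two or more devices whose values do not all agree."""
    seen = defaultdict(dict)                    # name -> {device: value}
    for device, objects in per_device.items():
        for name, value in objects.items():
            seen[name][device] = value
    return {name: devices for name, devices in seen.items()
            if len(devices) > 1 and len(set(devices.values())) > 1}


def audit(configs):
    """Run all three checks over {device_name: running_config}."""
    per_device = {}
    report = {"unused": {}, "duplicates": {}}
    for device, config in configs.items():
        objects, others = parse_objects(config)
        per_device[device] = objects
        report["unused"][device] = find_unused(objects, others)
        report["duplicates"][device] = find_duplicates(objects)
    report["inconsistent"] = find_inconsistent(per_device)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(CONFIGS), indent=2))
```

On the sample data the report flags `UNUSED-NET` as unused on ASA-A, `WEB-SRV` and `WEB-SRV-DUP` as duplicates on ASA-A, and `DB-SRV` as inconsistent between the two devices, while `WEB-SRV`, which has the same value on both, is not reported. Before deleting a duplicate, check which policies reference each name, since the page notes that some duplicates exist deliberately.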
Fix Shadow Rules
Now that you have resolved your network object issues, review network policies for shadow rules and fix them. A shadow rule is marked by a half-moon badge on the network policies page. It is a rule in a policy that will never trigger because a rule with higher priority in the policy acts on all the packets before they reach the shadowed rule. If there is a shadowed rule that will never be hit, remove it, or edit the policy to bring that rule "into the light."
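A shadowed rule is one that a higher-priority rule already fully covers. The script below is an added example, not CDO's code, of the simplest form of that check: for each rule in an ASA extended access-list it looks for a single earlier rule in the same ACL that matches every packet the later rule could match. It understands `any`, `host A.B.C.D` and `network netmask` addresses, the `ip`, `tcp` and `udp` protocols, and a destination `eq PORT`; the ACL lines are constructed samples for a hypothetical device.

```python
"""Flag shadowed rules in ASA extended access-lists.

Added example, not CDO's code. A rule is reported when one single earlier rule
in the same ACL covers it, whatever the action of either rule: a covering deny
means the later permit is never hit, a covering permit makes it redundant.
"""
import ipaddress

# Constructed sample ACL lines from a hypothetical ASA (not a real device).
SAMPLE_ACL = [
    "access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443",
    "access-list OUTSIDE_IN extended deny ip any 10.1.1.0 255.255.255.0",
    "access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443",
    "access-list OUTSIDE_IN extended permit tcp any host 10.1.1.20 eq 22",
    "access-list OUTSIDE_IN extended permit udp any host 10.2.2.5 eq 53",
    "access-list INSIDE_OUT extended permit ip any any",
    "access-list INSIDE_OUT extended permit tcp any host 10.1.1.20 eq 22",
]


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (ip_network, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2      # single /32
    # "network netmask" form, e.g. 10.1.1.0 255.255.255.0
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}"), i + 2


def parse_rule(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    src, i = _parse_addr(tokens, 5)
    dst, i = _parse_addr(tokens, i)
    port = tokens[i + 1] if i < len(tokens) and tokens[i] == "eq" else None
    return {"acl": tokens[1], "action": tokens[3], "proto": tokens[4],
            "src": src, "dst": dst, "port": port, "text": line}


def covers(earlier, later):
    """True when every packet matching 'later' is already matched by 'earlier'."""
    proto_ok = earlier["proto"] in ("ip", later["proto"])       # ip covers tcp/udp
    port_ok = earlier["port"] is None or earlier["port"] == later["port"]
    return (proto_ok and port_ok
            and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))


def find_shadowed(acl_lines):
    """Return (shadowed_rule, shadowing_rule) text pairs in ACL order."""
    rules = [parse_rule(line) for line in acl_lines]
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:               # higher-priority rules only
            if earlier["acl"] == later["acl"] and covers(earlier, later):
                found.append((later["text"], earlier["text"]))
                break
    return found


if __name__ == "__main__":
    for shadowed, by in find_shadowed(SAMPLE_ACL):
        print(f"SHADOWED: {shadowed}\n      by: {by}\n")
```

On the sample ACL three rules are reported: the repeated `permit tcp ... eq 443` (covered by its first copy), the `permit tcp any host 10.1.1.20 eq 22` that sits below a `deny ip any 10.1.1.0/24` and so never triggers, and the `INSIDE_OUT` tcp rule below `permit ip any any`. Two limits to keep in mind: a rule that is only covered by the union of several earlier rules is not detected by this single-rule comparison, and rules that use `object` or `object-group` operands would first need those names expanded to addresses, which is one reason the page has you clean up objects before reviewing shadow rules.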