You should *never* translate your CP rules directly to ISA policies. Yes, it's simple and yes, it's often effective, but FSM, it's un-freakin'-manageable! Even with the network you describe, I'll bet with a little time & effort you could reduce the rule set to a couple hundred at most, even without AD groups. Ex: MS operates an "ISP-like thingy" for employees, where they can operate their own web, mail, media, etc. services. I recently helped them migrate their firewall from a CP (their "OLD" net admin finally left) to ISA 2006 and we took a 200+ rule set down to 15, and even then, there are several I still think they don't need. They kept many of them because they just weren't sure what was needed yet. Let's just say his documentation wasn't all that spiffy. -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland Sent: Tuesday, May 15, 2007 10:16 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA Rule Names OK maybe I exaggerate a little but it is in the thousands. Its actually a cp setup which could one day move to isa if we feel like a driving a hole through our head. we have 12 offices, each one of them with their own requirements, most of them running multiple DMZ's with tens of machines in each exposing web stuff, interoffice rules (despite steves suggestion of an allow all rule). Then there are multiple guest wireless LANs in most sites, lab networks, one site alone has 8 supernetted subnets. The rulebase has the entire cp mesh in it, all 12 firewalls. And then there's is all the clients rules we have too generally for support. -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Wednesday, 16 May 2007 12:33 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA Rule Names 4000 rules is absurd. Someone isn't paying attention to what they're creating. I'll bet Steve's next lovin' that these could be reduced to less than 1/10 of their current quantity, given a proper review... -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Tuesday, May 15, 2007 3:56 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA Rule Names OK...list them all...:P From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland Sent: Tuesday, May 15, 2007 7:54 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA Rule Names Indeed and I wouldn't even consider that large..compared to other larger businesses From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Wednesday, 16 May 2007 8:49 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA Rule Names 4000 rules....lol From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland Sent: Tuesday, May 15, 2007 7:37 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA Rule Names I guess it kind of is but I still think of it as a potential improvement to the overall we display rules, but that's great to know Jim I look forward to it! From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Tuesday, 15 May 2007 11:03 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA Rule Names Maybe I'm listening with the wrong eye, but this sounds like two different questions? "What naming convention works for you?" is a bit different than "I want to find out what rules apply to <blah>"... As far as rule names, keep it short, but clear. This way, it makes sense on first glance. Details should be in the "Description" field. We're working on a "rule-alyzer" that should make Greg (and many others) happy, but no firm release date yet. From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland Sent: Tuesday, May 15, 2007 3:55 AM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: ISA Rule Names Jason I have been waiting for an easier way to handle large rulesets in ISA for a few releases now. Im praying 2008 holds the key. I would like the filtering or sorting of rules to be a little better so I can find what I am looking for without having to go through 4000 rules to find what im looking for. I generally try to give as concise a name but whilst still providing me the info of what the rule does without having to open it up. I'd also like to know how other places do it. Ive seen it work in "dare I say it" checkpoint and there rule filtering is great! Tom, Jim, im sure you cant say but will there be any improvements/changes on this front in 2008. A nod or a wink will suffice! Greg From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones Sent: Tuesday, 15 May 2007 8:07 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] ISA Rule Names Hi All, Quick off the wall question... I was wondering if any of you use some form of system for naming ISA rules. As you can imagine, in a complex environment it is often quite easy to get to a large number of rules and hence the actual rules name become more important to understating which rule does what . Up until now, I have always used quite wordy names like 'Allow Access from Exchange Frontend Servers to Exchange backend Servers' or similar. I have also used prefixes like 'Inbound:' or 'Outbound:' or 'Management:' to try and give a basic indicator to the rule purpose. Am I better having simple rule names (maybe based upon application or function?) and do all the wordy stuff in the rule description field??? Any comments or suggestions would be really welcome, especially from people who have used ISA with large rule sets, maybe for big company edge ISA firewall. How do MS do it for their edge ISAs?? I know it is not that important at the end of the day, but just curious for feedback... Thanks JJ All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned.