FMC Managing a cluster of Firewalls

Steve_etc — Mon, 20 Sep 2021 18:07:17 GMT

Hi All,

Looking for a little direction if possible.

We have four Firepower firewalls along an edge at different locations sharing an ACL policy and NAT policy on the FMC. So we make a change in the policy, it is pushed to all four Firewalls.

However, there are a handfull of rules that are specific to each Firewall only (and not the others). Say for example, each has it's own specific DMZ which aren't in the same zone/IG as the other firewall interfaces. Now, when I add those rules specific to only one Firewall into the policy and try to push the policy to all Firewalls, I get the "this policy references interface not applicable to this firewall" error (words to that effect) which makes total sense.

So what would be best practice in this instance? Ideally, I would like to be able to apply multiple policies to each Firewall...one policy all four firewall have, then a single policy for each of the firewalls containing only the 'locally significant' stuff, but that doesn't seem like a thing.

Any advice (such as read about xxxx) would be greatly appreaciated.

Thanks in advance

Steve

Re: FMC Managing a cluster of Firewalls

Marvin Rhoads — Tue, 21 Sep 2021 02:28:57 GMT

I believe you can do this by implementing Access Control Policies with the "Inheritance" feature. More details can be found here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/getting_started_with_access_control_policies.html#task_BE64105A65EF48818499392E831EC638

Re: FMC Managing a cluster of Firewalls

Steve_etc — Tue, 21 Sep 2021 06:56:26 GMT

Great, that looks like what I am after...Thank you for taking the time!

topic Re: FMC Managing a cluster of Firewalls in Network Security

FMC Managing a cluster of Firewalls

Re: FMC Managing a cluster of Firewalls

Re: FMC Managing a cluster of Firewalls