https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640946#M1091434 <P>For PBR, the Flexconfig policy references the ACL. so changing the ACL suffices to change the net behavior of the Flexconfig policy</P> Wed, 29 Jun 2022 16:07:15 GMT Marvin Rhoads 2022-06-29T16:07:15Z https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640664#M1091409 <P>Hi</P><P>&nbsp;</P><P>We have a cisco ftd configure via fmc.</P><P>We have a guest ADSL connection configured via Flexconfig PBR to route the guest subnet 10.10.251.0/24 to ADSL GW.</P><P>Now i have a requirement to exclude 2 ip addresses from the 251 range from the flexconfig PBR.</P><P>&nbsp;</P><P>Need assistance how i can achieve it.</P><P>&nbsp;</P> Wed, 29 Jun 2022 07:10:23 GMT https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640664#M1091409 shaikh.zaid22 2022-06-29T07:10:23Z https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640683#M1091412 <P>check this guide :&nbsp; ( remove related config related to IP subnet you looking to remove) so it used default route</P> <P>&nbsp;</P> <P><A href="https://integratingit.wordpress.com/2021/04/18/ftd-policy-based-routing/" target="_blank">https://integratingit.wordpress.com/2021/04/18/ftd-policy-based-routing/</A></P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217588-configure-pbr-with-ip-slas-for-dual-isp.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217588-configure-pbr-with-ip-slas-for-dual-isp.html</A></P> Wed, 29 Jun 2022 08:14:06 GMT https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640683#M1091412 balaji.bandi 2022-06-29T08:14:06Z https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640740#M1091420 <P>I am assuming you have an ACL that is matching on the traffic that is to be sent to the guest subnet?&nbsp; If so, then it is just a matter of adding deny statement at the top of that ACL for the two IPs you want to exclude and then deploy.</P> Wed, 29 Jun 2022 09:57:52 GMT https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640740#M1091420 Marius Gunnerud 2022-06-29T09:57:52Z https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640756#M1091421 <P>Hi Marius,</P><P>&nbsp;</P><P>You are correct, i have one subnet in one ACL that is called-in to the Flexconfig.</P><P>&nbsp;</P><P>From this same subnet i want to remove/axe two ip addresses to not get forwarded towards the ADSL GW.</P><P>&nbsp;</P><P>So shall just add the two ip's in the same ACL with Actions as Block ?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 29 Jun 2022 10:59:44 GMT https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640756#M1091421 shaikh.zaid22 2022-06-29T10:59:44Z https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640759#M1091422 <P>Correct, just add the two IP in the same ACL with block action, above the permit rule (this is important), and you should be good.</P> Wed, 29 Jun 2022 11:10:00 GMT https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640759#M1091422 Marius Gunnerud 2022-06-29T11:10:00Z https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640763#M1091423 <P>Thanks Marius. I will do as directed.</P><P>&nbsp;</P><P>However, do i not have to touch anything in the flexconfig part ?</P><P>&nbsp;</P><P>Only ACL changes will suffice right ?</P><P>&nbsp;</P><P>Thanks once again</P> Wed, 29 Jun 2022 11:25:16 GMT https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640763#M1091423 shaikh.zaid22 2022-06-29T11:25:16Z https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640767#M1091425 <P>Just the ACL configuration.</P> Wed, 29 Jun 2022 11:33:30 GMT https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640767#M1091425 Marius Gunnerud 2022-06-29T11:33:30Z https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640946#M1091434 <P>For PBR, the Flexconfig policy references the ACL. so changing the ACL suffices to change the net behavior of the Flexconfig policy</P> Wed, 29 Jun 2022 16:07:15 GMT https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4640946#M1091434 Marvin Rhoads 2022-06-29T16:07:15Z https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4642722#M1091508 <P>Thank Marius.&nbsp;</P><P>&nbsp;</P><P>It worked.</P> Sat, 02 Jul 2022 08:37:17 GMT https://community.cisco.com/t5/network-security/flexconfig-in-cisco-ftd/m-p/4642722#M1091508 shaikh.zaid22 2022-07-02T08:37:17Z