https://community.cisco.com/t5/network-security/dstribuited-soho-firewall-system/m-p/4651234#M1091870 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/323069">@l.buschi</a> I would personally prefer to keep the deployment as simple as possible and use a single shared ACP where possible. You do have the ability to use object overrides</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/objects-object-mgmt.html#concept_8BFE8B9A83D742D9B647A74F7AD50053" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/objects-object-mgmt.html#concept_8BFE8B9A83D742D9B647A74F7AD50053</A></P> <P>"You can create an object whose definition works for most devices, and then use overrides to specify modifications to the object for the few devices that need different definitions. You can also create an object that needs to be overridden for all devices, but its use allows you to create a single policy for all devices. Object overrides allow you to create a smaller set of shared policies for use across devices without giving up the ability to alter policies when needed for individual devices."</P> <P>&nbsp;</P> Fri, 15 Jul 2022 15:01:25 GMT Rob Ingram 2022-07-15T15:01:25Z https://community.cisco.com/t5/network-security/dstribuited-soho-firewall-system/m-p/4651229#M1091869 <P>Hi all,</P> <P>actually I have a system of 10 ASA5506x with firepower distribuited in 10 different locations.</P> <P>The NGS are managed by FMC and I only have a unique access-control policy that can manage all of them.</P> <P>Their configuration is very simple, they only have an inside interface, outside interface and guest interface. They only have a single source PAT using their public outside interface address. No Static NAT and no service aree reachable from outside.</P> <P>Now I have to migrate these ASAs to FTD 1010, my question is:</P> <P>in your opinion,&nbsp;</P> <P>Is it better to create 10 different specific pre-filter rules, 10 specific nat rules and 10 specific access-control rules, or creating a uinque generic nat rule, 1 pre-filter rule and 1 access-control rule would be better?</P> <P>Or a mix&nbsp;</P> <P>Tks</P> <P>Johnny</P> <P>&nbsp;</P> Fri, 15 Jul 2022 14:51:04 GMT https://community.cisco.com/t5/network-security/dstribuited-soho-firewall-system/m-p/4651229#M1091869 l.buschi 2022-07-15T14:51:04Z https://community.cisco.com/t5/network-security/dstribuited-soho-firewall-system/m-p/4651234#M1091870 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/323069">@l.buschi</a> I would personally prefer to keep the deployment as simple as possible and use a single shared ACP where possible. You do have the ability to use object overrides</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/objects-object-mgmt.html#concept_8BFE8B9A83D742D9B647A74F7AD50053" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/objects-object-mgmt.html#concept_8BFE8B9A83D742D9B647A74F7AD50053</A></P> <P>"You can create an object whose definition works for most devices, and then use overrides to specify modifications to the object for the few devices that need different definitions. You can also create an object that needs to be overridden for all devices, but its use allows you to create a single policy for all devices. Object overrides allow you to create a smaller set of shared policies for use across devices without giving up the ability to alter policies when needed for individual devices."</P> <P>&nbsp;</P> Fri, 15 Jul 2022 15:01:25 GMT https://community.cisco.com/t5/network-security/dstribuited-soho-firewall-system/m-p/4651234#M1091870 Rob Ingram 2022-07-15T15:01:25Z