topic Re: Prioritising local firewall rules with global rules also on ASA in Network Security https://community.cisco.com/t5/network-security/prioritising-local-firewall-rules-with-global-rules-also-on-asa/m-p/5075254#M1111520 <P>can you more elaborate&nbsp;</P> <P>MHM</P> Mon, 22 Apr 2024 13:48:20 GMT MHM Cisco World 2024-04-22T13:48:20Z Prioritising local firewall rules with global rules also on ASA https://community.cisco.com/t5/network-security/prioritising-local-firewall-rules-with-global-rules-also-on-asa/m-p/5075187#M1111513 <P><SPAN>How to prioritise local firewall rules when global rules are also configured in Cisco ASA firewalls managed in CSM</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>A way for local rules to get checked first when global rules are also configured in Cisco ASA firewalls managed in CSM</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>With rule inheritance, we can have a local device contain the rules defined in a shared "global" policy in addition to local rules.</SPAN><SPAN><BR /></SPAN><SPAN>CSM can enforce a hierarchy where policies at a lower level (called child policies) inherit the rules of policies defined above them in the hierarchy (called parent policies).</SPAN><SPAN><BR /></SPAN> <SPAN><BR /></SPAN><SPAN>Unfortunately, I ran into this issue that a local subnet would still get access to whatever the first half of the "global" policy allows (above the local rules).</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>In other words, securing a local subnet with local rules can be tricky when global policies are associated with ASA firewalls in CSM because one half of the "global" policies precedes the local rules and so an isolated subnet will still get access to whatever the preceding global rules allow.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>A solution is to create a “DENY-GLOBAL” policy which has only those deny rules that we want to apply on a particular ASA firewall.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Then, we subordinate the actual “GLOBAL POLICY” - as a child policy – to the “DENY-GLOBAL” policy (which will be the parent policy).</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Then we associate this bespoke policy with the firewalls.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>This way, any changes to the global policy are still automatically updated in the global policy.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>To make this more scalable, we could use the override function in the objects used in the “DENY-GLOBAL” parent policy so that one policy can be used on different firewalls.</SPAN></P> Mon, 22 Apr 2024 12:18:30 GMT https://community.cisco.com/t5/network-security/prioritising-local-firewall-rules-with-global-rules-also-on-asa/m-p/5075187#M1111513 ArpadPapp 2024-04-22T12:18:30Z Re: Prioritising local firewall rules with global rules also on ASA https://community.cisco.com/t5/network-security/prioritising-local-firewall-rules-with-global-rules-also-on-asa/m-p/5075254#M1111520 <P>can you more elaborate&nbsp;</P> <P>MHM</P> Mon, 22 Apr 2024 13:48:20 GMT https://community.cisco.com/t5/network-security/prioritising-local-firewall-rules-with-global-rules-also-on-asa/m-p/5075254#M1111520 MHM Cisco World 2024-04-22T13:48:20Z