FMC Multi-domain Configuration

lm20ele — Mon, 03 Mar 2025 22:36:38 GMT

For long time we have lived with only the global domain.

Now we are facing the need for at least two domains to isolate admin tasks.

Does moving from global domain to a multitenancy disruptive? is there anything I should be aware before performing the configuration?

I would not like to loose any policy or something.

Thanks

Re: FMC Multi-domain Configuration

Rob Ingram — Tue, 04 Mar 2025 08:04:39 GMT

@lm20ele

You can move devices between domains as long as the source and the target domains are visible from the domain where you are moving the devices. Moving a device between domains can affect the configurations and policies applied to the device. The system retains the following device configurations while moving devices between domains.

Interfaces
Inline sets
Routing
DHCP
Associated objects
SNMP (if available)

The following changes can occur to the configuration of a device when it is moved between domains:

If you want the system to retain the device configurations after the devices are moved to the target domain, ensure that:
- The shared access control policies are in the Global domain. We also recommend that the other shared policies are in the Global domain.
For VPN configurations,
- The site-to-site VPN configurations are in the target domain.
- The remote access VPN configurations and device certificates are in the global or target domain.
- When you assign a remote access VPN policy to a device, you can move the device from one domain to another, only if the target domain is a descendant of the domain in which remote access VPN is configured.
The network objects for SNMP are in the global domain.

You can move the device into any child domain without deleting the enrolled certificate on the device. Specifically:
- If the health policy applied to a moved device is inaccessible in the new domain, you can choose a new health policy.
- If the access control policy assigned to a moved device is not valid or accessible in the new domain, choose a new policy. Every device must have an assigned access control policy.
- If the interfaces on the moved device belong to a security zone that is inaccessible in the new domain, you can choose a new zone.
- Interfaces are removed from:
  - Security zones that are inaccessible in the new domain and not used in an access control policy.
  - All interface groups.

If devices require a policy update but you do not need to move interfaces between zones, the system displays a message stating that zone configurations are up to date. For example, if a device's interfaces belong to a security zone configured in a common ancestor domain, you do not need to update zone configurations when you move devices from subdomain to subdomain.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/740/management-center-admin-74/system-domains.html#task_426EB226536E44DFA1FC1F7258A999F9

topic Re: FMC Multi-domain Configuration in Network Security

FMC Multi-domain Configuration

Re: FMC Multi-domain Configuration