https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744178#M533497 <HTML><HEAD></HEAD><BODY><P> Hello,</P><P></P><P>Yes, that does clear my doubts about this.&nbsp; Instinctively, I thought that it worked like that, but I could not find anything in the documenatation, or an example that confirmed it.</P><P></P><P>Thanks,</P><P></P><P>Paul</P></BODY></HTML> Tue, 16 Aug 2011 12:39:57 GMT pncisco216 2011-08-16T12:39:57Z https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744176#M533493 <P>I understand from the Cisco documentation that a service-policy applied to an interface on an ASA 5500 series firewall, will override the default global service-policy.&nbsp; However, I am not clear on whether it will override the entire global service-policy, or only the parts where they overlap.&nbsp; In other words, would the resulting service-policy on the interface in question be just what was applied in the service-policy on the interface, completely replacing the global service-policy?&nbsp; Or, would it be a combination of the global and interface service-policies, with the interface one taking precedence where they overlap?</P><P></P><P>if I wanted an interface to have the same service-policy as the global service-policy plus on other item, can I just add the one item in a service-policy that I apply to the interface, or do I have to replicate all the items from the global policy, plus the one additional item, and apply that to the interface.</P><P></P><P>Thank you.</P> Mon, 11 Mar 2019 21:11:56 GMT https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744176#M533493 pncisco216 2019-03-11T21:11:56Z https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744177#M533495 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P> <IMG border="0" height="2" src="http://www.cisco.com/en/US/partner/i/templates/blank.gif" width="19" /></P><P>Interface&nbsp; service policies take precedence over the global service policy for a&nbsp; given feature. For example, if you have a global policy with FTP&nbsp; inspection, and an interface policy with TCP normalization, then both&nbsp; FTP inspection and TCP normalization are applied to the interface.&nbsp; However, if you have a global policy with FTP inspection, and an&nbsp; interface policy with FTP inspection, then only the interface policy FTP&nbsp; inspection is applied to that interface. </P><P></P><P>Here is a doc for detailed study:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/mpf.html">http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/mpf.html</A></P><P></P><P>Hope this clears out your doubt.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Tue, 16 Aug 2011 07:19:40 GMT https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744177#M533495 varrao 2011-08-16T07:19:40Z https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744178#M533497 <HTML><HEAD></HEAD><BODY><P> Hello,</P><P></P><P>Yes, that does clear my doubts about this.&nbsp; Instinctively, I thought that it worked like that, but I could not find anything in the documenatation, or an example that confirmed it.</P><P></P><P>Thanks,</P><P></P><P>Paul</P></BODY></HTML> Tue, 16 Aug 2011 12:39:57 GMT https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744178#M533497 pncisco216 2011-08-16T12:39:57Z https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744179#M533498 <HTML><HEAD></HEAD><BODY><P>Glad I could help <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>-Varun</P></BODY></HTML> Tue, 16 Aug 2011 13:07:44 GMT https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744179#M533498 varrao 2011-08-16T13:07:44Z https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744180#M533499 <HTML><HEAD></HEAD><BODY><P>Thank you for your reply! </P><P><SPAN style="font-size: 10pt;">And what if Cisco ASA is configured with global policy and interface policy. Both policies have ftp inspection and traffic does not match class map for interface policy, but match class map for global policy. Will such traffic be inspected by global policy?</SPAN></P></BODY></HTML> Wed, 05 Feb 2014 08:13:40 GMT https://community.cisco.com/t5/network-security/asa-modular-policy-framework-global-vs-interface/m-p/1744180#M533499 Frantsuz21 2014-02-05T08:13:40Z