ASA 5506-X Sourcefire unable to create new Access Control Policy

bal09
Level 1

Not sure why the ASA is not allowing me to create a new Access Control Policy and any help would be appreciated.

Updated the Sourcefire from 5.4.1 to 6.0.1-29 and now I cannot see where the create a new policy has disappeared to.

Logon to the ASDM and go to configuration > ASA Firepower Configuration > Policies > Access Control Policy

I have the default allow all traffic policy but cannot add anything new

The ASA is licensed with a valid Protection Control / Malware and URL filtering licenses

8 Replies

Philip D'Ath
VIP Alumni

Click "Add Rule" near the middle right.

Philip, I don't think you understand what I meant. The problem is I want to create a new policy and then add rules.

I want to leave the default policy as it is.

Any ideas how to do that?

Hello Bal,

After the upgrade, if you cannot create a new policy then this can be due to database table issues. After the upgrade, did the reboot finish successfully and did the policy reapply go fine?

This can happen if there is a policy lock file created on the device.

We can say this only by looking at the troubleshoot files as well as the database tables. Thus please open a service request with TAC, since this has to do with the database tables.

Rate if this answer helps you.

Regards

Jetsy

ankojha
Level 3

Hi,

If you are running 6.0 then you will not be able to create an access control policy from ASDM, and this is as per design, as you are managing just a single device from ASDM.

There is also a documentation bug reported for the same:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux82138/?reffering_site=dumpcr

If you have a FireSIGHT Management Center, then you have the option of creating multiple policies, as different devices can be added to it.

In your case, from ASDM try adding as many rules as you want in the same default policy and, if required, change the policy name from default to any custom name.

Rate if it helps.

Thanks,

Ankita

Thanks for the reply. A huge shame Cisco keeps going backwards, but I guess they will hopefully resolve this in future releases.

I'm not sure you get the "policies".

A device can only have one policy applied to it. The onboard management can only manage the local device, one device. What would be the point of being able to create an extra policy that you could never deploy or assign?

Being able to follow Cisco's own ASDM Quick Start Guide would be one major reason :o(

First, before anyone jumps on it, I understand that only 1 Access Control Policy can be applied.

As recently as the document ASA with FirePOWER Services Local Management Configuration Guide, Version 6.2.3, there are still instructions to create new policies, so it's frustrating to find it's actually been removed.

I'm just starting to move FirePower modules from 5.4 to 6 and so far, the lack of multiple policies is the one thing I've run into that's going to change the way I'm doing things.

Why would you want multiple policies? Some ask. What I use it for is to build a new policy without having to modify the running policy, then deploy when ready. I can then easily roll back if needed. I feel this is a valid reason to have this feature.
