08-15-2011 11:52 AM - edited 03-11-2019 02:11 PM
I understand from the Cisco documentation that a service-policy applied to an interface on an ASA 5500 series firewall, will override the default global service-policy. However, I am not clear on whether it will override the entire global service-policy, or only the parts where they overlap. In other words, would the resulting service-policy on the interface in question be just what was applied in the service-policy on the interface, completely replacing the global service-policy? Or, would it be a combination of the global and interface service-policies, with the interface one taking precedence where they overlap?
If I wanted an interface to have the same service-policy as the global service-policy plus one other item, can I just add the one item in a service-policy that I apply to the interface, or do I have to replicate all the items from the global policy, plus the one additional item, and apply that to the interface?
Thank you.
08-16-2011 12:19 AM
Hi,
Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.
Here is a doc for detailed study:
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/mpf.html
Hope this clears up your doubt.
Thanks,
Varun
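The per-feature merge described in the answer above, as an added example that is not part of the thread and not Cisco code. It parses a constructed ASA configuration (the class and policy names tcp_norm_class, outside_policy and tcp-map-1 are assumptions) and computes, per interface, which policy supplies each feature: global features are applied first, then the interface policy replaces any feature it also configures and adds the rest. Only the `inspect` and `set connection` action keywords are modelled as features; other actions are keyed on their first word.

```python
"""Model of ASA MPF precedence between a global and an interface service
policy: the interface policy wins per feature, not as a whole policy.
Added example; the configuration text below is constructed, not taken
from the thread or from Cisco documentation."""

# Constructed ASA configuration. tcp_norm_class, outside_policy and
# tcp-map-1 are assumed names for the example.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map tcp_norm_class
 match any
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns
policy-map outside_policy
 class inspection_default
  inspect ftp strict
 class tcp_norm_class
  set connection advanced-options tcp-map-1
service-policy global_policy global
service-policy outside_policy interface outside
"""


def feature_key(action):
    """Reduce an action line to the MPF feature it configures.
    'inspect ftp' and 'inspect ftp strict' are the same feature (FTP
    inspection); 'set connection advanced-options ...' is TCP normalization,
    while the other 'set connection' keywords are connection limits/timeouts.
    This grouping is a simplification for the example."""
    words = action.split()
    if words[0] == "inspect":
        return " ".join(words[:2])
    if words[:2] == ["set", "connection"]:
        if len(words) > 2 and words[2] == "advanced-options":
            return "set connection advanced-options"
        return "set connection"
    return words[0]


def parse_config(text):
    """Return (policy_maps, global_policy_name, {interface: policy_name}).
    policy_maps maps a policy-map name to [(class_name, action), ...] in
    configuration order. Indentation follows ASA 'show run' conventions:
    one space for 'class' under a policy-map, two for its actions."""
    policy_maps = {}
    global_name = None
    iface_policies = {}
    current_pm = current_class = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        words = raw.split()
        if indent == 0:
            current_pm = current_class = None
            if words[0] == "policy-map":
                current_pm = words[1]
                policy_maps[current_pm] = []
            elif words[0] == "service-policy":
                if words[2] == "global":
                    global_name = words[1]
                elif words[2] == "interface":
                    iface_policies[words[3]] = words[1]
        elif indent == 1 and current_pm and words[0] == "class":
            current_class = words[1]
        elif indent == 2 and current_pm and current_class:
            policy_maps[current_pm].append((current_class, raw.strip()))
    return policy_maps, global_name, iface_policies


def effective_policy(text, interface):
    """Features applied on `interface`: the global policy's features first,
    then the interface policy's, which replace a global entry for the same
    feature and are simply added otherwise."""
    policy_maps, global_name, iface_policies = parse_config(text)
    effective = {}
    for pm_name in (global_name, iface_policies.get(interface)):
        if pm_name is None:
            continue
        for cls, action in policy_maps[pm_name]:
            effective[feature_key(action)] = {
                "policy": pm_name, "class": cls, "action": action}
    return effective


if __name__ == "__main__":
    for iface in ("outside", "inside"):
        print("interface", iface)
        for feat, src in effective_policy(SAMPLE_CONFIG, iface).items():
            print("  %-32s <- %s / class %s" % (feat, src["policy"], src["class"]))
```

Run as a script it lists, for "outside", FTP inspection and TCP normalization coming from outside_policy and DNS inspection still coming from global_policy; for "inside", which has no interface policy, only the two global inspections appear. That is the answer to the original question: the interface policy only needs the one additional feature, the rest of the global policy still applies.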
08-16-2011 05:39 AM
Hello,
Yes, that does clear my doubts about this. Instinctively, I thought that it worked like that, but I could not find anything in the documentation, or an example that confirmed it.
Thanks,
Paul
08-16-2011 06:07 AM
Glad I could help
-Varun
02-05-2014 12:13 AM
Thank you for your reply!
And what if a Cisco ASA is configured with a global policy and an interface policy? Both policies have FTP inspection, and traffic does not match the class map for the interface policy but matches the class map for the global policy. Will such traffic be inspected by the global policy?