3153 Views | 0 Helpful | 4 Replies
pntbaytel
Beginner

ASA Modular Policy Framework - Global vs. Interface

I understand from the Cisco documentation that a service-policy applied to an interface on an ASA 5500 series firewall will override the default global service-policy. However, I am not clear on whether it will override the entire global service-policy, or only the parts where they overlap. In other words, would the resulting service-policy on the interface in question be just what was applied in the service-policy on the interface, completely replacing the global service-policy? Or would it be a combination of the global and interface service-policies, with the interface one taking precedence where they overlap?

If I wanted an interface to have the same service-policy as the global service-policy plus one other item, can I just add the one item in a service-policy that I apply to the interface, or do I have to replicate all the items from the global policy, plus the one additional item, and apply that to the interface?

Thank you.

4 REPLIES
varrao
Advocate

Hi,

Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.

Here is a doc for detailed study:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/mpf.html

Hope this clears out your doubt.

Thanks,

Varun

Thanks,
Varun Rao
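To make the per-feature precedence rule in the reply above concrete, here is a constructed ASA configuration fragment (added for illustration; it is not from the original thread or from Cisco's documentation). The global policy performs FTP inspection on the default inspection traffic, while the interface policy on `outside` applies only a TCP map. The interface nameif `outside` and the names `TCP_NORM_MAP`, `OUTSIDE_TCP_NORM` and `OUTSIDE_POLICY` are assumptions chosen for the example.

```cisco
! Constructed example, not from the original thread.
! Interface name "outside" and the object names below are assumptions.

! --- Global policy: FTP inspection applied to every interface ---
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global

! --- Interface policy: TCP normalization only, applied to "outside" ---
! Clear TCP options 6 and 7 (obsolete echo/echo-reply) from matched flows
tcp-map TCP_NORM_MAP
 tcp-options range 6 7 clear
!
class-map OUTSIDE_TCP_NORM
 match any
!
policy-map OUTSIDE_POLICY
 class OUTSIDE_TCP_NORM
  set connection advanced-options TCP_NORM_MAP
!
service-policy OUTSIDE_POLICY interface outside
```

With this configuration, traffic on `outside` gets both FTP inspection (from `global_policy`, because the interface policy does not configure that feature) and the TCP normalization from `OUTSIDE_POLICY`; the other interfaces get FTP inspection only. This is the answer to the "global plus one extra item" case in the question: the interface policy only needs the extra feature, not a copy of the global policy. If `inspect ftp` were also added under a class in `OUTSIDE_POLICY`, the interface policy's FTP inspection would replace the global one on `outside`. `show service-policy global` and `show service-policy interface outside` display the policies and per-feature counters so the effective behaviour can be verified on the device.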

Hello,

Yes, that does clear my doubts about this. Instinctively, I thought that it worked like that, but I could not find anything in the documentation, or an example that confirmed it.

Thanks,

Paul

Glad I could help

-Varun

Thanks,
Varun Rao

Thank you for your reply!

And what if the Cisco ASA is configured with a global policy and an interface policy? Both policies have FTP inspection, and traffic does not match the class map for the interface policy but does match the class map for the global policy. Will such traffic be inspected by the global policy?
