Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
97
Views
1
Helpful
2
Replies

CSDAC and multiple FQDN objects and CSCwh64784

Go to solution
atsukane
Level 3
Level 3

‎11-21-2024 05:06 AM

Hi all,

We are looking to enable/integrate CSDAC on our FMC to better manage ACPs.

However, as we've been hit with CSCwh64784 which is affecting  ACP rules with multiple FQDN objects, wondered whether rules that use Dynamic Objects consisting of multiple FQDN objects would be also affected by this bug?  

CSCwh64784

FTD: Firewall is not matching ACP rules with multiple FQDN objects configured

Symptom: Traffic does not match an ACP rule which has more than one FQDN object specified as source or destination networks. Instead, another rule below will be matched.

Conditions: 1) An ACP rule is configured with more than one FQDN object as a matching condition. 2) There are no IP-based objects in source or destination networks.

Workaround: For FQDN-based rules specify only one FQDN object. If needed, create a separate rule for every FQDN that should be matched.

Please let us know.

Many thanks,

P.s. I've posted a question on the bug thread requesting updates about this bug.

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
amsathya
Cisco Employee
Cisco Employee

‎11-21-2024 06:12 AM

Hello,

I don't see this bug impacting the use of DynamicObjects. If you use multiple DynamicObjects in rules it should work.
One thing to point out here about DynamicObjects is that currently we support grouping ip addresses using DynamicObjects, it can be used to represent one/multiple fqdns if the object can be kept up to date with the mappings. In other words a DynamicObjects can contain ip addresses/networks but not fqdns as of today.

hth, please do not hesitate to reach out/ask further questions if you have a specific use case in mind.

Cheers!

 

View solution in original post

2 Replies 2

Go to solution
amsathya
Cisco Employee
Cisco Employee

‎11-21-2024 06:12 AM

Hello,

I don't see this bug impacting the use of DynamicObjects. If you use multiple DynamicObjects in rules it should work.
One thing to point out here about DynamicObjects is that currently we support grouping ip addresses using DynamicObjects, it can be used to represent one/multiple fqdns if the object can be kept up to date with the mappings. In other words a DynamicObjects can contain ip addresses/networks but not fqdns as of today.

hth, please do not hesitate to reach out/ask further questions if you have a specific use case in mind.

Cheers!

 

Go to solution
atsukane
Level 3
Level 3
In response to amsathya

‎11-21-2024 06:27 AM

@amsathya Thanks, that's great news. Thanks for confirming. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card