Solved: Re: Firepower Policy and Domain Question

ChristopherCraddock66504 · ‎02-08-2021

Community,

In the FMC, is there a way to move an Access Control Policy that was created under a subdomain into the "Global" domain? Or do I have to completely recreate the policy in the Global Domain view? When I try to copy the policy it just places it in the same domain as the original.

Thank you.

Oliver Kaiser · ‎02-09-2021

That is not correct, you can just export the policy from the source domain and import it to the destination domain

1) Goto Policies > Access Control > Import/Export

2) Select the policy you want to export and press "Export" -> .sfo File will be saved to Disk

3) Change Domain to "Global" and click on "Upload Package"

4) Choose the file you exportet from Child Domain

5) Hit Import

6) Set "Import as new" or just keep the same name - I'd recommand "Import as new" to not create duplicate names

7) Wait a few seconds/minutes - A task will be scheduled and the policy should be right the in the other domain - objects from childdomain will be imported as well, just keep that in mind (policy objects like Realms might need to be remapped on Import)

Hope that helps

View solution in original post

Marius Gunnerud · ‎02-08-2021

You would need to recreate the ACP rules in the Global domain. You can however automate this using API.

--
Please remember to select a correct answer and rate helpful posts

Oliver Kaiser · ‎02-09-2021

That is not correct, you can just export the policy from the source domain and import it to the destination domain

1) Goto Policies > Access Control > Import/Export

2) Select the policy you want to export and press "Export" -> .sfo File will be saved to Disk

3) Change Domain to "Global" and click on "Upload Package"

4) Choose the file you exportet from Child Domain

5) Hit Import

6) Set "Import as new" or just keep the same name - I'd recommand "Import as new" to not create duplicate names

7) Wait a few seconds/minutes - A task will be scheduled and the policy should be right the in the other domain - objects from childdomain will be imported as well, just keep that in mind (policy objects like Realms might need to be remapped on Import)

Hope that helps

Marius Gunnerud · ‎02-09-2021

Yes, but that is if you want to move the whole ACP policy into Global. But if you are trying to just move some rules, this is not possible as of yet.

--
Please remember to select a correct answer and rate helpful posts

Oliver Kaiser · ‎02-09-2021

Yeah that is correct, but the question was only about copying/moving the whole policy and not a single rule.

ChristopherCraddock66504 · ‎02-09-2021

Oliver/Marrius,

Thank you both very much for your replies! Yes, I was looking to move the entire policy from their current domain to the Global Domain. I did have one final question regarding this process. The Interface Zone objects that are part of each policy do not exist in the Global Object database, just in their respective domains. If I move a policy that references Interface Zone objects that are NOT in the Global domain DB, will this be a problem? I have interface zone objects in each policy that have the same name but different interfaces assigned.

Thank you.