Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1082
Views
0
Helpful
2
Replies

FMC Managing a cluster of Firewalls

Go to solution
Steve_etc
Level 1
Level 1

‎09-20-2021 11:07 AM

Hi All,

 

Looking for a little direction if possible.

 

We have four Firepower firewalls along an edge at different locations sharing an ACL policy and NAT policy on the FMC. So we make a change in the policy, it is pushed to all four Firewalls.

 

However, there are a handfull of rules that are specific to each Firewall only (and not the others). Say for example, each has it's own specific DMZ which aren't in the same zone/IG as the other firewall interfaces. Now, when I add those rules specific to only one Firewall into the policy and try to push the policy to all Firewalls, I get the "this policy references interface not applicable to this firewall" error (words to that effect) which makes total sense.

 

So what would be best practice in this instance? Ideally, I would like to be able to apply multiple policies to each Firewall...one policy all four firewall have, then a single policy for each of the firewalls containing only the 'locally significant' stuff, but that doesn't seem like a thing.

 

Any advice (such as read about xxxx) would be greatly appreaciated.

 

 

Thanks in advance

Steve

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-20-2021 07:28 PM

I believe you can do this by implementing Access Control Policies with the "Inheritance" feature. More details can be found here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/getting_started_with_access_control_policies.html#task_BE64105A65EF48818499392E831EC638

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-20-2021 07:28 PM

I believe you can do this by implementing Access Control Policies with the "Inheritance" feature. More details can be found here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/getting_started_with_access_control_policies.html#task_BE64105A65EF48818499392E831EC638

0 Helpful

Go to solution
Steve_etc
Level 1
Level 1
In response to Marvin Rhoads

‎09-20-2021 11:56 PM

Great, that looks like what I am after...Thank you for taking the time!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card