FMC Multi-domain Configuration

lm20ele
Level 1

For a long time we have lived with only the global domain.

Now we are facing the need for at least two domains to isolate admin tasks.

Is moving from the global domain to multitenancy disruptive? Is there anything I should be aware of before performing the configuration?

I would not like to lose any policy or anything.

Thanks


@lm20ele 

You can move devices between domains as long as the source and the target domains are visible from the domain where you are moving the devices. Moving a device between domains can affect the configurations and policies applied to the device. The system retains the following device configurations while moving devices between domains.

  • Interfaces

  • Inline sets

  • Routing

  • DHCP

  • Associated objects

  • SNMP (if available)

The following changes can occur to the configuration of a device when it is moved between domains:

  • If you want the system to retain the device configurations after the devices are moved to the target domain, ensure that:

    • The shared access control policies are in the Global domain. We also recommend that the other shared policies are in the Global domain.

  • For VPN configurations,

    • The site-to-site VPN configurations are in the target domain.

    • The remote access VPN configurations and device certificates are in the global or target domain.

    • When you assign a remote access VPN policy to a device, you can move the device from one domain to another, only if the target domain is a descendant of the domain in which remote access VPN is configured.

  • The network objects for SNMP are in the global domain.

  • You can move the device into any child domain without deleting the enrolled certificate on the device. Specifically:

    • If the health policy applied to a moved device is inaccessible in the new domain, you can choose a new health policy.

    • If the access control policy assigned to a moved device is not valid or accessible in the new domain, choose a new policy. Every device must have an assigned access control policy.

    • If the interfaces on the moved device belong to a security zone that is inaccessible in the new domain, you can choose a new zone.

    • Interfaces are removed from:

      • Security zones that are inaccessible in the new domain and not used in an access control policy.

      • All interface groups.

If devices require a policy update but you do not need to move interfaces between zones, the system displays a message stating that zone configurations are up to date. For example, if a device's interfaces belong to a security zone configured in a common ancestor domain, you do not need to update zone configurations when you move devices from subdomain to subdomain.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/740/management-center-admin-74/system-domains.html#task_426EB226536E44DFA1FC1F7258A999F9
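As an added illustration (not from the reply above, not Cisco's code and not the FMC API), the following pre-flight check models the domain-visibility rules the reply describes: a policy or object defined in a domain is accessible in that domain and its descendants, and a move is only clean when the access control policy, health policy, zones and VPN configuration assigned to the device remain accessible from the target domain. Domain, policy and zone names are constructed examples.

```python
# Constructed FMC-style domain tree: child -> parent, root "Global" has no parent.
TREE_PARENTS = {
    "Global": None,
    "Global/TenantA": "Global",
    "Global/TenantA/Site1": "Global/TenantA",
    "Global/TenantB": "Global",
}

class DomainTree:
    def __init__(self, parents):
        self.parents = parents

    def ancestors(self, domain):
        # The domain itself first, then each parent up to Global.
        chain = []
        while domain is not None:
            chain.append(domain)
            domain = self.parents[domain]
        return chain

    def is_visible(self, defined_in, target):
        # Something defined in the target domain or one of its ancestors is accessible there.
        return defined_in in self.ancestors(target)

# Constructed device record: where each assigned policy/object is defined.
DEVICE = {
    "acp_domain": "Global",                 # shared ACP kept in Global, as recommended
    "health_domain": "Global/TenantA",
    "zones": {"inside": "Global/TenantA", "outside": "Global"},
    "ra_vpn_domain": "Global/TenantA",      # RA VPN policy configured in TenantA
    "s2s_vpn_domain": None,                 # no site-to-site VPN on this device
}

def preflight_move(tree, device, target):
    """Return the list of items that would need re-assignment or block the move."""
    issues = []
    if not tree.is_visible(device["acp_domain"], target):
        issues.append("access control policy not accessible in target; assign a new ACP")
    if not tree.is_visible(device["health_domain"], target):
        issues.append("health policy not accessible in target; choose a new health policy")
    for zone, zone_domain in device["zones"].items():
        if not tree.is_visible(zone_domain, target):
            issues.append(f"zone '{zone}' inaccessible in target; interfaces will be removed from it")
    if device["ra_vpn_domain"] and not tree.is_visible(device["ra_vpn_domain"], target):
        issues.append("target is not a descendant of the RA VPN policy's domain; move not allowed")
    if device["s2s_vpn_domain"] and device["s2s_vpn_domain"] != target:
        issues.append("site-to-site VPN configuration is not in the target domain")
    return issues

TREE = DomainTree(TREE_PARENTS)
```

Running `preflight_move(TREE, DEVICE, "Global/TenantA/Site1")` reports nothing, while a move to `Global/TenantB` flags the health policy, the `inside` zone and the RA VPN domain, which is the kind of check worth doing before touching a device in the UI.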
