07-14-2024 06:07 PM
Hello all, we are in the process of having a separate network for physical security devices added. This supports cameras, door sensors, etc. We don't want to put this on the same production network, and we don't wish to manage this ourselves.
The idea is to create a zone for this on our current FMC, which supports 4 FTDs in HA pairs: two locally and two at a remote site. I was wondering if it is possible to have two separate Access Control Policies residing on the FTDs? So we create a new ACP from the current one with all the lovely rules and push that down to the HA pairs of FTD 2130s, which we have currently but will probably upgrade to something else in another year.
The other plan is to simply create a zone for the new devices with a new subnet that doesn't overlap our production, with a currently unused port on the firewall provisioned for them. This is probably the easiest and recommended method.
07-15-2024 12:37 AM
It is not possible to assign two different ACP policies to an FTD. Only one ACP can be pushed. However, you can use the same ACP on several FTDs.
If you do not want to use the "production" ACP on this new FTD, then I suggest you create a copy of the production ACP and push that to the new FTD. That way any changes to the production ACP will not affect the new ACP.
07-15-2024 03:09 PM
I figured this would be the case. We aren't deploying a new FTD, just using the already deployed one. The first idea is to create a new zone, configure unused ports on the FTDs, and go from there.
Thank you.