
multiple Configuration Master on SMA

bastianhoss
Level 1

Hi community,

I'm looking for multiple Configuration Masters on SMA. Or contexts or something else.

Thank you.

6 Replies

Handy Putra
Cisco Employee

Hi,

The SMA appliance does do multiple configuration masters with multiple WSAs; however, you need to be aware of the below:

1. SMA will require the centralised configuration master feature key to be available and valid.

2. Depending on which version the SMA is running, certain SMA versions can only support certain configuration master versions. See below for the compatibility matrix for SMA with WSA and ESA:

http://www.cisco.com/c/dam/en/us/td/docs/security/security_management/sma/sma_all/SMA-ESA-WSA_Compatibility.pdf

Hi,

Thank you for supporting me in this case.

Multiple WSAs are manageable for sure. But not multiple (and different) configurations, right?

In the SMA appliance you can create multiple configuration master (CM) versions. For example, you can create CM 8.0 and also CM 7.7 and CM 8.7, and you can assign each CM to different WSA appliances; however, the version in each WSA needs to match the version of the CM that you assigned to it. Each CM can have different configurations.

There is another functionality that we have in SMA as well, if you are using a single CM for multiple WSA appliances. In the "Identity" configuration, when you add or edit the Identity configuration, you will have an option called "Include These Appliances" under the "Membership Definition" section, and from there you can select which WSA appliances you want this Identity configuration to apply to, or apply it to all WSA appliances.

Right... if you have multiple WSAs on version x, they all have to use the same configuration/configuration master, so they get the same config

You can have different configurations on different versions.

If you need different configs for several WSAs, you have to manage each set on its own SMA/SMAv

2018 now and this still appears to be the case.
It's not possible to have different configurations run on different WSAs that are on the same AsyncOS.

There is a way to have different configurations on different WSAs that are managed by a single SMA. I am not sure this is why Cisco created this feature, because most people I talk to that support the SMA seem to be unaware of this feature. When you create an Identity Policy, under Membership Definition you can select which WSA appliances this policy applies to. When you push policy you still push the policy to all WSAs, and only the appliances chosen here show the policy created.

 

I have done some basic testing with this, but have not done this in production as of yet. We are in a long term change for web proxy and when the time is right I am going to use this feature unless I can create a more uniform blanket policy across our different locations.