Create a Post
Showing results for 
Search instead for 
Did you mean: 

MDM and global policies with security zones

I have a MDM with 5 domains and a global domain.

I would like to use a single global policy in the global domain for all the MDM-server domains.
I would also like to use security zones in the policy - this requires that the security rules are only installed on the Firewall's where the referenced security zones are defined. Otherwise a install error will occur.
I have created the security zones in the global domain and attached these to the relevant Firewall interfaces (in the different domains).
I have created installOn_xyz_global dynamic network objects in the global domain and used these on the InstallOn column for the rules.
I have created installOn_xyz_global groups in the domains - representing the installOn groups for the different rules.
But if a firewall rule is to be installed on Firewall "abc" which is configured in domain 2 then the installOn_abc_global in domain 1 is empty (because the Firewall is not configured in domain 1). Then installOn_abc_global in domain 2 contains Firewall "abc".
But policy installation in domain 1 fails because the InstallOn contains a group (installOn_abc_global) which is empty - and you cannot have an empty group in the installOn column.
How to solve this?

One workaround I have found (but a rather ugly one), is to define a dummy Firewall object (a VPN Edge object) and add this the all the installOn_xyz_groups which are empty. Then I can install the global policy without errors.



2 Replies

Instead of using a installOn_xyz_global for each domain, you create one that you use in all domains, per domain you add the gateways within that domain which need the global Security Zones policy.

When you have domains that do not use the security zones you create a different Global  policy and assign that to those domains.

Regards, Maarten
0 Kudos

Yes, I know you can do it with multiple global polices, but my goal is to use a single global policy.