Create a Post
Showing results for 
Search instead for 
Did you mean: 

Global Policy Assignment Question for Multiple CMAs

Hello Everyone,

I noticed at work that we might not be following best practices for global rules hence the reason for this post. We have multiple CMAs for different regions. One for example is Europe and the other Asia. I noticed that the there are global rules setup for common domain controllers however the sources are defined as all global Europe and Asia networks going to a global DC group . Although everything works, this does not seem right to me. The firewall from Europe will check every packet arriving and waste resources trying to match the traffic to networks that do not exist behind it.  Let's say that a packet arrives destine for LDAP, the firewall will still look up all the sources [both Europe/Asia] to attempt a match when it really just needs to look up Europe networks.

Hope this makes sense so far.

The other one that I noticed is that we have two almost identical global rules. One has Asia networks as source and a mix of both Asia/Europe destination hosts. The other is the exact same but using Europe as the source. If rules are processed in order, this means that my Europe CMA firewalls will process the traffic against the first global rule which it will never match and then check it against the rule that is destine for its networks. This again is wasting resources.

My thoughts here and what I am thinking of suggesting is the following. Instead of sharing a single common global policy, only use the global groups. Separate the sites and use global groups within the CMAs where common hosts exists for both regions and not a shared rule in a global policy if part of the sources or destinations will never be matched. This to me seems like a better approach.

Sorry for the long post. Please let me know if more clarifications need to be provided.

0 Kudos
1 Reply

There is another way to do what you what you want. Create what is called some Dymanic global objects, groups in this case, that you can use in the global policy, where instead of creating 2 rules, which have the same function only different source and destination, you create 1 rule with the newly created global dynamic objects in them as source and destination. Naming forGlobal dynamic objects is ending in _global ie Regional_AD_servers_global

In the CMA itself you create a standard simple group with the exact same name as the dynamic object you created in the global rulebase. In the CMA you add the AD servers for that region into that group, it can be global objects or CMA local objects.

this way you can easily create a global rule that is more general than you would expect. We use this to allow access to specific devices or networks that need to be added into the global groups. 

In the global rules we have our management access control towards the FW's themselves, the SSH and GUI access is controlled to be allowed only from specific hosts and the destinations are set by the GBL.Gateways_global group where we add the FW's. I hope this helps and gives you a better idea how to control things in a more elegant way.

Regards, Maarten
0 Kudos