I have a MDM with 5 domains and a global domain.
I would like to use a single global policy in the global domain for all the MDM-server domains.
I would also like to use security zones in the policy - this requires that the security rules are only installed on the Firewall's where the referenced security zones are defined. Otherwise a install error will occur.
I have created the security zones in the global domain and attached these to the relevant Firewall interfaces (in the different domains).
I have created installOn_xyz_global dynamic network objects in the global domain and used these on the InstallOn column for the rules.
I have created installOn_xyz_global groups in the domains - representing the installOn groups for the different rules.
But if a firewall rule is to be installed on Firewall "abc" which is configured in domain 2 then the installOn_abc_global in domain 1 is empty (because the Firewall is not configured in domain 1). Then installOn_abc_global in domain 2 contains Firewall "abc".
But policy installation in domain 1 fails because the InstallOn contains a group (installOn_abc_global) which is empty - and you cannot have an empty group in the installOn column.
How to solve this?
One workaround I have found (but a rather ugly one), is to define a dummy Firewall object (a VPN Edge object) and add this the all the installOn_xyz_groups which are empty. Then I can install the global policy without errors.