Policy Objects - Are they global or per-network?

Solved
Brian_Scheele
Here to help


I am interested in turning on Policy Objects, but I am wondering if it is even worth it yet for how we are managing our networks.  Below is a simple set of firewall rules from a template covering 350 sites.  I have another 50 sites that just cannot be part of a template, and I have to use a more lengthy set of rules, all with CIDR notation.  I would love to just plug in my VLAN names and other objects using defined names instead.  VLAN names, like Management, Users, Wireless, Guests, etc. are going to be the same names at every site, but different IP ranges per network.

 

Can I have a policy object named "Management" that for Network A that covers 10.0.0.0/24, then another one called "Management" for Network B that covers 10.0.1.0/24, etc.?  Or would I be stuck with "Network A Management" and "Network B Management" when I start creating these?  I would love to just use the API to dump in firewall settings and not have to manipulate the data before it is uploaded.

 

[Image: Brian_Scheele_0-1623437179382.png, the screenshot of template firewall rules referred to above]

 

1 Accepted Solution
cmr
Kind of a big deal

@Brian_Scheele they are org wide, there is only Organization - Policy Objects. I think the use is more aimed at, say, access to central servers, where traffic from multiple networks to servers x, y and z is allowed; with policy objects you can define the server group once and re-use it.

 

Are you managing multiple ASAs on different sites through one console?


7 Replies
CptnCrnch
Kind of a big deal

Policy Objects are an Organization-wide feature.

Correct, but what I want to know is if I create an object and assign it an IP address or range specific to one network, and want to re-use that name in another network, I cannot use a different IP address or range?

 

The Meraki examples that explain how all this works shows an object name, Support, which is 192.168.1.0/24.  Suppose we have support in two buildings with a site-to-site VPN, and the second building also has Support, but with a different subnet.  Does that mean if I want to use an object called Support for that other network, I would have to call it Support 2?  

 

I have never managed any ASA firewalls and had an object whose name could not be assigned a different IP address on another ASA.  Why would I want my object names to be unique organization-wide?  For 50 sites, this will turn into Wireless01, Wireless02, ... WirelessN, and repeat it for every other object I want to create with unique IPs or subnets.  

 

I have not yet flipped the switch on this due to internal policy with betas in a production environment, so I don't have a way to navigate and test.

 

It seems like there should be both Network > Policy Objects and Organization > Policy Objects, and when applying objects to rules, some sort of notation could be displayed so an admin can differentiate them.


 


> @cmr wrote:
>
> @Brian_Scheele they are org wide, there is only Organization - Policy Objects. I think the use is more aimed at, say, access to central servers, where traffic from multiple networks to servers x, y and z is allowed; with policy objects you can define the server group once and re-use it.
>
> Are you managing multiple ASAs on different sites through one console?


Yes and No.  I use ASDM, which just has multiple saved connections to multiple ASAs, or SSH, but never to more than one ASA at a time, and there is no central repository of objects.  If they have/had a central object repository, it would make life nice, sort of like what Meraki is doing with Policy Objects.  It seems like they missed an opportunity here, but it is still helpful. 

 

From what everyone has responded, it seems like I can make it work, but I would just need to be careful not to accidentally give some random vendor, service, etc. access to multiple sites. If Users can talk to Printers in one network, then it is quite likely they can talk to printers in any network, and a group object of Printers covering multiple sites is fine. If a vendor needs access to something in Management, then I get more granular, not just grant access to Management itself, but instead to the exact resources needed.

 

The more I think of it, this is probably a good way to go the way it is designed. Create my objects, assign them to groups, apply rules, policies, etc. - whatever Meraki has enabled so far - to those groups. Not much different than with an ASA...

I always prefix the object with a network identifier, and if there are multiple networks with similar objects I put them in a group. But yes, for templated networks, an override feature would be nice.

>Correct, but what I want to know is if I create an object and assign it an IP address or range specific to one network, and want to re-use that name in another network, I cannot use a different IP address or range?

 

You cannot do that.

 

You can create a group called Management and add all the management subnets to it.

GIdenJoe
Kind of a big deal

I personally also use prefixes to differentiate between networks from different branches.

NET_BR1_PRINTERS, HOST_DC1_ESX01, HOST_PUB_GOOGLEDNS-1
And in groups: NETS_BR1_LANS, NETS_ORG_LAN
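The naming and grouping approach discussed in this thread, as an added example that is not code from the thread or from Meraki: it builds org-wide unique object names from per-site VLAN subnets using a hypothetical NET_<site>_<vlan> / NETS_ORG_<vlan> convention, rewrites CIDR-based template rules to object references, and flags allow rules whose destination group spans several sites (the multi-site exposure concern raised above). It does not call the Dashboard API; the site data and rule format are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the same VLAN names at every site, a different subnet per site.
SITES = {
    "BR1": {"Management": "10.0.0.0/24", "Printers": "10.0.20.0/24"},
    "BR2": {"Management": "10.0.1.0/24", "Printers": "10.1.20.0/24"},
}

def object_name(site, vlan):
    # Hypothetical convention modelled on the prefixes used in the thread (NET_BR1_PRINTERS).
    return f"NET_{site}_{vlan.upper()}"

def group_name(vlan):
    # One org-wide group per VLAN role, e.g. NETS_ORG_PRINTERS.
    return f"NETS_ORG_{vlan.upper()}"

def build_objects(sites):
    """Return (objects, groups, site_of): object name -> CIDR, group name -> member
    object names, object name -> site. Names are checked for org-wide uniqueness
    because policy objects live at the organization level, not per network."""
    objects, groups, site_of = {}, defaultdict(list), {}
    for site, vlans in sites.items():
        for vlan, cidr in vlans.items():
            ipaddress.ip_network(cidr)  # raises ValueError on a malformed subnet
            name = object_name(site, vlan)
            if name in objects:
                raise ValueError(f"duplicate org-wide object name: {name}")
            objects[name] = cidr
            site_of[name] = site
            groups[group_name(vlan)].append(name)
    return objects, dict(groups), site_of

def rewrite_rule(rule, objects):
    """Swap CIDR src/dst in a template-style rule for the matching object name, if any."""
    by_cidr = {cidr: name for name, cidr in objects.items()}
    return {**rule,
            "src": by_cidr.get(rule["src"], rule["src"]),
            "dst": by_cidr.get(rule["dst"], rule["dst"])}

def cross_site_allows(rules, groups, site_of):
    """Return comments of allow rules whose destination is a group spanning more than one
    site: such a rule grants the source reach into every site's subnet, not just its own."""
    flagged = []
    for rule in rules:
        members = groups.get(rule["dst"], [])
        if rule["policy"] == "allow" and len({site_of[m] for m in members}) > 1:
            flagged.append(rule["comment"])
    return flagged
```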
