Global ADOM objects - must they be referenced by a global policy to be used in an ADOM?

Question

Is it possible to use an object defined in the Global ADOM / Global Database within an ADOM without that object being referenced by a global policy?

We put all VIPs for a given customer into a VIP group with a predictable name. But there is no function in FMG to map a Global-level VIP group to multiple ADOMs - or some type of wild-card VIP group that automatically contains all VIPs. So I was hoping I could at least re-use the same address/service groups across all ADOMS.

ergotherego · Answer

Looks like there is a way, but doesn't actually work in 5.4.1 for me.

In FMG if you go to:

Global > Policy Packages > Assign Selected (in the menu bar)

It will pop up with a window and you have the option to "Assign ALL Objects".

However, it generates errors due to service categorization overlaps:

Device level already has object fw_srv_category:Network Services Device level already has object fw_srv_category:Web Access Device level already has object fw_srv_category:General Device level already has object fw_srv_category:Email

A work-around is to group all of your Global addresses into one master group, then do the same with services. Then create a Footer Policy referencing those two groups, and set the policy to deny traffic. That way you can push all Global objects you care about into whatever ADOMs you want to without affecting traffic.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded