02-11-2024 09:20 PM
I have been looking at the best approach to push a rule to multiple sites, but using a different value for the source address object at each site. For example, allow http from the users subnet to the internet, and the users subnet is different for each site.
It looks like a single rule can be created and pushed to all the sites, then the value of the source "users" subnet can be overridden at each site as needed.
Alternatively, the rule can be pushed to a device group containing all the sites, and then an object of the same name can be created in child device groups with the appropriate value.
Essentially, using object inheritance, or object override.
Is one of these approaches best practice and why, or is it use case specific?
Thanks team
02-12-2024 02:37 AM
I would advise against the local override option as that will inevitably lead to problems/confusions/accidents.
Relying on inheritance is a good approach as that's predictable and controlled from Panorama.
02-12-2024 01:21 PM
Thanks for the reply! I did a bit of testing; it looks like if you have an object of the same name created in a parent device group and a child device group, the value on the child device group automatically has the overridden icon and the child device group value is used. (This may be different between versions.)
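An added example, not from any poster in this thread and not Panorama's API: a simplified Python model of the behaviour reported in the last reply, where a same-named object in a child device group takes precedence over the parent's. It resolves the effective value per site and reports which groups shadow an ancestor's object, which also exposes sites that silently fall back to the parent value. All group names, object names and subnets are constructed.

```python
# Simplified model of device-group object resolution (not Panorama's API).
# All group names, object names and subnets below are constructed samples.

PARENTS = {            # child device group -> parent device group
    "all-sites": "shared",
    "site-a": "all-sites",
    "site-b": "all-sites",
    "site-c": "all-sites",
}

OBJECTS = {            # device group -> {address object name: value}
    "shared": {},
    "all-sites": {"users": "10.0.0.0/24"},
    "site-a": {"users": "10.1.10.0/24"},
    "site-b": {"users": "10.2.10.0/24"},
    "site-c": {},      # no local definition: inherits the parent's value
}


def ancestry(group):
    """Return the chain from group up to the root, nearest first."""
    chain = [group]
    while chain[-1] in PARENTS:
        chain.append(PARENTS[chain[-1]])
    return chain


def resolve(group, name):
    """Return (value, defining_group); the nearest definition wins."""
    for g in ancestry(group):
        if name in OBJECTS.get(g, {}):
            return OBJECTS[g][name], g
    raise KeyError(f"{name!r} is not defined for {group!r} or its ancestors")


def shadow_report(name):
    """List groups that redefine name on top of an ancestor's definition."""
    report = []
    for group in OBJECTS:
        if name not in OBJECTS[group]:
            continue
        for anc in ancestry(group)[1:]:
            if name in OBJECTS.get(anc, {}):
                report.append((group, OBJECTS[group][name], anc, OBJECTS[anc][name]))
                break
    return report


if __name__ == "__main__":
    for site in ("site-a", "site-b", "site-c"):
        print(site, resolve(site, "users"))
    print(shadow_report("users"))
```

In this sample, `site-c` resolves to the parent's value, so a rule using `users` there would match the placeholder subnet rather than a site-specific one.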