Tom has been asked to add a rule that applies only to the perimeter firewalls, and not the internal
firewalls, of all the customers managed by Multi-Domain Management with Provider-1. He sees
that there is one single global policy assigned to all the customers and is very happy that he will
just have to add one rule in that global policy, then reassign and install the policy to all the
customers at once. While doing so, he realizes that this action will also install the rule on the
internal firewalls managed by the CMAs. He’s afraid that he will now have to put the rule in each
individual policy applied to perimeter gateways. Is he right, or is there a better way?
A. He can create a single rule in the global policy with install on policy targets. While reassigning
the policy to the customers, there is a button on the right side, Select Groups; he can select that
button and designate the perimeter gateways for each customer.
B. He is right, there is no other way to do it.
C. He can create a single rule in the global policy with a dynamic object with _global suffix in the
Install On column. Then at each CMA, he can create a group with the same name as the dynamic
object and include the perimeter gateway in that group. Reassigning and installing the policy to all
customers will only install the rule to the perimeter gateway.
D. He can create a single rule in the global policy and use the negate option in the Install On
column to exclude all the internal firewalls.
Explanation: