Cisco Support Community
New Member

CSA 5.2 - Assigning Groups

When adding hosts to a group, for example, does a SQL Server get both SQL Server Group and Servers - All Types assigned or is the SQL Server Group good enough? Also, is it best to use the default group or clone the group/s?

Thanks,

Adam

5 REPLIES
Blue

Re: CSA 5.2 - Assigning Groups

For #1 I use both groups since they have different policies. That way they have common Windows server and SQL-specific protections.

#2 depends on your preferences.

I leave them in the default groups and make changes to exception rule modules and policies.

Makes upgrades and patching easier.

Tom

New Member

Re: CSA 5.2 - Assigning Groups

Exactly, I'm just looking to make upgrades easy. You will create new policies and rules under the Default Groups, correct?

Thanks,

Adam

Blue

Re: CSA 5.2 - Assigning Groups

I create them for the default groups but put them in a separate policy. This keeps the groups clean for upgrade simplicity (usually).

Tom

New Member

Re: CSA 5.2 - Assigning Groups

So, just so I understand what you are doing: you use the default groups and then create NEW rules that get attached to the NEW Policy. Once they're all created, the new policy gets attached to the default group, correct? I'm just trying to simplify the upgrade/hotfix process.

Thanks and sorry for it being so wordy.

Adam

Blue

Re: CSA 5.2 - Assigning Groups

Adam,

That's pretty much how I do it. The exceptions are when it makes more sense to exclude an application class from certain rules rather than create an exception.

This way it only has to process it once.

I still have to go through the rules, modules and policies after every upgrade to make sure the exceptions still apply.

Fortunately that happens only a couple of times a year and it's usually immediately apparent if the exceptions aren't working.

Tom
