Cisco
ASA
- Access Requests
- Device object selection
- Modify Group
- Designer
- Syntax-based change
- Provisioning
- Provisioning in automatic step
- Create/modify group
- Add Access
- Risk Analysis
- Designer
- Verifier
- Syntax-based change instructions
- Provisioning
- Provisioning in automatic step
- Authorization and documentation
- Auto close
- Remove Access
- Designer
- Syntax-based change instructions
- Provisioning
- Provisioning in automatic step
- Decommission Network Object
- Impact Analysis
- Designer
- Provisioning
- Verifier
- Syntax-based commands
- Authorization and documentation
- Clone Network Object Policy
- Designer
- Provisioning (or) Provisioning and Committing
- Verifier
- Rule Decommission
- Designer
- Provisioning
- Provisioning in automatic step
- Verifier, Authorization and documentation
- Auto close
- Rule Modification
- Device object selection (object browser)
- Provisioning
- Syntax-based commands
- Rule Recertification
- Update metadata
Notes for ASA:
- By default, Designer adds network addresses and services inline in rules or groups. To configure Designer to suggest network and service objects, see Setting Designer to Create Objects on Cisco ASA.
Firewall Management Center (FMC)
These features are also supported for cloud-delivered Firewall Management Center.
- Modify Group
- Designer
- Provisioning
- Provisioning in automatic step
- Create/modify group
- Add Access
- Risk Analysis
- Designer
- Provisioning
- Provisioning in automatic step
- Verifier
- Authorization and documentation
- Decommission Network Object
- Impact Analysis
- Designer
- Provisioning
- Verifier
- Authorization and documentation
- Clone Network Object Policy
- Designer
- Provisioning (or) Provisioning and Committing
- Verifier
- Rule Decommission
- Designer
- Provisioning
- Verifier
- Authorization and documentation
- Rule Recertification
- Rule Modification
- Device object selection (object browser)
- Provisioning
- Rule Recertification
- Update metadata
Notes for FMC:
- Add Access - Designer and Verifier are supported for tickets in Topology mode.
- Access Request - Support for FMC Zones in non-topology mode.
- Modify Group and Decommission Network Object support shared groups/global objects.
- Overriding objects are not supported for Decommission Network Object and Clone Network Object Policy. They are treated as regular objects.
- Provisioning is supported for FMC 6.2.3.
- In workflows in which topology is enabled, in the Workflow Properties dialog:
  - If topology is enabled, path analysis now takes Cisco Network Zones into account.
  - If topology is disabled, when the handler selects the Source and Destination devices, the Advanced Options dialog box will display all possible Cisco Network Zone combinations.
IOS L3 Switch (IOS or IOS XE)
- Access Requests
- N/A
- Add Access
- N/A
- Clone Server
- N/A
- Modify Group
- N/A
- Remove Access
- N/A
- Rule Decommission
- Rule submission from Policy Browser
- Update metadata
- Rule Modification
- Rule submission from Policy Browser
- Rule Recertification
- Update metadata
- Decommission Network Object
- N/A
IOS-XR
- Access Requests
- Manual target selection
- Device object selection
- Modify Group
- Create/modify group
- Add Access
- Risk Analysis
- Verifier
- Designer
- Authorization and documentation
- Auto close
- Remove Access
- Verifier
- Decommission Network Object
- Impact Analysis
- Verifier
- Rule Recertification
- Update metadata
Meraki
- Access Requests
- Select Meraki as target and auto-target in the Access Request
- Run Verifier on Meraki
- Run Designer on Meraki
- Show Verifier results for Meraki
- Show Designer results for Meraki
Nexus
- Access Requests
- Manual target selection
- Device object selection
- Modify Group
- Create/modify group
- Add Access
- Risk Analysis
- Verifier
- Designer
- Provisioning
- Provisioning in automatic step
- Authorization and documentation
- Auto close
- Remove Access
- Verifier
- Decommission Network Object
- Impact Analysis
- Verifier
- Rule Recertification
- Update metadata
Notes for Nexus:
- When running Designer on a Nexus device, it is recommended to avoid changing the default group names given by Designer for new groups. This is to avoid ambiguity, because Nexus can have the same group name for multiple groups, per protocol type. If you must rename the default group name given by Designer, take extra care not to override it by choosing an existing group name.
Routers (IOS or IOS XE)
- Access Requests
- Manual target selection
- Device object selection
- Add Access
- Risk Analysis
- Designer
- Syntax-based change instructions
- Provisioning
- Provisioning in automatic step
- Verifier
- Authorization and documentation
- Auto close
- Remove Access
- Designer
- Syntax-based change instructions
- Provisioning
- Provisioning in automatic step
- Verifier
- Rule Decommission
- Verifier
- Authorization and documentation
- Auto close
- Decommission Network Object
- Impact Analysis
- Designer
- Provisioning
- Verifier
- Rule Recertification
- Update metadata
Zone-based Firewalls
- Access Requests
- Manual target selection
- Add Access
- Verifier
- Authorization and documentation
- Auto close
- Rule Decommission
- Update metadata