In an environment where you may have cloud-based managers such as AWS or GCP interacting with on-premises datacenters, it
is crucial to be able to share objects within policies to protect your environment. Shared objects make it easy to maintain
policies because you can modify an object in one place and that change affects all the other policies that use that object.
Without shared objects, you would need to modify all the policies individually that require the same change.
Note that sharing objects is only supported when you deploy an access control policy that allows traffic from your cloud-based
datacenter. Ensure that your policy includes, or excludes, instances or attributes from your third-party datacenter.
Multicloud Defense has the capability to communicate with either a datacenter or a cloud platform, ensuring your policies for security can be
managed anywhere.
Static Objects
Static objects are shared between Multicloud Defense and CDO through a secure VPN tunnel. This allows you to create and share objects that maintain the same IP address or FQDN within
a hybrid environment.
When looking at a shared object, Multicloud Defense shows you the contents of the object in the object table. Shared objects have exactly the same contents. Multicloud Defense shows you a combined or "flattened" view of the elements of the object in the details pane. Notice that in the details pane,
the network elements are flattened into a simple list and not directly associated with a named object.
If you opt to delete an object that is shared, the deletion only occurs in Multicloud Defense. The object continues to exist within CDO.
Dynamic Objects
A dynamic object is an object that specifies one or many IP addresses that are shared between Multicloud Defense and CDO Unlike most other objects, dynamic objects do not have to be deployed to managed devices to take effect; any changes made
to the original object, whether it originates from Multicloud Defense or not, is updated in real time and changes are immediately pushed with the next official deployment.
You must create a connector in CDO and attach the connector to an applicable policy to enable this feature and then import objects to see them in the Multicloud Defense Controller. See About the Multicloud Defense Connector for more information.
Sharing Objects with CDO
When you share objects with CDO they are automatically translated into network objects. This does not affect the original state of the object in Multicloud Defense. If you happen to share dynamic objects there is the option to preserve the original values of the object by creating an
override value. An object override allows you to override the value of a shared network object on specific devices. See Object Overrides for more information.
Note
|
Objects cannot be shared with cloud-delivered Firewall
Management Center.
|