Objects

In an environment where you may have cloud-based managers such as AWS or GCP interacting with on-premises datacenters, it is crucial to be able to share objects within policies to protect your environment. Shared objects make it easy to maintain policies because you can modify an object in one place and that change affects all other policies that use that object. Without shared objects, you would need to modify all the policies individually that require the same change.

Multicloud Defense shows you a combined or "flattened" view of the elements of the object in the details pane. Notice that in the details pane, the network elements are flattened into a simple list and not directly associated with a named object.

Note that sharing objects is only supported when you deploy an access control policy that allows traffic from your cloud-based datacenter. Ensure that your policy includes, or excludes, instances or attributes from your third-party datacenter.

Multicloud Defense can communicate with either a datacenter or a cloud platform, so your security policies can be managed anywhere.

Static Objects

Static objects specify unchanging IP addresses, subnets, or specific firewall rules to provide predictable and stable configurations, which can be important for compliance and security purposes. In a cloud environment, this allows you to create and share objects that maintain the same IP address or FQDN within a hybrid environment.

If you choose to delete a shared object, Multicloud Defense deletes it only from its system. The object continues to exist within Security Cloud Control.

Dynamic Objects

In contrast, dynamic objects do not have to specify an IP address at all. Dynamic objects are adaptable configurations that automatically adjust to varying conditions or environments. They allow firewalls to respond to real-time events without requiring manual intervention.

You can also tag resources and use them as objects to create a more fine-tuned ruleset within your policy. This level of flexibility within a cloud environment allows the system to adjust for you based on real-time data and can result in reduced maintenance.

Sharing Objects with Security Cloud Control

Customers who provision Multicloud Defense after August 6, 2025 and want to use Object Sharing will need to contact Cisco Technical Assistance Center (Cisco TAC) to enable this feature.

When you share objects with Security Cloud Control, they are automatically translated into network objects. This does not affect the original state of the object in Multicloud Defense.

To configure object sharing between Multicloud Defense and Security Cloud Control, you must create a connector in Security Cloud Control and attach the connector to an applicable policy to enable this feature, and then import objects to see them in the Multicloud Defense Controller. See About the Multicloud Defense Connector for more information.

If you share dynamic objects, you have the option to preserve the original values of the object by creating an override value. An object override allows you to override the value of a shared network object on specific devices. See Object Overrides for more information.


Note: Objects cannot be shared with Cloud-Delivered Firewall Management Center.


About the Multicloud Defense Connector

You can optionally send address objects from Cisco Multicloud Defense to the configured Cloud-Delivered Firewall Management Center using a Cisco Secure Dynamic Attributes Connector. A connector is responsible for gathering dynamic data (such as IP addresses) and streaming them to the Cloud-Delivered Firewall Management Center so they can be used in access control policies.

For more information about Multicloud Defense objects, see the Address Objects chapter and address object API documentation.

For more information about the Multicloud Defense Connector, see Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Security Cloud Control.

Import Objects From Security Cloud Control


Note: You do not have to enable dynamic sharing in the Security Cloud Control dashboard to import objects to Multicloud Defense.


Use the following procedure to manually import Security Cloud Control objects into Multicloud Defense using the Multicloud Defense Controller dashboard:

Procedure


Step 1: Log into Security Cloud Control and in the left pane, click Multicloud Defense.

Step 2: Click Multicloud Defense Controller located in the upper right to cross-launch into the controller dashboard.

Step 3: Navigate to Policies > Security Policies > Addresses.

Step 4: Click Import Objects.

Step 5: From the pop-up window of Security Cloud Control objects, scroll or use the search bar to locate an individual object.

Note: Objects with names that contain "." are not supported by Multicloud Defense at this time. Attempting to share or import objects with periods in their name results in an error message.

Step 6: Select the object so it is highlighted and click Import. You can click Cancel at any point to back out of the action.


What to do next

Allow a few minutes for Multicloud Defense to communicate with Security Cloud Control and synchronize the object you imported. From the Security Cloud Control dashboard you will be able to see an updated shared object count in the "Multicloud Defense Shared Object" widget.
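
As an added illustration (not Cisco code and not part of the original documentation), the Python example below shows what the flattened view described earlier means for nested objects, and pre-checks object names against the period restriction noted in Step 5. The object layout, names and addresses are constructed for the example; they are not a Multicloud Defense or Security Cloud Control export format.

```python
import ipaddress

# Constructed sample: object name -> members. A member is either a literal
# (IP, CIDR, FQDN) or the name of another object in this dictionary.
OBJECTS = {
    "web-servers": ["10.1.0.0/24", "10.1.1.10"],
    "db-servers": ["10.2.0.5", "db01.example.internal"],
    "dc-east": ["web-servers", "db-servers", "10.1.1.10"],
    "legacy.dmz": ["192.0.2.0/28"],        # period in the object name
    "loop-a": ["loop-b"],
    "loop-b": ["loop-a", "198.51.100.7"],  # circular reference
}

def normalize(value):
    """Canonical text form of an IP or CIDR; anything else is treated as an FQDN."""
    for parse in (ipaddress.ip_address,
                  lambda v: ipaddress.ip_network(v, strict=False)):
        try:
            return str(parse(value))
        except ValueError:
            pass
    return value.lower().rstrip(".")

def flatten(name, objects, _path=()):
    """Expand nested objects into one de-duplicated list of literals."""
    if name in _path:
        raise ValueError("circular reference: " + " -> ".join(_path + (name,)))
    flat = []
    for member in objects[name]:
        if member in objects:   # reference to another named object
            items = flatten(member, objects, _path + (name,))
        else:                   # literal element
            items = [normalize(member)]
        flat.extend(i for i in items if i not in flat)
    return flat

def import_report(objects):
    """Split objects into those ready to import and those to fix first."""
    ready, rejected = {}, {}
    for name in objects:
        if "." in name:
            rejected[name] = "name contains a period"
            continue
        try:
            ready[name] = flatten(name, objects)
        except ValueError as exc:
            rejected[name] = str(exc)
    return ready, rejected

if __name__ == "__main__":
    for bucket in import_report(OBJECTS):
        print(bucket)
```

Reviewing the flattened list before import shows exactly which addresses a policy will match once the object names are no longer visible in the details pane.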