
Monday, March 27, 2017

Convert Check Point Global Policy Rules and Global Objects imported into SMS, to local objects and rules

In the unlikely event that you are handed a database export of a CMA to import into a SmartCentre server (SMS), and that CMA has global objects and a global policy assigned, you will need to unlock those objects and rules for editing.

As you know, the problem with Global Policy and Global Objects is that once they are assigned to a CMA, you cannot edit them at the CMA level. The same applies to the imported policy and objects on the SMS.

In this example I am not going to delete the global objects or the firewall rules; I am going to put them into an editable state. Once they are editable, you can delete them as well.

A few notes on the global objects on the SMS (I am only going to talk about network objects here):

  • They have a different icon assigned to them, and 
  • you cannot edit them :)
So to convert them to local objects we are going to edit the objects_5_0.C file in the $FWDIR/conf directory on the SMS. (Make a copy of this file before you proceed.)

Open the file with your favourite text editor (vi in my case), search for the object name and look for these two properties in its definition:
  • icon
  • global_level
To make it a local object, either remove the line :global_level(1) from the object definition or change it to :global_level(0).
To change the icon of the object, remove the "_G" at the end of the icon name. For instance, for a Host object you will see the property as:
:icon ("NetworkObjects/Nodes/Host_G")
and the modified value would be:
:icon ("NetworkObjects/Nodes/Host")


This converts the object to a local object, and you can modify or delete it as you wish.

Now let's deal with the policy.

All the firewall policies are stored in the file rulebases_5_0.fws in $FWDIR/conf. (Make a copy of this file before you proceed.)
Open rulebases_5_0.fws with your favourite editor (vi in my case).

You can see all the policy packages defined there. Let's assume you have only one policy package plus the global policy.

Locate the start of the policy package you are working on. It starts with:
:rule-base ("##
followed by the policy package name, for instance:
:rule-base ("##Standard"

All the rules that came from the global policy (located at either the start or the end of the policy package) have the :global_level(1) value set.
To make these rules local, either delete that line or change the value to :global_level(0).

Now the rules are local and you can modify or delete them.

OK, now comes the interesting part. Although you have converted the rules in the current policy package to local rules, any new policy package you create will still have the global policy assigned.

So how do we get rid of this? Glad you asked :).

For this, we need to delete the Global Policy package from the rulebases_5_0.fws file: remove the whole package definition, i.e. everything from the line

:rule-base ("##Global_Rules_Container"

down to the parenthesis that closes it.

Once you are done editing, issue cpstop;cpstart to reload the database.

OK now we are done. Or are we???

Go ahead and log in to the SMS with SmartDashboard and open the policy package you were working with.

Did you notice something in the title bar? Assigned Global Policy: Policy Package Name.

Hmm.... How do we get rid of this?

For this we have to go back to our good old friend, the objects_5_0.C file. (Make sure you make a copy of this file before you proceed.) Edit objects_5_0.C and locate the object definition of the SMS (in this case the imported CMA).
Among the object's properties (there are a lot of them) you will find:
:gp_name (Global policy package name)

For instance :gp_name (Standard)

Delete the value within the parentheses, leaving :gp_name ().

Save the changes and issue cpstop;cpstart again. After the restart, open the package once more in SmartDashboard: the title bar should no longer show an assigned global policy, and the converted objects should carry the normal icons and be editable.
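As an added example (my own script, not code from the original post), here is a POSIX shell version of the four edits above done with sed and awk instead of by hand: global_level 1 to 0, the "_G" icon suffix stripped, gp_name emptied, and the Global Policy rule-base container removed. It assumes the ":key (value)" syntax shown in the post (with or without a space before the opening parenthesis) and treats an icon name ending in "_G" as the global-object marker; the object names, addresses and rule names in the embedded samples are constructed for the demo, not real export data. Run it after cpstop, with no SmartDashboard session open, and on a copy of the file first; the in-place wrapper keeps a timestamped backup beside each file it rewrites.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions (mine): Check Point
# database files use the ":key (value)" syntax shown in the post, and an icon
# name ends in "_G" only for global objects.

# Rewrite the three global markers, stdin -> stdout:
#   :global_level (1) -> (0), strip "_G" from icon names, empty :gp_name (...)
localize_globals() {
    sed -e 's/\(:global_level[[:space:]]*\)(1)/\1(0)/' \
        -e 's/\(:icon[[:space:]]*("[^"]*\)_G")/\1")/' \
        -e 's/\(:gp_name[[:space:]]*(\)[^)]*)/\1)/'
}

# Delete one whole :rule-base ("<name>" ... ) block, stdin -> stdout, by tracking
# parenthesis depth from the line that opens it. Assumes no unbalanced parentheses
# inside quoted strings within that block (true here; check real files).
drop_rulebase() {
    awk -v name="$1" '
        BEGIN { skipping = 0; depth = 0 }
        {
            if (!skipping && index($0, ":rule-base (\"" name "\"") > 0) {
                skipping = 1; depth = 0
            }
            if (skipping) {
                depth += gsub(/[(]/, "(")
                depth -= gsub(/[)]/, ")")
                if (depth <= 0) skipping = 0
                next
            }
            print
        }'
}

# In-place wrapper: timestamped backup first, then rewrite. Second argument
# (optional) is a rule-base name to drop, e.g. '##Global_Rules_Container'.
localize_file() {
    f="$1"
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$f.tmp.$$"
    if [ "$#" -gt 1 ]; then
        drop_rulebase "$2" < "$f" | localize_globals > "$tmp"
    else
        localize_globals < "$f" > "$tmp"
    fi && cat "$tmp" > "$f" && rm -f "$tmp"
}

# Constructed samples in the same syntax (not real exported data).
SAMPLE_OBJECTS=':network_objects (
    : (GlobalWebServer
        :type (host)
        :ipaddr (10.1.1.10)
        :icon ("NetworkObjects/Nodes/Host_G")
        :global_level (1)
    )
    : (LocalDbServer
        :type (host)
        :ipaddr (10.1.1.20)
        :icon ("NetworkObjects/Nodes/Host")
    )
    : (imported-cma
        :type (host)
        :icon ("NetworkObjects/Nodes/Host")
        :gp_name (Standard)
    )
)'
SAMPLE_RULEBASES=':rule-base ("##Standard"
    :rule (
        :name (Allow-Web)
        :global_level (1)
        :action (accept)
    )
    :rule (
        :name (Local-Rule)
        :action (drop)
    )
)
:rule-base ("##Global_Rules_Container"
    :rule (
        :name (Global-Cleanup)
        :global_level (1)
        :action (drop)
    )
)'

# Dry run on the samples:
#   printf '%s\n' "$SAMPLE_OBJECTS" | localize_globals
#   printf '%s\n' "$SAMPLE_RULEBASES" | drop_rulebase '##Global_Rules_Container' | localize_globals
# On the real files, after cpstop and a backup:
#   localize_file "$FWDIR/conf/objects_5_0.C"
#   localize_file "$FWDIR/conf/rulebases_5_0.fws" '##Global_Rules_Container'
```

The sed pass is deliberately narrow: it only touches the three properties the post names, so unrelated lines of the database survive byte for byte. The awk pass removes the container by counting parentheses rather than by line range, because the length of the global package differs from one export to the next. Diff the rewritten file against the backup before cpstart to confirm nothing else moved.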