Recommended Usage for FlexConfig Policies

There are two main recommended uses for FlexConfig:

  • You are converting from ASA to threat defense, and there are compatible features you are using (and need to continue using) that management center does not directly support. In this case, use the show running-config command on the ASA to see the configuration for the feature and create your FlexConfig objects to implement it. Experiment with the object’s deployment settings (once/every time and append/prepend) to get the right setting. Verify by comparing show running-config output on the two devices.

  • You are using threat defense but there is a setting or feature that you need to configure, for example, because the Cisco Technical Assistance Center tells you that a particular setting should resolve a specific problem you are encountering. For complicated features, use a lab device to test the FlexConfig and verify that you are getting the expected behavior.
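
The verification step in the first bullet, comparing show running-config output on the two devices, can be scripted. The following is an added example, not Cisco's code: it flattens saved output into full command paths and reports, for the feature prefixes you choose, commands present on one device but not the other. The function names and both sample configurations are constructed for illustration.

```python
# Added example: scoped comparison of saved "show running-config" output.
# ASA_SAMPLE and FTD_SAMPLE are constructed lab configurations.

ASA_SAMPLE = """\
: Saved
hostname asa-lab
sysopt connection tcpmss 1380
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
!
"""

FTD_SAMPLE = """\
hostname ftd-lab
sysopt connection tcpmss 1380
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp
"""

def flatten(config_text):
    """Turn indented running-config text into a set of full command paths."""
    paths, stack = set(), []  # stack holds (indent, command) for open modes
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip()[0] in "!:":
            continue  # skip blank lines, "!" separators and ": Saved" headers
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sub-modes that ended before this line
        stack.append((indent, line.strip()))
        paths.add(" > ".join(cmd for _, cmd in stack))
    return paths

def compare_feature(asa_text, ftd_text, prefixes):
    """Compare only commands whose top-level path starts with a prefix."""
    def pick(paths):
        return {p for p in paths if p.startswith(tuple(prefixes))}
    asa, ftd = pick(flatten(asa_text)), pick(flatten(ftd_text))
    return {"missing_on_ftd": sorted(asa - ftd), "extra_on_ftd": sorted(ftd - asa)}

if __name__ == "__main__":
    print(compare_feature(ASA_SAMPLE, FTD_SAMPLE, ["policy-map global_policy", "sysopt"]))
```

Limiting the comparison to chosen prefixes keeps the check on the feature you deployed through FlexConfig, since the two platforms' full configurations are not expected to match.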

The system includes a set of predefined FlexConfig objects that represent tested configurations. If the feature you need is not represented by these objects, first determine if you can configure an equivalent feature in standard policies. For example, the access control policy includes intrusion detection and prevention, HTTP and other types of protocol inspection, URL filtering, application filtering, and access control, which the ASA implements using separate features. Because many features are not configured using CLI commands, you will not see every policy represented within the output of show running-config.

Note

At all times, keep in mind that there is not a one-to-one overlap between ASA and threat defense. Do not attempt to completely recreate an ASA configuration on a threat defense device. You must carefully test any feature that you configure using FlexConfig.