Predefined FlexConfig Objects
The predefined FlexConfig objects provide tested configurations for select features. Use these objects if you need to configure these features, which otherwise cannot be configured using the management center.
The following table lists the available objects. Make note of the associated text objects. You must edit these text objects to customize the behavior of the predefined FlexConfig object. The text objects make it possible for you to customize the configuration using the IP addresses and other attributes required by your network and device.
If you need to modify a predefined FlexConfig object, copy the object, make changes to the copy, and save it with a new name. You cannot directly edit a predefined FlexConfig object.
Although you might be able to configure other ASA-based features using FlexConfig, the configuration of those features has not been tested. If an ASA feature overlaps with something that you can configure in management center policies, do not attempt to configure it through FlexConfig.
For example, Snort inspection includes the HTTP protocol, so do not enable ASA-style HTTP inspection. (In fact, you cannot add http to the enableInspectProtocolList object. In this case, you are prevented from misconfiguring your device.) Instead, configure the access control policy to perform application or URL filtering, as needed, to implement your HTTP inspection requirements.
FlexConfig Object Name | Description | Associated Text Objects |
---|---|---|
Default_Inspection_Protocol_Disable | Disables protocols in the global_policy default policy map. | disableInspectProtocolList |
Default_Inspection_Protocol_Enable | Enables protocols in the global_policy default policy map. | enableInspectProtocolList |
Inspect_IPv6_Configure | Configures IPv6 inspection in the global_policy policy map, logging and dropping traffic based on IPv6 header contents. | IPv6RoutingHeaderDropLogList, IPv6RoutingHeaderLogList, IPv6RoutingHeaderDropList |
Inspect_IPv6_UnConfigure | Clears and disables IPv6 inspection. | — |
ISIS_Configure | Configures global parameters for IS-IS routing. | isIsNet, isIsAddressFamily, isISType |
ISIS_Interface_Configuration | Interface level IS-IS configuration. | isIsAddressFamily, IsIsIntfList. Also uses the system variable SYS_FTD_ROUTED_INTF_MAP_LIST. |
ISIS_Unconfigure | Clears the IS-IS router configuration on the device. | — |
ISIS_Unconfigure_All | Clears the IS-IS router configuration from the device, including the router assignment from the device interface. | — |
NGFW_TCP_NORMALIZATION | Modifies the default TCP normalization configuration. | — |
Policy_Based_Routing | To use this example configuration, copy it, modify the interface name, and use the r-map-object text object to identify a route map object in the object manager. | — |
Policy_Based_Routing_Clear | Clears Policy Based Routing configurations from the device. | — |
Sysopt_AAA_radius | Ignores the authentication key in RADIUS accounting responses. | — |
Sysopt_AAA_radius_negate | Negates the Sysopt_AAA_radius configuration. | — |
Sysopt_basic | Configures sysopt wait time, maximum segment size for TCP packets, and detailed traffic statistics. | tcpMssMinimum, tcpMssBytes |
Sysopt_basic_negate | Clears sysopt_basic detailed traffic statistics, wait time, and TCP maximum segment size. | — |
Sysopt_clear_all | Clears all sysopt configurations from the device. | — |
Sysopt_noproxyarp | Configures noproxy-arp CLIs. | Uses system variable SYS_FW_NON_INLINE_INTF_NAME_LIST |
Sysopt_noproxyarp_negate | Clears Sysopt_noproxyarp configurations. | Uses system variable SYS_FW_NON_INLINE_INTF_NAME_LIST |
Sysopt_Preserve_Vpn_Flow | Configures sysopt preserve VPN flow. | — |
Sysopt_Preserve_Vpn_Flow_negate | Clears the Sysopt_Preserve_Vpn_Flow configuration. | — |
Sysopt_Reclassify_Vpn | Configures sysopt reclassify vpn. | — |
Sysopt_Reclassify_Vpn_Negate | Negates sysopt reclassify vpn. | — |
Threat_Detection_Clear | Clears the threat detection TCP Intercept configuration. | — |
Threat_Detection_Configure | Configures threat detection statistics for attacks intercepted by TCP Intercept. | threat_detection_statistics |
Wccp_Configure | This template provides an example for configuring WCCP. | isServiceIdentifier, serviceIdentifier, wccpPassword |
Wccp_Configure_Clear | Clears WCCP configurations. | — |
Deprecated FlexConfig Objects
The following table lists objects that configure features you can now configure natively in the GUI. Stop using these objects at your earliest convenience.
Deprecated Version | FlexConfig Object | Description | Now Configure In |
---|---|---|---|
7.3 | DHCPv6_Prefix_Delegation_Configure | Configure one outside (Prefix Delegation client) and one inside interface (recipient of delegated prefix) for IPv6 prefix delegation. To use this template, copy it and modify the variables. Associated text objects: pdoutside, pdinside. Also uses the system variable SYS_FTD_ROUTED_INTF_MAP_LIST. | Interface IPv6 Settings. |
7.3 | DHCPv6_Prefix_Delegation_UnConfigure | Removes the DHCPv6 prefix delegation configuration. | Interface IPv6 Settings. |
6.3 | Default_DNS_Configure | Configure the Default DNS group, which defines the DNS servers that can be used when resolving fully-qualified domain names on the data interfaces. Associated text objects: defaultDNSNameServerList, defaultDNSParameters. | Platform settings. |
6.3 | DNS_Configure | Configure DNS servers in a non-default DNS server group. Copy the object to change the name of the group. | DNS Server Group in the object manager. |
6.3 | DNS_UnConfigure | Removes the DNS server configuration performed by Default_DNS_Configure and DNS_Configure. Copy the object to change the DNS server group names if you altered DNS_Configure. | DNS Server Group in the object manager. |
7.2 | Eigrp_Configure | Configures EIGRP routing next-hop, auto-summary, router-id, eigrp-stub. Associated text objects: eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary. | For all EIGRP objects, see EIGRP. The system does allow you to deploy post-upgrade, but also warns you to redo your EIGRP configurations. To help you with this process, we provide a command-line migration tool. |
7.2 | Eigrp_Interface_Configure | Configures EIGRP interface authentication mode, authentication key, hello interval, hold time, split horizon. Associated text objects: eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon. Also uses the system variable SYS_FTD_ROUTED_INTF_MAP_LIST. | |
7.2 | Eigrp_Unconfigure | Clears EIGRP configuration for an autonomous system from the device. | |
7.2 | Eigrp_Unconfigure_all | Clears all EIGRP configurations. | |
7.4 | Netflow_Add_Destination | Creates and configures a Netflow export destination. Associated text objects: Netflow_Destinations, netflow_Event_Types. | Platform settings. |
7.4 | Netflow_Clear_Parameters | Restores Netflow export global default settings. | Platform settings. |
7.4 | Netflow_Delete_Destination | Deletes a Netflow export destination. Associated text objects: Netflow_Destinations, netflow_Event_Types. | Platform settings. |
7.4 | Netflow_Set_Parameters | Sets global parameters for Netflow export. Associated text objects: netflow_Parameters. | Platform settings. |
6.3 | TCP_Embryonic_Conn_Limit | Configures embryonic connection limits to protect against SYN Flood Denial of Service (DoS) attacks. Associated text objects: tcp_conn_misc, tcp_conn_limit. | Service policy. |
6.3 | TCP_Embryonic_Conn_Timeout | Configures embryonic connection timeouts to protect against SYN Flood Denial of Service (DoS) attacks. Associated text objects: tcp_conn_misc, tcp_conn_timeout. | Service policy. |
7.2 | VxLAN_Clear_Nve | Removes the NVE 1 configured when VxLAN_Configure_Port_And_Nve is used from the device. | For all VxLAN objects, see Configure VXLAN Interfaces. If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings. |
7.2 | VxLAN_Clear_Nve_Only | Clears the NVE configured on the interface when deployed. | |
7.2 | VxLAN_Configure_Port_And_Nve | Configures VLAN port and NVE 1. Associated text objects: vxlan_Port_And_Nve. | |
7.2 | VxLAN_Make_Nve_Only | Sets an interface for NVE only. Associated text objects: vxlan_Nve_Only. Also uses system variables SYS_FTD_ROUTED_MAP_LIST and SYS_FTD_SWITCHED_INTF_MAP_LIST. | |
7.2 | VxLAN_Make_Vni | Creates a VNI interface. After deploying this you have to unregister and re-register the device to properly discover the VNI interface. Associated text objects: vxlan_Vni. | |