Object Overrides
An object override allows you to define an alternate value for an object, which the system uses for the devices you specify.
You can create an object whose definition works for most devices, and then use overrides to specify modifications to the object for the few devices that need different definitions. You can also create an object that must be overridden on every device; even then, using it lets you write a single policy that applies to all devices. Object overrides allow you to create a smaller set of shared policies for use across devices without giving up the ability to alter policies when needed for individual devices.
For example, you might want to deny ICMP traffic to the different departments in your company, each of which is connected to a different network. You can do this by defining an access control policy with a rule that includes a network object called Departmental Network. By allowing overrides for this object, you can then create an override on each relevant device that specifies the actual network to which that device is connected.
You can target an object override to a specific domain. In this case, the system uses the object override value for all devices in the targeted domain unless you override it at the device level.
From the object manager, you can choose an object that can be overridden and define a list of device-level or domain-level overrides for that object.
You can use object overrides with the following object types only:
- Network
- Port
- VLAN tag
- URL
- Cert Enrollment (PKI)
- Key Chain
If you can override an object, the Override column appears for the object type in the object manager. Possible values for this column include:
- Green checkmark — indicates that you can create overrides for the object and no overrides have been added yet
- Red X — indicates that you cannot create overrides for the object
- Number — represents a count of the overrides that have been added to that object (for example, "2" indicates two overrides have been added)