Object Overrides
An object override lets you customize a shared object for specific devices. When a device has an override, Security Cloud Control uses the override value for that device instead of the object's default value.
Overrides allow you to maintain a single shared policy across devices while tailoring individual object values where needed.
For example, suppose you have a print-server object shared across three offices, with a default value of 10.1.1.100. Office B has a different print server at 10.2.1.100. Rather than creating a separate object, you add an override for Office B's device with the value 10.2.1.100. Office B's device uses the override; all other devices use the default value.
Overrides on network object groups
Overrides on network object groups fully replace the default values for the devices they are assigned to. A device with an override receives only the override values, not the default values. This means:
- Changes to the default values (additions, edits, or removals) only affect devices without overrides.
- Changes to an override only affect the devices assigned to that specific override.
For example, suppose you have a network group, dns-servers, shared across firewalls at three branch offices (Branch A, Branch B, Branch C). The group has two default values: primary-dns (10.0.1.53) and secondary-dns (10.0.2.53). Branch C also runs a local DNS cache at 10.30.1.53 that needs to be included.
Because overrides on network groups replace the defaults entirely, you cannot just add local-dns-cache as an override for Branch C; that would cause Branch C's firewall to receive only local-dns-cache, losing access to primary-dns and secondary-dns. Instead, you must add all three values (primary-dns, secondary-dns, local-dns-cache) as the override for Branch C.
After this configuration:
- Branch A and Branch B receive: primary-dns, secondary-dns (from default values)
- Branch C receives: primary-dns, secondary-dns, local-dns-cache (from its override)
If you later add a new default value tertiary-dns, Branch A and Branch B will receive it automatically, but not Branch C. You need to add tertiary-dns to Branch C's override as well.
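The replace-not-merge behavior described above can be modeled in a few lines to audit overrides that have fallen behind the defaults. This is an added example, not Security Cloud Control code or its API; the class, method names, device keys and the tertiary-dns address are assumptions made for illustration.

```python
# Added illustration: a plain-data model of the override semantics described
# above. Not the Security Cloud Control API; all names here are hypothetical.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class NetworkGroup:
    name: str
    defaults: dict[str, str]  # member name -> address
    overrides: dict[str, dict[str, str]] = field(default_factory=dict)  # device -> members

    def effective(self, device: str) -> dict[str, str]:
        """An override fully replaces the defaults; it is never merged with them."""
        if device in self.overrides:
            return dict(self.overrides[device])
        return dict(self.defaults)

    def override_drift(self) -> dict[str, list[str]]:
        """For each overridden device, list default members that its override
        lacks or holds with a different address (a stale copy of a default)."""
        drift = {}
        for device, members in self.overrides.items():
            stale = sorted(n for n, addr in self.defaults.items() if members.get(n) != addr)
            if stale:
                drift[device] = stale
        return drift


def build_example() -> NetworkGroup:
    # Constructed sample data, taken from the dns-servers example on this page.
    group = NetworkGroup(
        name="dns-servers",
        defaults={"primary-dns": "10.0.1.53", "secondary-dns": "10.0.2.53"},
    )
    group.overrides["branch-c"] = {
        "primary-dns": "10.0.1.53",
        "secondary-dns": "10.0.2.53",
        "local-dns-cache": "10.30.1.53",
    }
    return group


if __name__ == "__main__":
    g = build_example()
    print(g.override_drift())                 # nothing to report yet
    g.defaults["tertiary-dns"] = "10.0.3.53"  # constructed address, not from the page
    print(g.effective("branch-a"))            # picks up tertiary-dns automatically
    print(g.override_drift())                 # branch-c's override is now behind
```

A member reported by override_drift may be absent from an override on purpose, so treat the output as a review list rather than an error list.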