Prioritising local firewall rules with global rules also on ASA

ArpadPapp
Level 1

How to prioritise local firewall rules when global rules are also configured in Cisco ASA firewalls managed in CSM

A way for local rules to get checked first when global rules are also configured in Cisco ASA firewalls managed in CSM

With rule inheritance, we can have a local device contain the rules defined in a shared "global" policy in addition to local rules.
CSM can enforce a hierarchy where policies at a lower level (called child policies) inherit the rules of policies defined above them in the hierarchy (called parent policies).

Unfortunately, I ran into this issue that a local subnet would still get access to whatever the first half of the "global" policy allows (above the local rules).

In other words, securing a local subnet with local rules can be tricky when global policies are associated with ASA firewalls in CSM because one half of the "global" policies precedes the local rules and so an isolated subnet will still get access to whatever the preceding global rules allow.

A solution is to create a “DENY-GLOBAL” policy which has only those deny rules that we want to apply on a particular ASA firewall.

Then, we subordinate the actual “GLOBAL POLICY”, as a child policy, to the “DENY-GLOBAL” policy (which will be the parent policy).

Then we associate this bespoke policy with the firewalls.

This way, any changes to the global policy are still automatically updated in the global policy.

To make this more scalable, we could use the override function in the objects used in the “DENY-GLOBAL” parent policy so that one policy can be used on different firewalls.
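The rule-ordering effect described in this post, modelled as an added example (my code, not the poster's or Cisco's). It assumes the CSM inheritance behaviour the post relies on: a parent's mandatory section lands above the child's rules and its default section below them, and the ASA evaluates the resulting list first-match with an implicit deny at the end. The policies, rule names and subnets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source network in CIDR ("0.0.0.0/0" means any)
    dst: str     # destination network in CIDR
    name: str

@dataclass
class Policy:
    name: str
    mandatory: list = field(default_factory=list)  # section placed above child rules
    default: list = field(default_factory=list)    # section placed below child rules
    parent: "Policy | None" = None

def flatten(policy: Policy) -> list:
    """Effective order: mandatory sections top-most parent downwards, then defaults upwards."""
    chain, p = [], policy
    while p is not None:
        chain.append(p)
        p = p.parent
    ordered = [r for p in reversed(chain) for r in p.mandatory]
    return ordered + [r for p in chain for r in p.default]

def evaluate(rules: list, src_ip: str, dst_ip: str) -> str:
    """First-match lookup, ending with the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return f"{r.action}:{r.name}"
    return "deny:implicit"

# Constructed sample policies (not from the post); 10.1.99.0/24 is the subnet to isolate.
GLOBAL = Policy("GLOBAL POLICY",
    mandatory=[Rule("permit", "0.0.0.0/0", "10.0.53.0/24", "global-shared-services")],
    default=[Rule("permit", "10.0.0.0/8", "10.0.0.0/8", "global-internal")])
DENY_GLOBAL = Policy("DENY-GLOBAL",
    mandatory=[Rule("deny", "10.1.99.0/24", "0.0.0.0/0", "isolate-lab")])
LOCAL = [Rule("deny", "10.1.99.0/24", "0.0.0.0/0", "local-isolate-lab")]

def before() -> list:
    """Original layout: GLOBAL POLICY is the direct parent of the device's local policy."""
    return flatten(Policy("asa1-local", mandatory=LOCAL, parent=GLOBAL))

def after() -> list:
    """Fix from the post: DENY-GLOBAL -> GLOBAL POLICY -> device's local policy."""
    g = Policy(GLOBAL.name, GLOBAL.mandatory, GLOBAL.default, parent=DENY_GLOBAL)
    return flatten(Policy("asa1-local", mandatory=LOCAL, parent=g))
```

With the original layout, traffic from the isolated subnet to the shared-services range is still permitted by the global mandatory rule before the local deny is reached; with DENY-GLOBAL as the top parent the deny is evaluated first.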

1 Reply

Can you elaborate more?

MHM
