Hi Tomer.

Having the gateway receive the last installed policy is all well and good, but if that policy refers to objects that have been modified then there are still going to be issues with business communication. Depending upon the scale of the change then this can take a significant amount of time (significant being relative to the fact that the business will be suffering the outage of one or more services) to fix by individually reverting each affected object.

I'm assuming that your investigations were primarily with end users and as such the majority of such changes would be small-scale with relatively few dramatic changes within their environment? Working for a reseller I get involved with the larger changes where a simple change in ISP can require 50 or so objects to be changed; or the move or a number of VLANs off a core switch to the firewall to name two recent examples.

So, whilst I do understand your view in the context of the run-of-the-mill daily rule changes, when it really matters - the more significant changes to the environment - the answer is unfortunately "yes", the omission of a reversion mechanism that provides the same "snapshot" and roll back features that DRC gave us is unsatisfying. When faced with a maintenance window (which is usually not long enough) I would rather spend the majority of the time trying to fix the issue knowing it is easy (and quick) to roll back, than having to allocate a significant proportion of the maintenance window for potential "return to operations" tasks.

Thanks,

Dave

Dave Hoggan wrote: Having the gateway receive the last installed policy is all well and good, but if that policy refers to objects that have been modified then there are still going to be issues with business communication. Depending upon the scale of the change then this can take a significant amount of time (significant being relative to the fact that the business will be suffering the outage of one or more services) to fix by individually reverting each affected object.

When installing a previous revision, the Gateway gets the rules and objects as they were compiled on the date in the past. Rest assure none of the changes in the Management database since that revision will affect that policy.

I'm assuming that your investigations were primarily with end users and as such the majority of such changes would be small-scale with relatively few dramatic changes within their environment? Working for a reseller I get involved with the larger changes where a simple change in ISP can require 50 or so objects to be changed; or the move or a number of VLANs off a core switch to the firewall to name two recent examples. So, whilst I do understand your view in the context of the run-of-the-mill daily rule changes, when it really matters - the more significant changes to the environment - the answer is unfortunately "yes", the omission of a reversion mechanism that provides the same "snapshot" and roll back features that DRC gave us is unsatisfying. When faced with a maintenance window (which is usually not long enough) I would rather spend the majority of the time trying to fix the issue knowing it is easy (and quick) to roll back, than having to allocate a significant proportion of the maintenance window for potential "return to operations" tasks. Thanks, Dave

We've done visits to customers, partners and service providers, but we're always interested with fresh opinions. So going into this scenario - in the case of 50+ changed objects and rules making a degradation on the network security or performance, assuming you rolled back the changes on the GW's completely, what would typically be the next step to still apply that desired change of the policy?

( I want to be clear - we know that sometimes just cancelling the changes on the 50 object and starting fresh is better than making additional changes on top of what's already been done, and full revert will be available in the next releases, I'm just trying to open this specific example)

Hi Tomer,

The "next step" usually depends upon the customer and their appetite for risk.

With some of our customers the end of the change window can only have one of two outcomes: a fully successful change or a complete reversion. The next stage in these cases is to have the appropriate analysis and re-attempt the entire change in a separate window. Excessive? Not if you have SLAs with a dozen clients and every minute that you are down outside of an agreed window carries punitive financial penalties. So, it is not a question of being "better", but one of meeting the expectations set out. Also, simply rolling back the changes on the gateway (and not the manager) would not only be seen as not leaving things as how they were before the start of the maintenance window, more critically it would mean that there is a difference in the policy and objects on the manager and those on the gateway.

With other customers, hitting the end of the maintenance window with the gateway running the reverted policy and objects whilst the manager is partially restored to its previous configuration would be less of an issue, simply as the business is operational. Outside of the maintenance window the objects could then be manually reverted which, assuming that the engineer has a properly completed project document, would be more an issue of time than anything else.

I guess it depends on the customer but in my experience once the maintenance window is closed there is no "next step" other than to get the change review board to agree to a new maintenance window.

As I said, I can fully understand how having the policy/objects on the gateway revert whilst the manager is reviewed or reverted manually is a nice feature - for small scale changes. Say, a new service being brought online. But for working services that are business critical or changes that have been risk assessed as having potential impact on business operation there needs to be a process by which changes can be utterly, completely and quickly undone.

Thanks,

Dave

Thanks for your feedback.

Hi

Working from the support desk, I have to concur with Dave. DRC has saved hours on numerous occasions instead of attempting to unpick what a customer has done to their latest policy that has gone disastrously wrong.

I can agree with you that such a rollback option would be great in such specific situations and therefore I hope it will be integrated soon, but you have to see the other side of the feature!

If you have now not only 1 administrator carrying out changes during the day (because of policy-lock), but much more, you cannot easily revert to a database revision every time, because you would revert changes of others (you might not be aware of).

On the other hand you can save a lot of time now with R80.x with being able to prepare big changes in advance, as you can work on the changes without publishing them and you or others doing daily work in other sessions.

Therefore the change window could be used better and time for troubleshooting could be saved!