Create a Post
Showing results for 
Search instead for 
Did you mean: 

Policy Preset limitation

Our current setup includes four Multi-Domain Management servers, where Domain Management servers are spread across all of them in order to distribute the load. R80.20 Take 107

The issue/limitation we are facing is that in order for Policy Preset (scheduled or not) to work, we must have Global domain Active on the MDM that holds a DMS with policy targets, what breaks the idea of centralized management and makes policy installation automation far away from straightforward.

Also, for the ones who faced the following warning when creating a new Policy Preset - this is the same problem. make sure that Global Domain is active on the MDM that holds the DMS with policy targets.


Does someone know if there is a plan to improve this or we need to do a RFE?


Additional posts for the similar subjects:

Install Policy Presets not working on R80.20 

6 Replies

Re: Policy Preset limitation

I can also tell you that in R80.30 when you try to install a policy from the MDG in your setup, it's the same as ours, you get an error that is similar but just states that you need to be logged into the MDS that the DMS is on. Also when you look at Sessions, you will only see sessions from the MDS you are logged in to.
Regards, Maarten
0 Kudos

Re: Policy Preset limitation

Yes, you are right.

Was doing some tests regarding policy installation from MDM, and good news is that everything is not that bad as it sounds.
We don't need to set Global Domain Active on MDM where DMS is. In order to run policy installation (scheduled or not) it's enough to be logged into MDM where corresponding DMS is (regardless of it's being secondary or primary DMS)

But what needs to be taken to consideration:
1. Global domain must be active on primary MDS 
2. Last run time is not synchronized across MDMs. If you run policy installation from one MDM, you will not see it on another ones.

It's still quite a limitation for centralized management. We can see all policy packages/target gateways on primary MDM, but not install policy on them.


Re: Policy Preset limitation

Was doing some tests again, and turned out that it is actually that bad as I though at the beginning. 

Basically scheduled policy installation is not working indeed until we set Global domain as Active on the MDM where we have DMS with policy targets. However if you just want to install bulk of policies, you just need to be logged into respectful MDM.


Re: Policy Preset limitation

I would like to share our findings and discussion with R&D team on the issue with policy installation preset. 

1. Regarding the need of switching the Global Domain to the MDS server, which holds the target CMA prior to scheduled policy installation. 

This limitation is documented at R80.20 Administration guide - "Multi-Domain Security Management Administration Guide R80.20, Page 36"

Note - The policy preset is installed on the Multi-Domain Server with the active global Domain. If a domain has no domain server on the Multi-Domain Server with the active global Domain, then the policy preset is not installed on this Domain.

2. While connected to the Primary MDS, the policy installation to the gateways on the secondary, tertiary Multi-Domain Security Management servers is not possible.  

This is also a current product limitation. 

3. If the Global Domain will be changed to the secondary MDS server and the policy installation preset will be triggered, the status of the policy installation preset will not appear on the status task pane on Primary MDS. 

This feature is in product road-map and expected to be resolved in the next releases. 


Re: Policy Preset limitation

3 - Does that also include being able to see the active sessions for the secondary MDS's? As also there the only sessions you see are from the MDS you logged into.
Regards, Maarten

Re: Policy Preset limitation

sorry for the late reply, but I bet it is 🙂