Jonathan_Pitt
Participant

Global Policy Rule Handling

Having implemented a Global Policy for my R80.10 CMAs, I have come across multiple frustrations with rule numbering and rule identification during verification.

1) When using a, for example, 10 rule Global Policy, ALL domain level rules (whether using Inline layer or not) exist as 11.x or 11.x.x.

2) When using a Global Policy (in my case that includes Inline Layers), policy verification errors report a non-existing rule number, which makes tracking the issue very difficult.

3) When using Global Dynamic objects and Inline Layer Global Rules, unless the Global Dynamic Object is used at the "top level" Inline Layer rule, e.g. 3, then any use of a Global Dynamic Object, e.g. at 3.1, doesn't map correctly to the corresponding local domain defined group, causing an unknown error during policy installation. This prevents the definition of network object or ANY based top level Inline Layer rules, meaning I must essentially define the 5 inline layer source and destinations in the top level rule, which makes the inline layer rules a little redundant if I'm already collapsing/defining all the rules into one at the top level (ignoring the security/service granularity benefits).

Are these known issues that are being looked at?

Thanks

3 Replies
Tomer_Sole
Mentor

Hi,

Please see this short guide: How do layers work in a multi-domain environment? The point was that global and local rules are two different rule sets with different permissions, and therefore the local rules are considered a domain layer. This means that the numbering will change in order to reflect the layer representation of the domain rules. So your first concern was a result of the multi-domain layers reconsideration. While it could take a little time to get used to, we were hoping to introduce domain layers this way.

2 and 3 are not supposed to happen. We will report once we have updates on those issues. Thank you for raising this.

0 Kudos
18568
Collaborator

I still have issue 3 with a new R80.40 MDM. Is there still really no way to use a shared global layer with dynamic global objects in the layer?

0 Kudos
SaffaRamma
Participant

Has there been any additional update to 2 and 3 above? We are experiencing the exact same issue, which makes troubleshooting policy verification errors nearly impossible to do, as the rule numbers in the policy verification output just do not match up with the actual rule numbers in the policy.

Thanks.
