Collaborator

Policy Package operations in R77.30

We are planning to consolidate two different firewalls running R77 into one firewall. Each of the firewalls has a different policy package attached. So we are thinking of merging both policy packages with cp_merge and replacing the existing policy package with the new policy package (the merge of the two policy packages).

So at some stage we will do something like the following in SmartDashboard:

  • Old policy package:
    1. Policy -> Uninstall (including implied rules)
    2. Policy -> Policy Package Installation targets -> Unbind the target
  • New policy package
    1. Policy -> Policy Package Installation targets -> Bind the target
    2. Policy -> Install

Does it make sense? Is there any risk when you do this operation? At some stage the firewall will have no policy package installed (including implied rules). Will the firewall permit or deny everything? I assume that it will allow everything until we progress to the second step when we install the new policy. Is there any other way of doing it?

I was also wondering if a gateway could have two different policy packages installed?

4 Replies
Champion

Luis,

Let's say your final gw is GW1 and it is managed by SMS1, and you want to merge a policy from SMS2. When GW1 remains on SMS1 there is no need to uninstall any policy; you just install the new policy you want loaded and you get the question if you are sure that you want to replace it.
Regards, Maarten
Collaborator

OK, thanks. So I unbind the target for the old policy, I bind the target for the new policy and then install.

Champion

You don't even need to unbind anything. Just make sure that in the new policy the gateway is selected as an installation target.
Regards, Maarten
Leader

Luis,

You wrote that you want to consolidate two firewalls into one.

Maarten described the correct way, but maybe if you consolidate more than the rules you have to check for new interfaces, AntiSpoofing, routing, ProxyARP etc.

And have a look at the install target of the rules, and also check your manual and automatic NAT rules to have the correct gateway defined.

A gateway cannot have more than one policy.

Wolfgang
