cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Highlighted

Policy Package operations in R77.30

We are planning to consolidate to different firewalls running R77  in one firewall. Each of the firewalls have a different policy package attached. So we are thinking of merging  both policy packages with cp_merge and  replacing the existent policy package by the new policy package (the merge of the two policy packages).

 

So at some stage we will do something like the following below at the SmartDashboard

  • Old policy package:
    1. Policy -> Uninstall (included implied rules)
    2. Policy -> Policy Package Installation targets -> Unbind the target
  • New policy package
    1. Policy -> Policy Package Installation targets -> Bind the target
    2. Policy -> Install

Does it make sense? Is there any risk when you do this operation? At some stage the firewall will have no policy package installed (included implied rules). Will the firewall permit or deny everything ?  I assume that it will allow everything until we progress to the second step when we install the new policy. Is there any other way of doing it? 

 

I was also wondering if a gateway could have two different policy packages installed?

0 Kudos
4 Replies

Re: Policy Package operations in R77.30

Luis,

Let's say your final gw is GW1 and it is managed by SMS1, you want to merge a policy from SMS2, when GW1 remains on SMS1 there is no need to uninstall any policy, you just install the new policy you want loaded and you get the question if you are sure that you want to replace it.
Regards, Maarten

Re: Policy Package operations in R77.30

Ok thanks. So I unbind the target for the old policy, I bind target for the new policy and then install.

0 Kudos

Re: Policy Package operations in R77.30

you don't even need to unbind anything. Just make sure that in the new policy the gateway is selected as a installation target.
Regards, Maarten
Wolfgang
Silver

Re: Policy Package operations in R77.30

Luis,

you wrote that you want to consolidate two firewalls in one.

Maarten described the correct way, but maybee if you consolidate more then the rules you have to check for new interfaces, AntiSpoofing,  routing, ProxyARP etc.

And have a look at the install target of the rules and too check your manual and automatic NAT-rules to have the correct gateway defined.

A gateway can not have more then one policy.

Wolfgang

0 Kudos