
why changes need to be installed in another policy-package?

Hello,

I have two DCs and three clusters in each... I've created two separate policy-packages for each of them... When I make a change that is related to one policy-package, and after I publish and install that change to the corresponding policy, it still needs to be installed in the other policy-package as well.

Would be great if someone helps me to figure it out.

Regards,

Rambod,

8 Replies
Vladimir

Re: why changes need to be installed in another policy-package?

If you are using a single security domain (i.e. SMS, not MDS) and you have made changes to the objects present in both policies, this may require installation on all clusters managed by your management server.


Re: why changes need to be installed in another policy-package?

I am using a single security domain (SMS)... but it is not only for changes to the objects... for instance, if I disable one rule in policy A and publish it, I see that change in both policy A and B when I want to install the policy.

Vladimir

Re: why changes need to be installed in another policy-package?

What do you have the "Policy Targets" defined as, gateways specific to the policy or "All gateways"?


Re: why changes need to be installed in another policy-package?

NO! I have selected different GWs for each policy package...

Re: why changes need to be installed in another policy-package?

You shouldn't update the other policy if you made a change that isn't relevant to it.


Re: why changes need to be installed in another policy-package?

I agree, but when I make any changes to policy B (i.e. 5 changes) and publish them, and then want to install policy B, I see the total of 5 changes plus all the changes that I published and installed to policy A as well...


Re: why changes need to be installed in another policy-package?

This is a limitation of R80.10. Clicking the "5 changes" hyperlink can show the audit logs and from there you can see that these changes are rules that aren't part of Policy B.

We plan to give better diff capabilities in our next releases.

Re: why changes need to be installed in another policy-package?

Right, the fact that the total number of "changes" shown in the SMS config when preparing to install policy may not necessarily apply to the gateway in question was explicitly called out in my document here:  R80+ Change Control: A Visual Guide

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com