Rambod_Fard
Participant

Why do changes need to be installed in another policy package?

Hello,

I have two DCs and three clusters in each... I've created two separate policy packages for each of them... When I make a change that is related to one policy package, and after I publish and install that change to the corresponding policy, it still needs to be installed in the other policy package as well.

It would be great if someone could help me figure it out.

Regards,

Rambod

8 Replies
Vladimir
Champion

If you are using a single security domain (i.e. SMS, not MDS) and you have made changes to the objects present in both policies, this may require installation on all clusters managed by your management server.

0 Kudos
Rambod_Fard
Participant

I am using a single security domain (SMS)... but it is not only for the changes to the objects... for instance, if I disable one rule in policy A and publish it, I see that change in both policy A and B when I want to install the policy.

0 Kudos
Vladimir
Champion

What do you have the "Policy Targets" defined as, gateways specific to the policy or "All gateways"?

0 Kudos
Rambod_Fard
Participant

NO! I have selected different GWs for each policy package...

Tomer_Sole
Mentor

You shouldn't update the other policy if you made a change that isn't relevant to it.

0 Kudos
Rambod_Fard
Participant

I agree, but when I make any changes to policy B (i.e. 5 changes) and publish them, and then want to install policy B, I see the total of 5 changes plus all the changes that I published and installed to policy A as well...

0 Kudos
Tomer_Sole
Mentor

This is a limitation of R80.10. Clicking the "5 changes" hyperlink can show the audit logs and from there you can see that these changes are rules that aren't part of Policy B.

We plan to give better diff capabilities in our next releases.

Timothy_Hall
Champion

Right, the fact that the total number of "changes" shown in the SMS config when preparing to install policy may not necessarily apply to the gateway in question was explicitly called out in my document here: R80+ Change Control: A Visual Guide

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
