Who rated this post

One hazard with policy presets: they stick around after they've fired, and they reference objects. I was recently involved in upgrading an MDS which had hundreds of these left over referencing firewalls which had been decommissioned years earlier. The references to objects which no longer exist tanked the upgrade, and there doesn't appear to be API support for managing policy presets, so we had to manually delete them.

I wrote a script for recurring policy installations several years ago. I'll clean it up a little and share in a bit. In the main environment I currently manage, we install almost every policy every day Monday through Friday. We find it helps us identify problems more quickly, since we have fewer changes to review since the last push.