What are the changes that were made in Multi-Domain environments in regard to layers? What is the new "Domain Layer" concept?
Message was edited by: Tomer Sole
Multi-domain policies in R80 use the layers concept to segregate different parts of the rulebase for different permission profiles. Since Multi-Domain is a Management server-only concept, many of its features apply to all existing Gateways without the need to upgrade them.
A global policy can be split into different ordered layers. Read all about ordered layers at Layers in R80. For Pre-R80 Gateways, this means that an administrator can add application control rules inside the Global Domain, as well as global threat prevention rules.
Inside a global policy layer, a placeholder for domain rules appears. It represents the place in which the domain rules will be applied. Global rules can be set above and below the placeholder.
Once "assign global policy" has been performed, all of the domain's policies are updated with the global rules. The placeholder from the global domain is seen as a "parent rule for domain policy". Its action is "domain layer", and it has a "domain layer" inside with all the local domain rules. By clicking the pencil icon in the "action" cell, the domain administrator can select a different domain layer for that placeholder, or choose not to have any domain layer at all.
When the gateway evaluates the rules in the local policy, if there was no match for the global rules at the top of the rulebase, it starts to evaluate the rules from the domain layer. If there was still no match for those rules, the global rules that were created below the domain layer are evaluated.
Internally, the R80 Management Server uses pointers to revisions of the global domain instead of copying the global rules as it did in R77 Management. "Reassign global policy" updates the local domain to point at the latest revision of the global domain's database.
"Reassign" also checks whether changes were made to the ordered layers in the global policy - for example, if a new ordered layer was added, it attempts to connect it with the next ordered layer in the local domain's policy.
Another concept is the ability to share a layer. A use case could be that the global administrator publishes global layers, and then the domain administrator selects them inside his domain policies the way that he desires.
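The evaluation order described above (global rules above the placeholder, then the domain layer, then global rules below it) can be modelled in a few lines. This is an added illustration, not Check Point code: the `Rule` class, the function names, the sample rules and the final implicit drop are all assumptions made for this simplified first-match model. It shows why a global rule that must always apply belongs above the placeholder: a broad domain rule matches first and the global rules below it are never reached.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:  # hypothetical, simplified rule: source, destination, port, action
    name: str
    src: str
    dst: str
    port: Optional[int]  # None means any port
    action: str          # "accept" or "drop"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.port in (None, port))

def effective_rulebase(global_above, domain_layer, global_below):
    """Flatten the policy into evaluation order.
    domain_layer=None models a domain admin who selected no domain layer."""
    ordered = [("global", r) for r in global_above]
    ordered += [("domain", r) for r in (domain_layer or [])]
    ordered += [("global", r) for r in global_below]
    return ordered

def evaluate(rulebase, src, dst, port):
    """First match wins; returns (origin, rule name, action)."""
    for origin, rule in rulebase:
        if rule.matches(src, dst, port):
            return origin, rule.name, rule.action
    return "implicit", "no-match", "drop"  # assumption of this model

# Constructed sample policy, for illustration only.
GLOBAL_ABOVE = [Rule("g-block-telnet", ANY, ANY, 23, "drop")]
DOMAIN_LAYER = [Rule("d-web", "10.1.0.0/16", ANY, 443, "accept"),
                Rule("d-allow-all-out", "10.1.0.0/16", ANY, None, "accept")]
GLOBAL_BELOW = [Rule("g-block-smb", ANY, ANY, 445, "drop"),
                Rule("g-cleanup", ANY, ANY, None, "drop")]

if __name__ == "__main__":
    with_domain = effective_rulebase(GLOBAL_ABOVE, DOMAIN_LAYER, GLOBAL_BELOW)
    without_domain = effective_rulebase(GLOBAL_ABOVE, None, GLOBAL_BELOW)
    for port in (23, 443, 445):
        print(port, evaluate(with_domain, "10.1.2.3", "198.51.100.7", port),
              evaluate(without_domain, "10.1.2.3", "198.51.100.7", port))
```

In the sample, the global SMB block below the placeholder takes effect only when the domain layer has no matching rule, while the Telnet block above the placeholder applies regardless of what the domain administrator configures.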