Distributing A Policy To The Network - 3Com 3CR990 Administration Manual

Embedded firewall software for the network interface card (nic) family

Distributing a Policy to the Network

NOTE: Removing a rule that was in test mode may cause different audit records to
be generated for rules in test mode that came after it in the ACL. The difference
occurs because only one (the first) audit record is generated for each packet due to
a test mode rule.

When you feel comfortable with the policies, you can remove the test mode to fully
implement the policies into your system.

Distributing a policy consists of sending a policy out to one or more EFW devices. This
distribution happens whenever you assign a new device set to a policy or save a policy or
a rule set that is used by a policy. If a device is not online when the Management Console
initiates the action, the policy is distributed to the device when the Policy Server receives
the next wake-up or heartbeat from the device. If you wish to check whether or not
the policy being enforced on a NIC is current, or to immediately update it, or both, use the
Status button on the NIC window.

NOTE: You cannot distribute a policy to an EFW device if that system is running in a
low power mode, such as standby. Also, a NIC that is in a low power mode is not
shown as responding.

When a policy or new configuration information is distributed to EFW devices after saving
it, you see a window indicating the progress of its distribution. The following counts will
appear in the window:
- Pending—Distribution processing for these devices has not yet completed.
- Successful—Policy or configuration information has been successfully distributed to
  these devices.
- Failed—The system encountered an error condition before attempting to contact a
  device. The policy may contain an unresolvable IP address or may be too large for the
  target device. The system may not have a primary or backup policy server available for
  the device, or encountered some other unexpected error when preparing to perform
  the distribution. This distribution is attempted again (and may fail again) when the
  device next sends a wake-up or heartbeat, assuming the policy or configuration
  change that initiated this distribution remains in place.
- Skipped—Devices have not yet made first contact with the domain, so a distribution
  was not attempted. Distribution is attempted again when devices make first contact,
  assuming the policy or configuration change that initiated this distribution remains
  in place.
- Timed Out—Devices did not respond to the distribution. Devices may be offline,
  there may be network problems that prevent the device from being reached, or the
  Policy Server did not receive an acknowledgement from the NIC that it received the
  distribution. Distribution is attempted again when the device next sends a wake-up or
  heartbeat, assuming the policy or configuration change that initiated this distribution
  remains in place.

NOTE: If the Failed, Skipped, or Timed Out count is non-zero, click the Details button
to display a list of NICs to which the policy could not be distributed and the details on
the errors.
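
The outcome counts and retry rules described above can be modelled in a few lines to reason about which NICs have not yet confirmed a saved policy and which event will trigger the next attempt. This is an added illustration, not 3Com code or an EFW interface: the `Nic` record, its fields, the function names and the order in which the conditions are checked are all assumptions, and the sample devices are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Event that triggers a new attempt for each unsuccessful outcome, per the manual.
RETRY_TRIGGER = {"Failed": "heartbeat", "Timed Out": "heartbeat",
                 "Skipped": "first_contact"}

@dataclass
class Nic:                           # hypothetical record, not an EFW structure
    name: str
    contacted_domain: bool = True    # device has made first contact with the domain
    prep_error: bool = False         # e.g. unresolvable IP address, policy too large
    acked: bool = True               # Policy Server received the NIC's acknowledgement
    status: str = "Pending"

def attempt(nic):
    """Classify one distribution attempt (check order is an assumption)."""
    if not nic.contacted_domain:
        nic.status = "Skipped"       # distribution was not attempted
    elif nic.prep_error:
        nic.status = "Failed"        # error before contacting the device
    elif not nic.acked:
        nic.status = "Timed Out"     # no response or acknowledgement
    else:
        nic.status = "Successful"
    return nic.status

def distribute(nics):
    """Attempt every device once and return the counts shown in the window."""
    return Counter(attempt(n) for n in nics)

def on_event(nic, event, change_in_place=True):
    """Retry only on the triggering event, and only while the change stands."""
    if event == "first_contact":
        nic.contacted_domain = True
    if change_in_place and RETRY_TRIGGER.get(nic.status) == event:
        attempt(nic)
    return nic.status

def needs_retry(nics):
    """Names of NICs counted as Failed, Skipped or Timed Out."""
    return sorted(n.name for n in nics if n.status in RETRY_TRIGGER)

if __name__ == "__main__":
    fleet = [Nic("nic-a"), Nic("nic-b", acked=False),          # constructed sample
             Nic("nic-c", contacted_domain=False), Nic("nic-d", prep_error=True)]
    print(dict(distribute(fleet)), needs_retry(fleet))
```
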