Policy hierarchies

The policy structure is a hierarchy based on templates: each policy (or template) is built on a template above it and inherits that template's rules.

The structure allows you to:

  • Reuse rules without duplicating them.
  • Give different administrators editing rights to different parts of a single policy, and enforce those rights.
  • Reduce the resource consumption of the engines.
  • Make policies easier to read.

The template and policy hierarchy is flattened when the policy is transferred to the engines: the engines see the same rule list regardless of how it is organized on the Management Server, as long as the rules end up in the same order. You can also create sections of conditional IPv4 Access rules that you insert into other policy elements. The engine skips the processing of such a conditional block altogether when the block's common matching criteria are not found in the packet being examined.
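The following is an added illustration of the two ideas in the paragraph above, flattening and conditional blocks; it is not SMC code and does not reproduce the product's data model or rule matching. Everything in it is a constructed assumption: the Rule, InsertPoint and Policy classes, the sample networks, and the simplification that a conditional block is a "jump" rule whose own criteria decide whether the block is examined at all, with processing continuing after the jump rule when nothing inside the block matches.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    src: str                              # source network, CIDR notation
    dst: str                              # destination network, CIDR notation
    dport: Optional[int]                  # destination port; None means any port
    action: str                           # "allow", "discard" or "jump"
    subpolicy: Optional["Policy"] = None  # conditional block entered by a "jump" rule

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))


class InsertPoint:
    """Marks where the rules of a policy built on this template are placed."""


@dataclass
class Policy:
    name: str
    items: list                          # Rules and at most one InsertPoint, in order
    parent: Optional["Policy"] = None    # the template this policy is built on


def flatten(policy: Policy) -> list:
    """Resolve the template chain into the single ordered rule list an engine would see."""
    chain = []
    p = policy
    while p is not None:                 # walk up to the root template
        chain.append(p)
        p = p.parent
    chain.reverse()
    rules = list(chain[0].items)
    for child in chain[1:]:              # splice each level into its parent's insert point
        slots = [i for i, it in enumerate(rules) if isinstance(it, InsertPoint)]
        if not slots:
            raise ValueError(f"{child.name}: parent template has no insert point")
        rules[slots[0]:slots[0] + 1] = child.items
    return [r for r in rules if isinstance(r, Rule)]   # an unused insert point vanishes


def evaluate(rules: list, pkt: dict):
    """First-match evaluation; returns (action or None, number of rules examined)."""
    examined = 0
    for rule in rules:
        examined += 1
        if not rule.matches(pkt):
            continue
        if rule.action == "jump":
            # The block is entered only when the jump rule's common criteria match;
            # if nothing inside matches, processing continues after the jump rule.
            inner, n = evaluate(flatten(rule.subpolicy), pkt)
            examined += n
            if inner is not None:
                return inner, examined
            continue
        return rule.action, examined
    return None, examined


def build_example() -> list:
    """Constructed sample hierarchy: a template, a policy built on it, one sub-policy."""
    template = Policy("Firewall Template", [
        Rule("allow-mgmt", "10.0.0.0/24", "10.0.1.0/24", None, "allow"),
        InsertPoint(),
        Rule("default-discard", "0.0.0.0/0", "0.0.0.0/0", None, "discard"),
    ])
    dmz_web = Policy("DMZ Web Sub-Policy", [
        Rule("dmz-http", "0.0.0.0/0", "192.168.10.0/24", 80, "allow"),
        Rule("dmz-https", "0.0.0.0/0", "192.168.10.0/24", 443, "allow"),
    ])
    policy = Policy("HQ Firewall Policy", [
        Rule("to-dmz", "0.0.0.0/0", "192.168.10.0/24", None, "jump", dmz_web),
        Rule("lan-dns", "10.0.2.0/24", "10.0.3.53/32", 53, "allow"),
        InsertPoint(),                   # left for a policy built on this one
    ], parent=template)
    return flatten(policy)


if __name__ == "__main__":
    rules = build_example()
    print([r.name for r in rules])
    for pkt in ({"src": "203.0.113.5", "dst": "192.168.10.8", "dport": 443},
                {"src": "10.0.2.7", "dst": "10.0.3.53", "dport": 53}):
        print(pkt, evaluate(rules, pkt))
```

The flattened list keeps the template's rules above and below the policy's own rules, which is why the order on the Management Server is all that matters to the engine. The examined-rule count shows the resource effect of a conditional block: a DNS packet that does not match the jump rule's destination criteria never touches the DMZ rules, while a packet to the DMZ that matches nothing inside the block falls through to the rules after the jump.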

If your environment is simple and you do not need the benefits outlined here, you can create a simple policy hierarchy. You can, for example, start with one Firewall Policy built on the provided Firewall Template. The same Firewall Policy can be used on more than one engine. Likewise, you can use the same IPS Policy on any number of IPS engines and Virtual IPS engines, and the same Layer 2 Firewall Policy on any number of Layer 2 Firewalls and Virtual Layer 2 Firewalls.