Install policies

After creating or editing a policy, you must install or refresh the policy on the engine.

Policy installation transfers any new engine configuration information in addition to the policy. Whenever you update the engine’s configuration, you must reload the policy on the engine so that the changes take effect. These changes include, for example, changes in the routing configuration, the VPN configuration, and the properties of the NGFW Engine element itself. You must reload the policy even if the changes are not directly related to the rules in the policy.

Note: When you install a changed or a new Firewall Policy, any existing connections that are not allowed by the new Firewall Policy are dropped. The existing connections allowed by the new Firewall Policy continue uninterrupted. These connections include related connections and authenticated connections on the engines.

If the policy installation fails, the system automatically rolls back to the previously installed configuration. By default, a rollback also occurs if the system detects that the new policy or related configuration (such as routing configuration) does not allow the Management Server to connect to the engines. This safety feature prevents you from inadvertently installing a configuration that would cause the critical management connections to fail.

You can only install Policy elements. Template Policy and Sub-Policy rules are installed as part of the main Policy. A Policy Snapshot is automatically created each time you install or refresh a policy. You can install a policy through the Policy element or through the engine element. The following procedure explains the first method.

Note: You cannot install Layer 2 Interface Policies on engines. Instead, you select the Layer 2 Interface Policy for the NGFW Engine in the Engine Editor.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Expand the Policies branch, then select the policy type.
  3. Right-click the policy you want to install, then select Install Policy.
  4. Select the engines on which you want to install the same policy, then click Add.
    You can install the same policy on several engines at the same time. The SMC tracks the policies installed on engines and automatically selects the Target when possible.
  5. (Optional) Leave Keep Previous Configuration Definitions selected to allow established connections to continue using existing configurations (such as NAT rules) until they finish.
    • If the previous configurations are erased, connections that use them are dropped.
    • All previously established connections that the newly installed policy does not allow are always dropped regardless of this setting.
  6. (Optional) Leave Validate Policy before Upload selected to validate the rules in the policy.
    See
    Note: You cannot validate the policy if you are installing the policy on several engines.
  7. Click OK.
  8. If validation issues are found, read the Issues tab in the Info pane and take one of the following actions:
    • Double-click an issue to view the corresponding configuration.
    • Click Continue.
  9. Check the progress of the installation and make sure that it is successful.
    With multiple engines, the progress is indicated through colored icons on the left (click the icon to view the details):
    • Yellow: Ongoing installation
    • Blue: Waiting for the installations on other components to finish
    • Red: Failure
    • Green: Success