Configuration Changes that Require Deployment

The system marks out-of-date policies with red status text that indicates how many of its targeted devices need a policy update. To clear this status, you must re-deploy the policy to the devices.

Deployment Required

Configuration changes that require a deployment include:

• Modifying an access control policy: any changes to access control rules, the default action, policy targets, Security Intelligence filtering, advanced options including preprocessing, and so on.

• Modifying any of the policies that the access control policy invokes: the SSL policy, network analysis policies, intrusion policies, file policies, identity policies, or DNS policies.

• Changing any reusable object or configuration used in an access control policy or policies it invokes:

  • network, port, VLAN tag, URL, and geolocation objects

  • Security Intelligence lists and feeds

  • application filters or detectors

  • intrusion policy variable sets

  • file lists

  • decryption-related objects and security zones

• Updating the system software, intrusion rules, or the vulnerability database (VDB).

Keep in mind that you can change some of these configurations from multiple places in the web interface. For example, you can modify security zones using the object manager (Objects > Object Management), but modifying an interface type in a device’s configuration (Devices > Device Management) can also change a zone and require a deployment.

Deployment Not Required

Note that the following updates do not require a deployment:

• automatic updates to Security Intelligence feeds and additions to the Security Intelligence global Block or Do Not Block list using the context menu

• automatic updates to URL filtering data

• scheduled geolocation database (GeoDB) updates