Selective Policy Deployment

Caution

Do NOT push management center deployments over a VPN tunnel that terminates directly on the threat defense. Pushing a deployment can deactivate the tunnel and disconnect the management center from the threat defense.

Recovering the device from this situation can be very disruptive and may require executing the disaster recovery procedure. This procedure resets the threat defense configuration to factory defaults by changing the manager from the management center to local and configuring the device from the beginning. For more information, see Deploying the Management Center Policy Configuration over VPN Tunnel.

The management center allows you to select a specific policy within the list of all the changes on the device that are due for deployment and deploy only the selected policy. Selective deployment is available only for the following policies:

  • Access control policies

  • Intrusion policies

  • Malware and file policies

  • DNS policies

  • Identity policies

  • SSL policies

  • QoS policies

  • Prefilter policies

  • Network discovery

  • NAT policies

  • Routing policies

  • VPN policies

On the deployment page, after you click Expand Arrow (expand arrow icon) to view device-specific configuration changes, the Policy selection icon (policy selection icon) is visible. The policy selection icon allows you to select individual policies or configurations to deploy while holding back the remaining listed changes. This option is available only for threat defenses and not for sensors. You can also use this option to view the interdependent changes for a certain policy or configuration. The management center dynamically detects dependencies between policies (for example, between an access control policy and an intrusion policy), and between shared objects and the policies that use them. Interdependent changes are indicated using color-coded tags that identify a set of interdependent deployment changes. When one of the changes in a set is selected, the interdependent changes are automatically selected.

Note
  • When the changes in shared objects are deployed, the impacted policies should also be deployed along with them. When you select a shared object during deployment, the impacted policies are automatically selected.

  • Selective deployment is not supported for scheduled deployments and deployments using REST APIs. You can only opt for complete deployment of all the changes in these cases.

  • The pre-deployment checks for warnings and errors are performed not only on the selected policies, but on all the policies that are out-of-date. Therefore, the warnings or errors list shows the deselected policies as well.

  • Similarly, the Inspect Interruption column indication on the Deployment page considers all out-of-date policies and not just the selected policies. For information on the Inspect Interruption column, see Restart Warnings for the Threat Defense Devices.

There are certain limitations to selectively deploying policies. Use the table below to understand when selective policy deployment can be used.

Limitations for Selective Deployment

Each entry below gives the deployment type, its description, and the scenarios in which it applies.

Full deployment

Full deployment is necessary for specific deploy scenarios, and the management center does not support selective deployment in such scenarios. If you encounter an error in such scenarios, you may choose to proceed by selecting all the changes for deployment on the device.

Scenarios wherein a full deployment is required are:

  • The first deployment after you have upgraded the threat defense or management center.

  • The first deployment after you have restored the threat defense.

  • The first deployment after modifications in the threat defense interface settings.

  • The first deployment after modifications in the virtual router settings.

  • When the threat defense device is moved to a new domain (global to sub-domain or sub-domain to global).

Associated policy deployment

The management center identifies policies that are interlinked. When one of the interlinked policies is selected, the remaining interlinked policies are automatically selected.

Scenarios wherein an associated policy is automatically selected:

  • When a new object is associated with an existing policy.

  • When an existing policy's object is modified.

Scenarios wherein multiple policies are automatically selected:

  • When a new object is associated with an existing policy, and the same object is already associated with other policies, all the associated policies are automatically selected.

  • When a shared object is modified, all the associated policies are automatically selected.

Interdependent policy changes (shown using color-coded tags)

The management center dynamically detects dependencies between policies, and between shared objects and the policies that use them. The interdependency of the objects or policies is shown using color-coded tags.

Scenarios wherein color-coded interdependent policies or objects are automatically selected:

  • When all the out-of-date policies have interdependent changes.

    For example, suppose an access control policy, an intrusion policy, and a NAT policy are out-of-date. Because the access control policy and the NAT policy share an object, all policies are selected together for deployment.

  • When all out-of-date policies share an object, and the object is modified.

Access Policy Group specifications

Access Policy Group policies are listed together in the preview window under Access Policy Group when you click Show or Hide Policy (Show or Hide Policy icon).

The scenarios and the expected behavior for Access Policy Group policies are:

  • If the access control policy is out-of-date, all other out-of-date policies under this group, except file policy and intrusion policy, are selected when the access control policy is selected for deployment.

    However, if the access control policy is out-of-date, intrusion and file policies can be individually selected or deselected irrespective of whether the access control policy is selected, unless there are dependent changes. For example, if a new intrusion policy is assigned to an access control rule, that is a dependent change, and both the access control policy and the intrusion policy are automatically selected when either of them is selected.

  • If no access control policy is out-of-date, other out-of-date policies in this group can be selected and deployed individually.
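The selection rules in this table (shared-object dependencies, direct dependent changes, and the Access Policy Group rule), modelled as a small added Python example. This is not the management center's own code; all policy and object names are constructed for illustration.

```python
from collections import deque

# Constructed sample of out-of-date items pending on one threat defense:
# each policy maps to the shared objects it references.
OUT_OF_DATE_POLICIES = {
    "acp-branch": {"net-grp-dmz", "port-grp-web"},
    "intrusion-balanced": set(),
    "file-malware": set(),
    "nat-branch": {"net-grp-dmz"},
    "ssl-decrypt": set(),
    "identity-branch": set(),
}
MODIFIED_OBJECTS = {"net-grp-dmz"}      # shared objects edited since the last deploy
ACCESS_CONTROL_POLICIES = {"acp-branch"}
ACCESS_POLICY_GROUP = {"acp-branch", "intrusion-balanced", "file-malware",
                       "ssl-decrypt", "identity-branch"}
# Intrusion and file policies stay individually selectable unless a dependent change links them.
INDIVIDUALLY_SELECTABLE = {"intrusion-balanced", "file-malware"}


def policies_using(obj):
    """Out-of-date policies that reference a shared object."""
    return {p for p, objs in OUT_OF_DATE_POLICIES.items() if obj in objs}


def auto_select(selection, dependent_pairs=frozenset()):
    """Expand a user's selection to the set the rules above would select.

    dependent_pairs: (policy_a, policy_b) pairs with a direct dependent change,
    e.g. a new intrusion policy assigned to an access control rule.
    """
    selected, queue = set(), deque(selection)
    while queue:
        item = queue.popleft()
        if item in selected:
            continue
        selected.add(item)
        if item in MODIFIED_OBJECTS:
            # A selected shared object pulls in every impacted policy.
            queue.extend(policies_using(item))
        elif item in OUT_OF_DATE_POLICIES:
            # A policy whose referenced object was modified pulls in that object.
            queue.extend(OUT_OF_DATE_POLICIES[item] & MODIFIED_OBJECTS)
            # Policies with a direct dependent change pull in each other.
            queue.extend(b if item == a else a for a, b in dependent_pairs if item in (a, b))
            # Access Policy Group rule: a selected access control policy pulls in the
            # other out-of-date group policies except intrusion and file policies.
            if item in ACCESS_CONTROL_POLICIES:
                queue.extend((ACCESS_POLICY_GROUP & set(OUT_OF_DATE_POLICIES))
                             - INDIVIDUALLY_SELECTABLE)
    return selected
```

Selecting only the NAT policy pulls in the modified shared object and, through it, the access control policy and the rest of its group, while the intrusion and file policies stay unselected.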