Selective Policy Deployment

The management center allows you to select a specific policy within the list of all the changes on the device that are due for deployment and deploy only the selected policy. Selective deployment is available only for the following policies:

  • Access control policies

  • Intrusion policies

  • Malware and file policies

  • DNS policies

  • Identity policies

  • SSL policies

  • QoS policies

  • Prefilter policies

  • Network discovery

  • NAT policies

  • Routing policies

  • VPN policies

There are certain limitations to selectively deploying policies. Follow the contents in the table below to understand when selective policy deployment can be used.

Limitations for Selective Deployment

Type

Description

Scenarios

Full deployment

Full deployment is necessary for specific deploy scenarios, and the management center does not support selective deployment in such scenarios. If you encounter an error in such scenarios, you may choose to proceed by selecting all the changes for deployment on the device.

Scenarios wherein a full deployment is required are:

  • The first deployment after you have upgraded the threat defense or the management center.

  • The first deployment after you have restored the threat defense.

  • The first deployment after modifications in the threat defense interface settings.

  • The first deployment after modifications in the virtual router settings.

  • When the threat defense device is moved to a new domain (global to sub-domain or sub-domain to global).

Associated policy deployment

The management center identifies interdependent policies which are interlinked. When one of the interlinked policies is selected, the remaining interlinked policies are automatically selected.

Scenarios wherein an associated policy is automatically selected:

  • When a new object is associated with an existing policy.

  • When an existing policy's object is modified.

Scenarios wherein multiple policies are automatically selected:

  • When a new object is associated with an existing policy, and the same object is already associated with other policies, all the associated policies are automatically selected.

  • When a shared object is modified, all the associated policies are automatically selected.

Interdependent policy changes (shown using color-coded tags)

The management center dynamically detects dependencies in-between policies, and between the shared objects and the policies. The interdependency of the objects or policies is shown using color-coded tags.

Scenarios wherein color-coded interdependent policies or objects are automatically selected:

  • When all the out-of-date policies have interdependent changes.

    For example, when an access control policy, an intrusion policy, and a NAT policy are out-of-date. Since access control policy and NAT policy share an object, all policies are selected together for deployment.

  • When all out-of-date policies share an object, and the object is modified.

Access Policy Group specifications

Access Policy Group policies are listed together in the preview window under Access Policy Group when you click View (View button).

The scenarios and the expected behavior for Access Policy Group policies are:

  • If the access control policy is out-of-date, all other out-of-date policies under this group, except file policy and intrusion policy, are selected when the access control policy is selected for deployment.

    However, if the access control policy is out-of-date, intrusion and file policies can be individually selected or deselected irrespective of whether the access control policy is selected or not, unless there are any dependent changes. For example, if a new intrusion policy is assigned to an access control rule, it indicates that there are dependent changes, then both the access control policy and the intrusion policy will be automatically selected when either of them is selected.

  • If no access control policy is out-of-date, other out-of-date policies in this group can be selected and deployed individually.