You should understand the following basic concepts to effectively use the application and configure your device. Some of these concepts apply to Multiple Device mode only.
- Rule-Based Policies versus Configuration Settings
There is a fundamental difference between rule-based policies, such as access policies, and configuration settings, such as authentication settings.
Rule-based policies are an ordered list of policies. A policy is a single rule that defines some aspect of your firewall security policy, for example, deny access to gambling web sites, or require users to authenticate. Incoming traffic is compared against each rule, starting from the top, until a match is found. When a rule matches, the actions defined in that rule are applied to the traffic and no later rules are evaluated. Examples include access, identity, and decryption policies.
Configuration settings are simple. You either configure an option or not, and your settings apply to the device as a whole, or to all traffic as a whole. Examples include authentication settings and decryption settings.
- Policy Sets
Rule-based policies are composed of policy sets. A policy set is a named container within which you organize the individual policies or rules. The order of the policies in a policy set matters. In Multiple Device mode, you can share a policy set among devices.
- Policy object
A definition of some characteristic that you can use in a policy. For example, you use a URL object to define the URL category to which you want to control access in an access policy. Because policy objects are separate entities, you can reuse them in multiple policies. In Multiple Device mode, an object is configured on a device only if a policy configured on that device uses the object.
- Shared versus Local Policies or Settings
In Single Device mode, all policies and settings are local, that is, they apply to the device you are configuring only.
In Multiple Device mode, you have the option to share a policy or setting among devices. In this case, you can consider “policy” to generically apply to any shareable policy or configuration setting.
When you share a policy, each device to which the policy is assigned gets the same settings. For rule-based policies, you share policy sets, so that each device might use shared policies yet include a different collection of policy sets. For configuration settings, you share the entire page of settings.
You cannot share all types of policy. Some settings are global and apply to all devices. Other settings are always local to a single device. For devices configured as high availability pairs, you share policies based on the pair’s logical name, so that each member device gets the same configuration.
- Shared versus Universal Policy Sets
There are two types of shared policy set: shared among specific devices and universal.
Policy sets shared among specific devices are applied to those devices only. Any devices you add to the inventory are not affected.
Universal policy sets are applied to every device (of the correct device type), even devices that you add to the inventory in the future. Thus, you can define a set of policies that should always be enforced (for example, you could always block finger traffic).
Universal policy sets apply to access policies only, and there are two pre-defined ones:
  - Universal Top—These policies are always at the top of the ordered list of access policies. Traffic is always compared to the matching rules for these policies before any other shared or local policies.
  - Universal Bottom—These policies are always at the bottom of the list. Traffic is not compared to these rules until all other access policies have been evaluated. This would be where you place a Deny All policy to cover any remaining traffic that is not explicitly allowed, for example.
Whenever you edit policies in a Universal policy set, you are editing them for all devices, whether you do it while configuring a specific device in Device view, or you do it in Repository view.
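The following is an added example, not code from the original documentation or the product, that models how a device's ordered access-policy list is assembled from Universal Top, shared, local and Universal Bottom policy sets and then evaluated first-match (the behaviour described under Rule-Based Policies and Shared versus Universal Policy Sets). The class and function names, the device names and the rules are constructed for illustration; the documentation does not fix the relative order of shared and local sets, so shared-before-local is an assumption here.

```python
# Added example: first-match evaluation over ordered policy sets (constructed data).
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    protocols: frozenset = frozenset()    # empty = any protocol
    categories: frozenset = frozenset()   # empty = any URL category

    def matches(self, traffic):
        return ((not self.protocols or traffic["protocol"] in self.protocols)
                and (not self.categories or traffic["category"] in self.categories))


@dataclass(frozen=True)
class PolicySet:
    name: str
    rules: tuple


# Reusable policy objects (constructed sample values), usable by several rules.
GAMBLING = frozenset({"gambling"})
WEB = frozenset({"http", "https"})

# Constructed repository: the two pre-defined universal sets plus assignments.
UNIVERSAL_TOP = PolicySet("Universal Top", (Rule("block-finger", "deny", frozenset({"finger"})),))
UNIVERSAL_BOTTOM = PolicySet("Universal Bottom", (Rule("deny-all", "deny"),))
SHARED = {"branch-web": PolicySet("branch-web", (Rule("no-gambling", "deny", WEB, GAMBLING),))}
SHARED_ASSIGNMENTS = {"fw-branch1": ["branch-web"]}   # device -> shared set names
LOCAL = {"fw-branch1": [PolicySet("local", (Rule("allow-web", "allow", WEB),))]}


def effective_rules(device):
    """Ordered rule list for one device: Universal Top, shared, local, Universal Bottom.
    A device with no shared or local sets (e.g. one added later) still gets both universal sets."""
    sets = [UNIVERSAL_TOP]
    sets += [SHARED[n] for n in SHARED_ASSIGNMENTS.get(device, [])]   # assumed: shared before local
    sets += LOCAL.get(device, [])
    sets.append(UNIVERSAL_BOTTOM)
    return [r for ps in sets for r in ps.rules]


def evaluate(device, traffic):
    """Compare traffic against each rule from the top; the first match decides."""
    for rule in effective_rules(device):
        if rule.matches(traffic):
            return rule.action, rule.name
    return "deny", "no-rule"   # only reachable if Universal Bottom lacks a Deny All rule
```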