CPUG

The Check Point User Group

#1 Brentd, 2007-04-22
Policy revision question

Hi

I have two questions;

Q.
How do I know what version of the policy revision I have now loaded in the Smart Center?

Q.
How do I know what revision was last pushed to the gateway?

Thanks
(It would be great if this info could be shown in the GUI)
Brent

#2 melipla, 2007-04-24
Re: Policy revision question

Quote:
Originally Posted by Brentd
How do I know what version of the policy revision I have now loaded in the Smart Center?

There is "Current" and "Previous" [which are numbered]. When you start up the Smart Center, you're looking at the current policy revision.

Quote:
Originally Posted by Brentd
How do I know what revision was last pushed to the gateway?
(It would be great if this info could be shown in the GUI)

SmartView Monitor will show you when the last push date+time was. This will most likely coincide with a policy revision creation time. The only catch is if someone were to load up a previous policy and restore that version... I'm not exactly sure what would happen in that instance--they will be prompted to back up the current revision and prompted to create a new revision when they push said policy; if they don't create those revisions then you'd have a time mismatch between what the firewall reports and the revision history. There are logs in SmartView Tracker when a policy is pushed & hopefully when it's reverted, see the "Control" messages.

HTH

#3 Brentd, 2007-04-24
Re: Policy revision question

Hi

I do not know whether you understood my question, maybe I explained it badly.

Take 2:

Let's say you have a policy that you have made 10 revisions of, then for some reason you have had to restore from an earlier one. You then install that policy to the GW, if then you were to restore an earlier one from the revision DB. This now means that your GW has one revision on it and the SmartCenter has another.

Now I ask the question again, how do I find what revision is on the GW and which I have in the SC... I believe there is a way of doing this (especially the one on the GW, more so than the SC)

Thanks!
Brent

#4 melipla, 2007-04-25
Re: Policy revision question

Quote:
Originally Posted by Brentd
Now I ask the question again, how do I find what revision is on the GW and which I have in the SC... I believe there is a way of doing this (especially the one on the GW, more so than the SC)

Look at the output that SmartView Monitor / cpinfo [for example "/opt/CPshrd-R60/bin/cpstat -f policy fw"] gives you--there's nothing related to revision number. It only knows the date and time the policy was pushed / loaded. Using this information you could infer which revision is installed, for example:

Quote:
Originally Posted by Brentd
Lets say you have a policy that you have made 10 revisions of, then for some reason you have had to restore from an earlier one.

You restore a policy. The policy server is now loaded up on revision 4--there are still 10 revisions in the database. So far so good.

Quote:
Originally Posted by Brentd
You then install that policy to the GW,

You install that policy--since everyone enjoys revision control there's going to be a new revision--now the GW has policy revision 11, with date 4/25/2007 1:47pm.

Quote:
Originally Posted by Brentd
if then you were to restore an earlier one from the revision DB.

You see that revision 4 doesn't have the objects you recently added, so you restore revision 9.

Now the GW is on revision 11 (aka revision 4), SmartDashboard is on revision 9 (aka revision 12 when it's pushed).

Quote:
Originally Posted by Brentd
This now means that your GW has one revision on it the smartcenter has another.

True, however the timestamp on the GW's policy push will match the timestamp for when revision 11 was created. You can still identify which revision the GW is running--which is what you're after.

In this case it's up to YOU to know that you restored a revision that is not loaded on the gateway. If you cannot control which revision is loaded on the dashboard at any given time, then keep track of what revisions you've made and simply restore it when you start up SmartDashboard. You'll most likely lose changes but I'm guessing you've got bigger problems at this point.

If your environment is unstable and your firewall reboots while you have an earlier revision restored (yet not pushed) then you may be in a position where you may not be positive as to which revision is loaded. I think the lesson here would be to not restore a revision unless you intend for it to be pushed immediately, and in this case of a rebooting GW I would push the policy again after reboot just to ensure the proper revision is on the GW.

Last edited by melipla; 2007-04-26 at 12:55.
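
The timestamp matching described in post #4, as an added example that is not part of the original thread: it compares the install time reported by `cpstat -f policy fw` with revision creation times and returns no match when a policy was pushed without a revision being created. The output field label and date layout, the hand-copied revision list, and the function names are assumptions, and both clocks are assumed to be synchronized and in the same time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `cpstat -f policy fw` output. The "Install time"
# label and date layout are assumptions; check them against your version.
SAMPLE_CPSTAT = """\
Product name:     Firewall
Policy name:      Standard
Install time:     Wed Apr 25 13:47:12 2007
Num. connections: 1043
"""

# Constructed revision history (number, creation time), as it could be
# copied by hand from the revision list on the management server.
SAMPLE_REVISIONS = [
    (9, "2007-04-20 09:15:00"),
    (10, "2007-04-23 16:02:00"),
    (11, "2007-04-25 13:47:00"),
]


def gateway_install_time(cpstat_text):
    """Extract the policy install time reported by the gateway."""
    m = re.search(r"^\s*(?:Policy )?install time:\s*(.+?)\s*$",
                  cpstat_text, re.M | re.I)
    if not m:
        raise ValueError("no install time found in cpstat output")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")


def infer_revision(cpstat_text, revisions, tolerance=timedelta(minutes=5)):
    """Return (revision, gap): the revision created closest to the install
    time, or None when no revision is within tolerance, which means a
    policy was pushed without a matching revision being created."""
    installed = gateway_install_time(cpstat_text)
    parsed = [(n, datetime.strptime(t, "%Y-%m-%d %H:%M:%S"))
              for n, t in revisions]
    if not parsed:
        return None, None
    number, created = min(parsed, key=lambda r: abs(installed - r[1]))
    gap = abs(installed - created)
    return (number if gap <= tolerance else None), gap


if __name__ == "__main__":
    rev, gap = infer_revision(SAMPLE_CPSTAT, SAMPLE_REVISIONS)
    print(f"gateway matches revision {rev} (gap {gap})")
```

A `None` result is the time mismatch mentioned in post #2; the "Control" entries in SmartView Tracker are the place to look for the unrecorded push.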

#5 Brentd, 2007-04-25
Re: Policy revision question

This is great information,

thanks again for your reply, I now understand your initial answer much better!

Brent