Install policies

After creating or editing a policy, you must install or refresh the policy on the engine.

Policy installation transfers any new engine configuration information in addition to the policy. Whenever you update the engine’s configuration, you must reload the policy on the engine so that the changes take effect. These changes include, for example, changes in the routing configuration, the VPN configuration, and the properties of the NGFW Engine element itself. You must reload the policy even if the changes are not directly related to the rules in the policy.

Note: When you install a changed or a new Firewall Policy, any existing connections that are not allowed by the new Firewall Policy are dropped. The existing connections allowed by the new Firewall Policy continue uninterrupted. These connections include related connections and authenticated connections on the engines.

If the policy installation fails, the system automatically rolls back to the previously installed configuration. By default, a rollback also occurs if the system detects that the new policy or related configuration (such as routing configuration) does not allow the Management Server to connect to the engines. This safety feature prevents you from inadvertently installing a configuration that would cause the critical management connections to fail.

You can only install Policy elements. Template Policy and Sub-Policy rules are installed as part of the main Policy. A Policy Snapshot is automatically created each time you install or refresh a policy. You can install a policy through the Policy element or through the engine element. The following procedure explains the first method.

Note: You cannot install Layer 2 Interface Policies on engines. Instead, you select the Layer 2 Interface Policy for the NGFW Engine in the Engine Editor.
