35

3 Managing EFW Devices Using the Policy Servers
This chapter provides detailed information about managing EFW devices using the
Policy Servers. It contains the following topics:
■ “What is a Policy Server?” below
■ “Configuring Policy Servers for Redundancy” on page 36
■ “Organizing Policy Servers and EFW Devices” on page 37
■ “Setting up Device Sets” on page 38
■ “Monitoring EFW Status” on page 40
■ “Maintaining EFW NICs” on page 42
What is a Policy Server?
A Policy Server manages the packet-filtering capability of the EFW devices associated with
that server. It stores rules, distributes them to one or more EFW devices, and maintains
audit information generated by the EFW devices. The rules stored on the Policy Server are
configured using the Management Console. The Management Console can reside either
on the same machine as the Policy Server, or on a different, networked machine. Each
Policy Server may be protected by its own EFW device.
Primary and Backup Policy Servers
Each EFW device must be assigned to a primary Policy Server. The primary Policy Server has
initial responsibility for distributing policy updates to EFW devices. Furthermore, each
embedded firewall caches its primary Policy Server locally and contacts that Policy Server
at EFW device initialization (for example, when the secured computer is booted). The
Policy Server is responsible for providing the EFW device policy at initialization time. Each
embedded firewall also caches its backup Policy Servers for use in case the primary Policy
Server is unreachable. If you have two EFW NICs on the same system, they must have the
same primary and backup Policy Servers. Both NICs respond to the last Policy Server
assignments made to either of the NICs in the Management Console.
If you have defined a Policy Server as a backup for another Policy Server, the system
operates as follows:
■ If you request the distribution of a policy or configuration information to an EFW
device from the Management Console and the primary Policy Server for a device is
not available or cannot reach the device, the backup Policy Server(s) attempt to
perform this distribution. If you have not assigned any backup Policy Servers, you are
informed at the Management Console that the operation was not successful.
■ If an EFW device sends a wake-up to the Policy Server and cannot reach its primary
Policy Server, the device attempts to reach its backup server(s), should any be
assigned. If the backup Policy Servers are unavailable or if no backup Policy Servers
have been specified, the device attempts to reach any available Policy Server in that
EFW domain. If the device is unable to reach a Policy Server, it implements its fallback
mode while periodically retrying its primary server.
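The following is an added model of the two failover orders described above (Management Console distribution and device wake-up), written for this page; it is not 3Com's code, and the server names, domain names and the reachability set are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed model of EFW Policy Server failover as the manual describes it.
# Not 3Com's implementation; server and domain names are placeholders.

FALLBACK = "fallback-mode"   # device applies its fallback policy and retries primary


@dataclass
class EfwDevice:
    primary: str                                   # cached primary Policy Server
    backups: list = field(default_factory=list)    # cached backups, in assigned order
    domain: str = "default"                        # EFW domain the device belongs to


def assign_servers(host_nics, primary, backups):
    """Two EFW NICs on one host share the last assignment made to either NIC."""
    for nic in host_nics:
        nic.primary = primary
        nic.backups = list(backups)


def distribute_policy(device, reachable):
    """Management Console push: primary first, then each backup in order.
    Returns the server that performed the distribution, or None if the
    operation fails (no backups assigned or none reachable)."""
    for server in [device.primary] + device.backups:
        if server in reachable:
            return server
    return None


def wake_up(device, domain_servers, reachable):
    """Device wake-up: primary, then assigned backups, then any reachable
    Policy Server in the same EFW domain, otherwise fallback mode.
    domain_servers maps server name -> EFW domain; reachable is the set of
    servers the device can currently contact."""
    if device.primary in reachable:
        return device.primary
    for backup in device.backups:
        if backup in reachable:
            return backup
    for name, domain in sorted(domain_servers.items()):
        if domain == device.domain and name in reachable:
            return name
    return FALLBACK
```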