Common problem solutions
73

Policy Enforcement                      Suggested Solution
A NIC is not enforcing a policy
■ Check the rules in your policy to make sure that the Test check box is not selected, and that the Enable check box is selected (otherwise, the Action field is ignored and filtering skips to the next rule).
■ The NIC may be in Fallback mode, which you may have assigned as Allow All Traffic. This mode indicates that the secured computer did not reach its Policy Server the last time it was rebooted.
■ If the NIC reaches the Policy Server on its next heartbeat, it automatically obtains and begins enforcing its policy.
■ If you want policy enforcement to begin immediately, click the Status button on the NIC window and then click the Distribute Policy button. The NIC should immediately begin enforcing its policy. If this action is unsuccessful, verify the communication between the NIC and the Policy Server (see “Policy Server-to-NIC Communication Check” on page 76).
Unexpected results from policy enforcement
■ If the wrong traffic appears to be blocked or allowed, policies may have been created using IP addresses that have since been changed. If so, policies must be updated. Host names used in the policy may have been mapped to different IP addresses since the policy was last distributed to this device. For an immediate solution, click Save for this policy (the host names will resolve and the policy is redistributed to all affected devices). To avoid this problem, systems that you reference in EFW policies should have static IP addresses, whether you refer to them by host name or IP address.
■ NICs on a multi-NIC machine might appear NOT to be enforcing the expected policy due to routing issues. Make sure that the traffic against which you expect a policy to be enforced is being routed through the card that is enforcing this policy.
■ If the secured computer is not booting up and allowing normal login (that is, if it appears to hang), you may have an overly restrictive policy. The Windows 2000 Standard rule set and the Windows NT 4.0 Standard rule set delivered with the EFW system describe all of the traffic that needs to be allowed by your policy for the system to boot up normally in a networked setting.
NOTE: This situation does not imply that you need to add the Windows 2000 Standard or Windows NT 4.0 rule set to every policy. Rather, it simply implies that your policies cannot disallow traffic that is allowed by this rule set.
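As an added illustration (not code from the 3Com manual or the EFW product), a small Python model of two conditions described in this table: a rule the NIC skips because its Test check box is selected or its Enable check box is cleared, and a rule whose host name now resolves to a different address than the one embedded when the policy was last distributed. The rule fields, the sample policy and the resolver snapshot are constructed assumptions.

```python
# Added example, not from the 3Com manual. Rule fields, the sample policy and
# the "DNS snapshot" standing in for a real resolver are constructed assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str            # "allow" or "block"
    host: str              # host name or IP literal the rule was written against
    distributed_ip: str    # address the host resolved to when the policy was last saved/distributed
    enabled: bool = True   # Enable check box
    test: bool = False     # Test check box

def skipped_rules(rules: List[Rule]) -> List[str]:
    """Rules the NIC will not enforce: Test selected, or Enable cleared.
    Either way the Action field is ignored and filtering moves to the next rule."""
    return [r.name for r in rules if r.test or not r.enabled]

def stale_host_rules(rules: List[Rule], resolve: Callable[[str], Optional[str]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Rules whose host name no longer resolves to the address in the distributed
    policy. These are the rules that need a Save (re-resolve and redistribute)."""
    stale: Dict[str, Tuple[str, Optional[str]]] = {}
    for r in rules:
        if r.host == r.distributed_ip:   # written with an IP literal or "any": nothing to re-resolve
            continue
        current = resolve(r.host)
        if current != r.distributed_ip:
            stale[r.name] = (r.distributed_ip, current)
    return stale

# Constructed sample policy.
SAMPLE_RULES = [
    Rule("allow-dc", "allow", "dc01.example.local", "10.0.0.5"),
    Rule("block-lab", "block", "lab-box.example.local", "10.0.3.40"),
    Rule("allow-backup", "allow", "10.0.0.9", "10.0.0.9"),
    Rule("allow-print", "allow", "printsrv.example.local", "10.0.0.20", enabled=False),
    Rule("block-p2p", "block", "any", "any", test=True),
]
# Constructed snapshot of what the host names resolve to today.
CURRENT_DNS = {
    "dc01.example.local": "10.0.0.5",       # unchanged
    "lab-box.example.local": "10.0.3.41",   # address changed: rule now targets the wrong host
    "printsrv.example.local": "10.0.0.20",
}

def report(rules: List[Rule] = SAMPLE_RULES, dns: Dict[str, str] = CURRENT_DNS) -> dict:
    return {"skipped": skipped_rules(rules), "stale": stale_host_rules(rules, dns.get)}

if __name__ == "__main__":
    print(report())
```

A host name missing from the snapshot resolves to None and is also reported as stale, which is the case worth catching before a policy quietly stops matching anything.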