8 Replies Latest reply on Feb 9, 2012 10:15 AM by eelsasser

    central policy



      I am building a Webgateway appliance i want to use ONLY for building policy rules and use this gateway to synchronise policy to other members my cluster members in other regions so any policy change i only want it done on this webgateway and schedule a policy push once a day to all other clsuter members.


      Can it be done? Is there a Mcafee Document Guide that explains how to get it done?


      Thanks in  advance

        • 1. Re: central policy

          Hi Franco,


          You can add this appliance into your Central Management Cluster just like all other cluster members. It is not possibly to schedule a policy push - when in Central Management the policy will be synced immediately and automatically as soon as you click Save Changes.

          If you want to be sure that it is only used for GUI access / policy changes and prevent it from being used a proxy, simply remove the proxy listener port under Configuration > Proxies (short of placing it behind a firewall).




          • 2. Re: central policy


            so on the webgateways  under central management, i need to add the new policy webgateway appliances i will use to synchronize to other appliances? any other config needed?


            Message was edited by: franco.isaac on 2/8/12 4:45:11 PM CST
            • 3. Re: central policy

              Hi Franco,


              You can add it to the cluster by going to Configuration > Add (button in the upper left corner under the appliance tab). Under Configuration > Central Management Configuration,  you'll need make sure that you have its local ip defined at the top and configure the network groups you want it to be a part of.




              • 4. Re: central policy

                i dont want it to be part of any clsuter, i only want to use it to config policy and push to other webgateways in other regions

                • 5. Re: central policy

                  Hi Franco,


                  In order to share policy information, the Web Gateways must be in a Central Management "cluster", as there is no other way for them to share policy information. Perhaps you are thinking of a different type of "cluster"? Don't think of it as any type of network/traffic cluster, it is only for policy sync purposes. The only way to sync the policy without creating a CM "cluster" would be to manually take a backup and then restore it on each of the other Web Gateways, which is a less than ideal scenario.




                  • 6. Re: central policy

                    You can schedule your master policy appliance to back itself up and deposit the .backup file into the same local directory used for the File Server function on port 4713 (or 4714). (I'm away from a machine, so i don't remember the path.)


                    Then on one of the machines in the production cluster, have it schedule a download job from the policy machine (https://policyserverip:4714/files/currentpolicy.backup), immediately followed by a restore job.


                    You could also manually backup the policy appliance's configuration and just deposit the .backup file on any other web server in the network and use that URL do download from.


                    You should only have one machine in the production cluster download and restore the policy. Once this happens, the central management naturally replicates it throughout the rest of the machines.

                    • 7. Re: central policy

                      Thank you both for taking time to assit.


                      eelsasser, yes that what's i  had in mind to schedule a cron job to pull the policy from the polcy machine and restore it on one of the cluster memeber so the cluster should now push that policy to the rest of the members in the clsuter.

                      is there a script you have i could look at to do it?

                      • 8. Re: central policy

                        Central Management has a Scheduled Job feature . On the Policy Appliance, you would backup the configuration with a job.




                        Then on one of the Production appliances in the cluster, schedule a download job, immediately followed by a restore job: