
Deploying a Policy

4. The ACE Web Application Firewall Manager transmits the policy to the ACE Web Application Firewall.

5. The ACE Web Application Firewall accepts the policy, stops services briefly, re-configures them to enforce the new policy, and restarts the services.

As a final step in verifying a deployment, we recommend that you check the status of the I/O processes on the System Management page. Problems in the policy can prevent the http-server or reactor processes from restarting. You can confirm that all processes are running by checking the I/O Processes table in the Firewall Status settings.

After completing the steps successfully, the ACE Web Application Firewall enforces the new policy.

Who Can Deploy Policies

In order to deploy a policy (or to approve one for deployment, if approval-based deployment is enabled) a user must have adequate permissions. Specifically, the user must:

Be an Administrator or Privileged user with the Operations role.

Have access to the Shared subpolicy and the subpolicy to deploy.

Additionally, if approval-based deployment is enabled, the policy or subpolicy itself must be approved for deployment. An Administrator user can always deploy and approve policies. Operations role users may deploy policies if they have access to the subpolicy involved in the deployment as well as the Shared subpolicy. “Any subpolicy” access is required to approve a policy for deployment.

With approval-based deployment, users who do not have access to Shared instead request approval for policy changes from the administrator, who performs the actual deployment.
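The rules in this section can be read as a single access decision. The following is an added example, not code from the product or its documentation: it models the stated rules in Python, and the class, function and subpolicy names (such as "Payments") are hypothetical. It assumes that "Any subpolicy" access also covers Shared.

```python
from dataclasses import dataclass

SHARED = "Shared"
ANY = "Any subpolicy"  # access level named in this section

@dataclass(frozen=True)
class User:
    user_type: str                    # "Administrator", "Privileged", or other
    roles: frozenset = frozenset()
    access: frozenset = frozenset()   # subpolicy names, or ANY

    def has_access(self, subpolicy):
        # Assumption: "Any subpolicy" access also covers Shared.
        return ANY in self.access or subpolicy in self.access

def is_operations(user):
    return user.user_type == "Privileged" and "Operations" in user.roles

def can_approve(user):
    """Approving needs Administrator, or Operations with 'Any subpolicy' access."""
    if user.user_type == "Administrator":
        return True
    return is_operations(user) and ANY in user.access

def can_deploy(user, subpolicy, approval_based=False, approved=False):
    """Return (allowed, reason) for deploying the given subpolicy."""
    if user.user_type == "Administrator":
        return True, "Administrator can always deploy"
    if not is_operations(user):
        return False, "requires Administrator or Privileged user with Operations role"
    # Both Shared and the subpolicy being deployed must be accessible.
    missing = [s for s in dict.fromkeys((SHARED, subpolicy)) if not user.has_access(s)]
    if missing:
        return False, "no access to: " + ", ".join(missing)
    if approval_based and not approved:
        return False, "policy not yet approved for deployment"
    return True, "Operations user with access to Shared and " + subpolicy

# Constructed sample users (not taken from any real configuration).
admin = User("Administrator")
ops = User("Privileged", frozenset({"Operations"}), frozenset({SHARED, "Payments"}))
ops_no_shared = User("Privileged", frozenset({"Operations"}), frozenset({"Payments"}))
ops_any = User("Privileged", frozenset({"Operations"}), frozenset({ANY}))

if __name__ == "__main__":
    for label, u in [("admin", admin), ("ops", ops), ("ops_no_shared", ops_no_shared)]:
        print(label, can_deploy(u, "Payments", approval_based=True, approved=False))
```

The `ops_no_shared` case is the one the last paragraph describes: with approval-based deployment, that user must ask the administrator to deploy.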

Deploying a Policy

Deploying a policy makes the changes in the current working policy take effect at the ACE Web Application Firewall. Only Administrator users and Privileged users with the Operations role can deploy policy changes in the web console.

Optionally, Administrator approval-based deployment can be enabled in the web console. When enabled, only certain users can approve or deploy a policy. The procedure for deploying the policy with approval-based deployment enabled is similar to these standard deployment instructions, with a few extra steps. For more information, see Approval-Based Deployment, page 12-97.

When approval-based deployment is not active, deploy a policy as follows:

Step 1 While logged in to the web console as an Administrator user or as a Privileged user with the Operations role, if your policy contains subpolicies, set the active subpolicy to the one from which you want to deploy.

If a policy contains subpolicies, deploying moves only the artifacts in the subpolicy that is active when deployment occurs. To deploy changes from more than one subpolicy, you need to activate each subpolicy and deploy from it, one by one.

Step 2 Click the Deploy Policy button at the top of the page.

If resource-reloading is enabled, the Step 1 of 4: URL Resource Refresh page appears. This page lets you ensure that the policy has the latest versions of any resource files loaded from URL locations, such as certificates. For details, see the “Reloading URL-Based Resources at Deployment” section on page 96.

Chapter 12 Deploying the Policy

If resource-reloading is not enabled, the ACE Web Application Firewall Manager displays the Step 1 of 3: Review Changes page. This page summarizes differences between the current policy and the policy to be deployed. For details, see the “Selectively Rolling Back Policy Changes” section on page 12-96.

Step 3 If the URL Resource Refresh page appears, click the Reload Resources Now button to upload changed URL-based resources.

The ACE Web Application Firewall Manager attempts to retrieve new copies of all URL-based resources that the policy to deploy uses. It then displays the Review Changes page.

Note: Reloading URL-based resources cannot be undone. If you think you may need to revert to a previously saved version of a resource, be sure to save a copy of the current version of the resource before you click the Reload Resources Now button.

Alternatively, click Continue To Next Step to skip reloading resources.

Step 4 Click the Continue to Next Step button to continue the deployment process.

The Step 2 of 3: Basic Policy Review page lists conditions that would prevent successful deployment. Links on the page provide access to affected policy objects so you can make any changes needed to fix the problems.

To discontinue deploying the new policy, click the Exit To Policy Manager button.

Step 5 Review and, if necessary, address any compilation warnings or errors displayed.

The ACE Web Application Firewall Manager performs extensive compile-time policy checking to help ensure the integrity of the deployed policy. As you resolve each potential problem, the ACE Web Application Firewall Manager removes its associated warning from the Basic Policy Review page. To return to the Basic Policy Review page after resolving a problem, use your browser's Back button. Alternatively, click the Deploy button to restart the deployment process.

Step 6 When you have addressed the warnings on the Basic Policy Review page, click the Continue To Next Step button to continue the deployment process.

The Compile and Deploy page appears. A “Please wait” message may appear for several seconds as the policy is compiled. Compilation transforms the policy to the native executable format of the ACE Web Application Firewall. When finished, the page displays information about the compiled policy, including its timestamp and the ID number assigned by the ACE Web Application Firewall Manager.

Step 7 Type a description for this policy version in the Policy Description field.

This description helps to document the policy in the console. It appears in the Description column of the policy history. By default, this is an optional field. However, the administrator of the ACE Web Application Firewall Manager can make descriptions required from the Manager Settings page.

Step 8 Specify the appliances to which you want to transfer the compiled policy by checking the box next to its address or hostname. An out-of-date status for a Firewall indicates that the compiled policy is different from the currently deployed policy.

Note: It's possible to deploy a policy to some but not all of the appliances in a cluster. Do not do this, however, unless you are certain of the reasons for it. This is not a normal deployment strategy for the ACE Web Application Firewall. Under normal circumstances you should deploy the policy either to all or to none of the Firewalls controlled by the ACE Web Application Firewall Manager in a given cluster.
