About Policies
Policies and managed-appliance groupings together facilitate centralized configuration. Before you create policies, you’ll want to arrange managed appliances that share common configuration settings into logical groups. For example, you might create groups based on geography or business function.
The SCC uses a hierarchical group model with the default Global group as the root. All user-defined groups and managed appliances are contained within the Global group. A managed appliance can be a member of only one group.
Policies are sets of common configuration options that can be shared among different appliances independently or through group membership. You can assign a policy to a single SteelHead, or it can represent settings for all of the appliances in your enterprise environment.
The following policy types are available:
• Policy—A configuration you can apply as a common configuration template to multiple appliances.
• Appliances Specific Pages—A configuration you can create on a per-appliance basis: for example, interface IP addresses.
Policies consist of one or more policy pages. Policy pages generally correspond to a feature (or part of a feature) and are organized into categories: networking, optimization, branch services, and so on.
You must enable a policy page to push the settings you configure. You can assign each group of appliances, or a single appliance, any number of policies if there’s no conflicting configuration among those policies.
Configuring policies
Policy settings are under Manage > Services: Policies.
You can create configuration sets for networking, optimization, branch services, system settings, and security.
When you add or edit a policy, you can provide a name, description, and CLI commands. Then, you can specify the sets of configuration options (policy pages) you want to include. You can also specify which individual policy pages, or the policy as a whole, to include in push operations.
To save time, you can copy existing local policies and import policies from managed appliances. If you want to combine separate policies into one, you can merge them.
When you create a policy by importing the configuration of a managed appliance, QoS, path selection, and secure transport configurations aren’t imported. You’ll need to configure these features on the controller. The controller’s global policy contains those features.
Although creating a policy from a running appliance configuration is useful, you can end up with as many policies as there are appliances. Consider a group and policy plan before beginning to import SteelHead configurations into policies.
When you assign a policy to a group of managed appliances, all subgroups inherit that policy. Similarly, specific feature sets in individual policies can be enabled. In that case, they override the values that would otherwise be inherited from a parent group.
You can also assign different policies directly to groups and appliances. For flexibility, the policy you apply can also be configured to inherit or override specific feature-set values from the nearest parent group. For example, in the Policies page:
• A group uses optimization policy accG, whose in-path rules feature set specifies four in-path rules.
• An appliance in that group uses optimization policy accA, whose in-path rules feature set specifies only three rules.
• Unselect the Enable Rule option for in-path rules in the accA policy definition to ensure that the appliance uses the accG in-path rules settings.
A page conflict error message displays when you can’t enable or push a policy page due to a conflict. The error message summarizes which policy pages are in conflict with each other. In addition, it tells you if more than one policy is assigned to an appliance or appliance group. The conflicting pages can’t be pushed to an appliance or an appliance group until the conflict is resolved.
You can use the SCC-managed appliance group hierarchy and policy inheritance to streamline your policy design and configuration push. For example, if you want to apply port labels universally to every SteelHead in the environment, but NTP servers are specific to different locations, you can create two different networking policies. Apply the first policy for the port labels at the Global group level, and apply the second policy for the NTP servers at the data center group level or to the managed appliance.
You can assign policies to appliances and groups under Manage > Topology: Appliances. Policies are optional for groups and appliances.
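The inheritance and conflict rules described above can be modelled in a few lines to audit which policy supplies each page to an appliance before a push. This is an added illustration, not SCC code or a Riverbed API: the class and function names, page keys and sample data are hypothetical, and it assumes a page conflict means that two policies assigned to the same group or appliance both enable the same page.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    pages: dict  # page name -> (enabled, settings); only enabled pages are pushed

@dataclass
class Node:  # a group or a managed appliance; parent is None only for Global
    name: str
    parent: "Node | None" = None
    policies: list = field(default_factory=list)

def page_conflicts(node):
    """Pages enabled by more than one policy assigned directly to this node."""
    owners = {}
    for pol in node.policies:
        for page, (enabled, _) in pol.pages.items():
            if enabled:
                owners.setdefault(page, []).append(pol.name)
    return {page: names for page, names in owners.items() if len(names) > 1}

def effective_pages(node):
    """Return {page: (assigned_at, policy, settings)}; the nearest assignment wins."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    result = {}
    for n in reversed(chain):  # walk Global -> subgroups -> appliance
        clash = page_conflicts(n)
        if clash:
            raise ValueError(f"page conflict at {n.name}: {clash}")
        for pol in n.policies:
            for page, (enabled, settings) in pol.pages.items():
                if enabled:  # a disabled page leaves the inherited value in place
                    result[page] = (n.name, pol.name, settings)
    return result

# Constructed sample data mirroring the accG/accA and port-label/NTP examples.
labels = Policy("net-labels", {"port_labels": (True, ["label-a"])})
ntp = Policy("net-ntp", {"ntp": (True, ["ntp.dc1.example"])})
accG = Policy("accG", {"in_path_rules": (True, ["r1", "r2", "r3", "r4"])})
accA = Policy("accA", {"in_path_rules": (False, ["r1", "r2", "r3"])})

global_grp = Node("Global", policies=[labels])
dc1 = Node("DC1", parent=global_grp, policies=[ntp, accG])
sh01 = Node("sh01", parent=dc1, policies=[accA])
```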
Pushing policies
In the SCC, the push symbol indicates that there have been policy or configuration changes on the controller that haven’t been pushed to managed appliances. The symbol also indicates that the configuration of the managed appliances is different from the current policy configurations on the controller. You can fetch the appliance configuration from the Appliance Utilities tab in the Appliances page, but there’s no automatic comparison of this configuration against the controller’s policy configuration. The symbol doesn’t persist after an SCC reboots.
1. Choose Manage > Topology: Appliances.
2. Select Appliance Operations.
3. Select Push Policies from the drop-down list.
4. Select the appliances or groups or both where the policies are to be pushed.
5. Push the policies.
6. To see the success or failure of the push, choose Manage > Operations: Operations History. Select the date and time to see the push details.
When the push is successful, the Appliances page shows an empty Push Recommended column.
As a best practice, make a copy of the policy before applying major changes to it. If the changes do not work as expected, you can reassign the previous policy to the affected SteelHeads and repush it to roll back the changes. You can delete the previous policy after changes are successfully applied.
The policy push operation from the SCC is atomic; that is, configuration nodes on the SteelHead aren’t left in a partially configured state.