Change to default wipe-out of rules in IC2 management of outbound policies

I like the move to Outbound IC2 policy management.

However it has one killing user interface flaw (IMHO).

Scenario: a reasonably sized organization with quite a few balance and max units. Some are naturally grouped, with similar deployments and similar (or identical) policy rules. Some are stand-alone and singular in their policy architecture.

Objective: Deploy outbound policies for a group of routers (call them G1). Leave the rest untouched.

The seemingly obvious tactic is to (1) turn on the IC2 policy control, (2) tag all the members of G1 with a unique tag (e.g., “G1”), (3) create the policy set for G1, using the “any of the following tags” Device Selection with “G1” being the only tag, (4) hit “save.”

Problem: The policy rules of all the other routers (the ones without the G1 tag) get wiped out, replaced by the factory default set (the persistence policy all by itself).

Request:

(1) Please tell me that I am wrong - this is not how it works (in which case I must have done something incorrectly, and will have to be educated further)

If I am correct, then:
(2) Please change the behavior so that routers not covered by at least one ruleset Device Selection choice are simply left untouched. I.e., the default ruleset is to leave the on-board ruleset alone, to modify only the routers selected by at least one ruleset Device Selection.

To have a default action be to (essentially) perform a factory reset on the policies, and even without an “undo,” is not a good UI practice.

2 Likes

This is not the expected behavior. Please open a ticket for us to take a closer look.

Thanks.

1 Like

The scenario has been replicated (two devices, a new organization) and a ticket submitted.
Ticket #783667.

I have a similar situation: 67 devices online, and I would like to push out an outbound policy to some, perhaps all, of the devices.
However, every device has existing outbound policies and the default policy is the PepVPN; additionally, the WAN1 and WAN2 ports are renamed to their circuit IDs.

1 Like

@eglass, please read the help text below before you manage the outbound policy for your devices with InControl2.

It is recommended to apply a tag to your devices, then manage the outbound policy based on the tag.

1 Like

@TK_Liew
Thank you for the information.
Seems it might be a good feature to allow a ‘like’ or ‘contains’, so I can name WAN1 something like ‘WAN1 VZN xyz123’ and make an outbound policy something like: Source 10.75.1.0/24, Destination 172.32.0.0/24, Enforced Connection ‘WAN1*’.

Thanks,
Eric

1 Like

I created a mock-up. Anybody seconds?

image

3 Likes

Michael,
I believe those options would give us great flexibility.

Question/Clarification:
Does setting up an outbound policy in InControl overwrite all the policies on a MAX or Balance device, or would any existing policies (not matching the new global policy) remain?
I see the option to Preserve Outbound policy on devices that receive no rules:
image
But I am not 100% clear on what this means?

Thanks,
Eric

1 Like

You can choose by tag which devices should receive outbound rule sets. After you have enabled the outbound policy management option, chosen devices will receive the rule set. Any rules defined on the chosen devices will be overwritten.

Some devices may receive no outbound rules. The above option controls whether to preserve or remove the outbound rules defined on the devices that receive no rule set.

1 Like
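The push semantics described in the thread (devices selected by tag receive the rule set and have their on-device rules overwritten; devices that match no rule set are either preserved or reset to the factory default, depending on the "preserve" option) can be modelled as a dry-run before committing a change. The following is an added example written for this page, not InControl2's own code or Peplink's implementation; the device names, tags, rule strings, the `FACTORY_DEFAULT` list and the `preserve_unselected` flag are constructed stand-ins that only mirror the behaviour the posts above describe.

```python
from dataclasses import dataclass

# Constructed stand-in for the on-device default rule set the first post
# mentions ("the persistence policy all by itself").
FACTORY_DEFAULT = ["persistence"]


@dataclass
class Device:
    name: str
    tags: set
    rules: list  # outbound rules currently on the device (constructed)


@dataclass
class RuleSet:
    name: str
    any_of_tags: set  # the "any of the following tags" Device Selection
    rules: list


def plan_push(devices, rule_sets, preserve_unselected):
    """Return {device: (action, resulting_rules)} for a proposed push.

    - 'replace': the device matched at least one rule set; its rules are
      overwritten by the matching sets (in rule-set order).
    - 'preserve': no match, and the preserve option is on; rules untouched.
    - 'reset': no match, preserve option off; rules fall back to default.
    """
    plan = {}
    for dev in devices:
        matching = [rs for rs in rule_sets if rs.any_of_tags & dev.tags]
        if matching:
            new_rules = [rule for rs in matching for rule in rs.rules]
            plan[dev.name] = ("replace", new_rules)
        elif preserve_unselected:
            plan[dev.name] = ("preserve", list(dev.rules))
        else:
            plan[dev.name] = ("reset", list(FACTORY_DEFAULT))
    return plan


def devices_losing_custom_rules(plan, devices):
    """Names of devices whose non-default rules would be discarded."""
    by_name = {d.name: d for d in devices}
    return sorted(
        name
        for name, (action, _) in plan.items()
        if action == "reset" and by_name[name].rules != FACTORY_DEFAULT
    )


# Constructed fleet: two G1 members, two stand-alone units with custom rules.
FLEET = [
    Device("balance-g1-a", {"G1"}, ["persistence"]),
    Device("balance-g1-b", {"G1"}, ["persistence"]),
    Device("max-branch-7", {"branch"}, ["prefer-wan1-circuit-A", "persistence"]),
    Device("max-standalone", set(), ["force-pepvpn", "persistence"]),
]

G1_POLICY = [RuleSet("G1", {"G1"}, ["weighted-balance-wan1-wan2", "persistence"])]


if __name__ == "__main__":
    for preserve in (False, True):
        plan = plan_push(FLEET, G1_POLICY, preserve_unselected=preserve)
        print(f"preserve_unselected={preserve}")
        for name, (action, rules) in plan.items():
            print(f"  {name:16s} {action:8s} {rules}")
        print("  would lose custom rules:",
              devices_losing_custom_rules(plan, FLEET))
```

Running the dry run with `preserve_unselected=False` lists both stand-alone units as losing their custom rules, which is exactly the outcome the first post reports; with the option on, only the tagged G1 members change. Checking that list is empty (or contains only the devices you meant to touch) before saving is the kind of review step the thread's "undo" complaint asks for.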