Understanding Deploy Mode in Gateway and Service Views of Edge Services Director
The Deploy mode in Gateway and Service views enables you to deploy configuration changes to devices. You can create a deployment plan for each of the service planning templates, such as the ones defined for ADC or SFW services, and the policy or filter templates, such as the packet filter or SFW policy, that you have created. A deploy plan contains details about the settings and configuration parameters that must be propagated and provisioned on the SDGs managed by Edge Services Director. You can also create, update, display, publish and commission of packet filters, stateful firewall and NAT policies present on discovered and managed SDGs.
This topic describes:
Deploying Configuration Changes
When you make configuration changes in Build mode, the changes are not deployed to devices automatically. You must manually deploy the changes to devices in Deploy mode. Every time you make configuration changes in Build mode that affect a device, the device is automatically added to the list of devices with pending changes. Configuration changes are deployed to devices at the device level. When you deploy configuration changes to a device, all pending configuration changes for that device are deployed.
You can do the following configuration deployment tasks on devices that have pending changes:
Run configuration deployment jobs immediately or schedule them for future times.
Preview pending configuration changes before deploying.
Validate that the pending changes are compatible with the device’s configuration.
Manage configuration deployment jobs.
Configuration changes are validated for each device both in Edge Services Director and on the device. If any part of a configuration change for a device fails validation, no configuration changes are deployed to the device. You can see the results of each validation phase separately.
Edge Services Director does not deploy configuration to a device with a configuration that is out of sync (meaning that the device’s configuration differs from Edge Services Director’s version of that device’s configuration), or to a device that has uncommitted changes to its candidate configuration. Deployment to such devices will fail.
When you schedule a deployment job, that job and any profiles and devices assigned to that job are locked within Edge Services Director. You cannot edit the job or any of its assigned profiles until the job runs or gets cancelled. This locking feature prevents you from deploying unintended configuration changes that could result from editing profiles and devices that are already scheduled to deploy. To change any properties of a scheduled job, cancel the job and create a new scheduled job with the desired properties. You cannot edit the profile assignments of a device that has scheduled pending configuration changes.
The Service Deployment page provides the following functionalities:
Approval Management—View the details of the filters/policies and other service deployment plans which are pending for approval. Approve or reject deployment plans done to existing feature.
Update Devices—View the details of approved filters/policies and other service deployment plans which are ready for commissioning. Commission the deployment plans or discard accordingly.
A transaction refers to an operation or a task that is performed on the service definitions, configuration parameters, and policy settings that are created for provisioning on the devices or Service Delivery Gateways (SDGs). When you create a deployment plan to define the services and policy filters that must be applied and propagated on the devices, the administrator can approve or reject a deploy plan. For each approved deploy plan, a transaction is automatically created by the Edge Services Director application.
Modify the Association of SDG Details and Rule Terms for a Policy Filters
In Gateway view of Deploy mode, from the Policy & Filters page, which displays all the previously configured CGNAT and SFW service policy filters, and packet filters, you can modify the components or the parameter types that are associated with a particular service filter. You must lock the packet filters for which you want to modify the attached rule term components or attributes before you can update the settings. You can also select a different SDG to which the packet filter must be applied.
View Service Object Statistics
In Service view of Deploy mode, you can view a graphical representation in the form of pie charts of the configured ADC, TLB, CGNAT, SFW, and packet policies or filter.
In Gateway and Service views, you can select a previously configured service template instance, such as a stateful firewall, carrier-grade NAT, traffic load balancer, or adaptive delivery controller, and lock the service instance to select the attributes or components of the service to be modified. You can publish or unpublish service template instances.
Policy and Filter Management
The Policy and Filter Management feature in the Junos Space Edge Services Director application helps you create, update, display, publish and commission of packet filters, stateful firewall and NAT policies present on discovered and managed SDGs. The Service Management workspace displays a bar graph of draft, published and approved filters or policies for different options available under workspace:
Packet Filter: This option displays packet filters present on SDGs in tabular view. It also provides the ability to create, update, and delete filters on selected SDGs.
Stateful Firewall: This option displays stateful firewall policies present on SDGs in tabular view. It also provides the ability to create, update and delete stateful firewall policies on selected SDGs.
CGNAT: This option displays CGNAT policies present on SDGs in tabular view. It also provides the ability to create, update and delete CGNAT policies on selected SDGs. A published filter or policy is sent for peer review and approval. After approval, the filter or policy is deployed to devices.