Policy and Filter Management Overview

 

The Policy and Filter Management feature in the Junos Space Edge Services Director application handles creating, updating, displaying, publishing, and commissioning packet filters, stateful firewall policies, and NAT policies present on discovered and managed SDGs. The Service Management workspace displays a bar graph of draft, published, and approved filters or policies for each option available under the workspace.

  • Packet Filter: This option displays packet filters present on SDGs in a tabular layout. It also provides the ability to create, update and delete filters on selected SDGs.

  • Stateful Firewall: This option displays stateful firewall policies present on SDGs in a tabular layout. It also provides the ability to create, update, and delete stateful firewall policies on selected SDGs.

  • CGNAT: This option displays CGNAT policies present on SDGs in a tabular layout. It also provides the ability to create, update, and delete CGNAT policies on selected SDGs.

After a filter or policy is published, it goes for peer review and approval. After approval, the filter or policy is deployed to the device.

The Service Deployment page provides the following functionalities:

  • Approval Management – View the details of the filters, policies, and other service deployment plans that are pending approval. Approve or reject deployment plans made for an existing feature.

  • Update Devices – View the details of approved filters, policies, and other service deployment plans that are ready for commissioning. Commission or discard the deployment plans accordingly.

States and Transitions of Policies or Filters

A filter has the following states:

  • New

  • Updated

  • Deleted

A user can carry out the following operations depending on the status of a filter:

  • Add – Create a new filter for Zone, SDG, or Host.

  • Update – Update an existing filter on an SDG.

  • Delete – Delete an existing filter on an SDG.

  • Send for Deployment – Deploy the policy and filter instance on the associated standalone SDG or SDGs in a high availability pair.

    You can perform the following tasks with a deployment plan created for provisioning a policy on SDGs:

    • Publish – Publish a new, updated, or deleted filter for administrator or designer approval.

    • Unpublish – Unpublish the published filter to make further changes. The filter returns to the “Draft” status.

    • Approve – An administrator or designer approves the published filter.

    • Reject – An administrator or designer rejects the published filter.

    • Commission – An administrator or designer pushes updates to the SDG.

    • Discard – An administrator or designer discards an approved filter without pushing updates to the SDG.

User Roles

An SDG operator is responsible for creating, modifying, and deleting a policy or filter, and publishes it for approval by the designer. An SDG operator can access the Service Management workspace and all options under it.

A user with the SDG designer role is responsible for reviewing and approving a published policy or filter. The workflow for review and approval is part of another workspace called Service Deployment. As a user with the SDG designer role, you can access both the Service Management and Service Deployment workspaces.

An SDG administrator is responsible for commissioning an approved policy or filter to managed SDGs. The workflow for commissioning is part of another workspace called Service Deployment. An SDG designer can access both the Service Management and Service Deployment workspaces.

  • SDG Operator – An SDG operator is responsible for creating, modifying, and deleting a policy or filter, and publishes it for approval by the designer. An SDG operator can access the Service Management workspace and all options under it.

  • SDG Designer – An SDG designer is responsible for reviewing and approving a published policy or filter. The workflow for review and approval is part of another workspace called Service Deployment. An SDG designer can access both the Service Management and Service Deployment workspaces.

  • SDG Administrator – An SDG administrator is responsible for commissioning an approved policy or filter to managed SDGs. The workflow for commissioning is part of another workspace called Service Deployment. An SDG designer can access both the Service Management and Service Deployment workspaces.
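
The deployment-plan tasks and roles described above, replayed over a change log to flag steps taken out of order or by the wrong role. This is an added example, not Edge Services Director code or its log format. The event tuples are constructed, the state names Rejected, Commissioned and Discarded are assumptions the page does not name, and allowing any role to publish or unpublish is also an assumption.

```python
from collections import namedtuple

# One rule per deployment-plan task: state required, state reached, roles allowed.
Rule = namedtuple("Rule", "source target roles")

REVIEWERS = {"designer", "administrator"}   # "an administrator or designer"
ANY_ROLE = {"operator"} | REVIEWERS         # assumption: page names no restriction

RULES = {
    "publish":    Rule("Draft", "Published", ANY_ROLE),
    "unpublish":  Rule("Published", "Draft", ANY_ROLE),      # returns to Draft
    "approve":    Rule("Published", "Approved", REVIEWERS),
    "reject":     Rule("Published", "Rejected", REVIEWERS),      # assumed name
    "commission": Rule("Approved", "Commissioned", REVIEWERS),   # assumed name
    "discard":    Rule("Approved", "Discarded", REVIEWERS),      # assumed name
}

def replay(events):
    """Replay (filter, role, action) events; return (final_states, violations).

    An event that breaks a rule is recorded and does not change the state.
    """
    states, violations = {}, []
    for n, (name, role, action) in enumerate(events, 1):
        current = states.setdefault(name, "Draft")
        rule = RULES.get(action)
        if rule is None:
            violations.append((n, name, f"unknown action {action!r}"))
        elif role not in rule.roles:
            violations.append((n, name, f"{role} may not {action}"))
        elif current != rule.source:
            violations.append((n, name, f"{action} not allowed from {current}"))
        else:
            states[name] = rule.target
    return states, violations

# Constructed sample log; filter names are hypothetical.
SAMPLE = [
    ("edge-in", "operator", "publish"),
    ("edge-in", "designer", "approve"),
    ("edge-in", "administrator", "commission"),
    ("nat-out", "operator", "publish"),
    ("nat-out", "operator", "approve"),          # operator cannot approve
    ("nat-out", "administrator", "commission"),  # never approved
    ("fw-core", "operator", "publish"),
    ("fw-core", "operator", "unpublish"),
]

if __name__ == "__main__":
    final, problems = replay(SAMPLE)
    print(final)
    for problem in problems:
        print(problem)
```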