Provisioning and Commit Policy Changes

Overview

In TOS, provisioning occurs when you use Designer to save recommended policy changes directly to a single device. The device can be a firewall device, security group, or management device. When a policy change is provisioned to a management device, the change does not get pushed to the child firewall devices managed by that management device. For firewall devices or security groups, the changes are live and enforced as soon as they are provisioned. For management devices, the modified policies remain only on the management device itself. The updated policies are not live and enforced on all the child firewall devices until all changes are explicitly committed (referred to as pushed or installed by some device vendors).

In TOS, committing changes occurs when you push the current set of security policies from the management device to all child firewall devices managed by that management device. From within Designer you can provision and commit policy changes immediately by clicking Commit. Additionally, provisioning can occur automatically by configuring the scheduled change window in SecureTrack. Committing changes in SecureChange is only relevant for management devices that support the SecureChange Provisioning+Committing feature.

What Can I Do Here?

Provisioning Policy Changes from SecureChange?

To provision changes to a single device, whether a firewall device, security group, or management device, you run Designer and click the update-related button. The specific name for the provisioning button differs per device. Designer gives a series of precise recommendations of how to update firewall rules and policies. SecureChange provisioning takes these recommendations and provisions the policy updates to the specified device.

Committing Policy Changes from SecureChange?

To commit policy changes from a management device to all the child firewall devices managed by that management device, you run Designer and click the Commit button. You can commit policy changes to all the child devices only after changes have been provisioned to the management device. The Commit button is enabled after a successful provision has been performed.

All changes saved to the management device, including changes not initiated by the ticket currently being handled, will be committed to the child devices.

After the commit process is completed, the following outcomes are available:

  • All policy changes were successfully committed to associated child devices. Click to view a summary report.
  • Policies were not successfully committed to associated child devices. Click to view a summary report, which lists all failure errors and warnings.
  • Commit did not start and was not initiated. Report not available. Contact Tufin Support for additional information.

Depending on the number of changes required, the commit process can take from several minutes up to a few hours in the case of very large networks. The default timeout setting is six hours, after which the commit process stops and needs to be rerun. If you need to change the default setting, contact Tufin Support.

We recommend that you remain in the current browser during the commit process. If you close or navigate away from the current browser, the commit process will continue, but you will not be able to access the results.