A Centralized Management Group is comprised of a Primary Screen and a number of Secondary Screens. The Primary Screen, where all configuration objects reside, manages itself, as well as the centralized management group's Secondary Screens. The Primary Screen's function is to "push" Policy configurations to the other Secondary Screens in the CMG. This capability lets you effectively manage many Screens from one location.
To configure a Centralized Management Group, you have to exchange certificate information between the CMG Primary and Secondary Screens. You then add these certificates to the Screen objects, along with the Admin IP address information, and encryption algorithms for the respective Screen.
On the CMG Primary Screen, you need to specify each interface present on any Secondary Screen. These interface definitions should appear with the Screen object selected to make them Screen specific.
Finally, you must add packet filtering rules to both the Primary and Secondary Screens to allow the Primary screen to "push" its policy to the Secondary Screens.
Many configurations require cluster members to pass through a firewall in order to communicate with the Primary Screen. In these configurations, any firewall being traversed must contain packet filtering rules to allow certain traffic from the Primary Screen to pass through its interfaces to the Secondary Screen. These rules need to include the following services: