SunScreen 3.2 Administration Guide

Editing Policies

To Edit a Policy

You can edit any policy to which you have WRITE access except the currently active policy. The currently active policy is a READ ONLY copy that lets you view the rules currently in use by the firewall. The editable version of the currently active policy is available through the list of policies on this page.

When you installed SunScreen, a policy named Initial was created, containing enough information for you to start administering the Screen. You can work with this policy or create another policy and set it to be the currently active policy.


Note -

Logging in as a user with an access level of ALL or WRITE puts you into a session. If you make changes to a policy, you cannot log out of the session until you either save or cancel those changes.


    Select a policy in the Policies List page.

Note -

The View button appears if the policy you chose can be opened only in read-only mode (for example, the Currently Active policy in the first row, and the policy versions in the Version column). See the SunScreen 3.2 Administrator's Overview for more information on policy types.


To Add a New Policy
  1. Select a policy in the Policies List page.

  2. Click the Add New button.

    The Add New Policy dialog box appears.

  3. Type the name of the new policy in the Add New Policy dialog box.

  4. Click the OK button.

To Copy a Policy
  1. Select a policy in the Policies List page.

  2. Select the policy you want to copy.

  3. Click the Copy button.

    The Copy dialog box appears.

  4. Type the name of the new policy in the Copy dialog box.

  5. Click the OK button.

To Rename a Policy
  1. Select a policy in the Policies List page.

  2. Select the policy you want to rename.

  3. Click the Rename button.

    The Rename dialog box appears.

  4. Type the name of the new policy in the Rename dialog box.

  5. Click the OK button.

To Delete a Policy
  1. Select a policy in the Policies List page.

  2. Select the policy you want to delete.

  3. Click the Delete button.

    The Delete Policy dialog box appears.

  4. Click the Yes button in the Delete Policy dialog box to delete the policy.

To Verify a Policy

To verify that any changes you have made are stable:

  1. Select a policy in the Policies List page.

  2. Select the policy you want to verify.

  3. Click the Edit button.

    The Policy page for the selected policy appears.

  4. Click the Verify Policy button above the Common Objects area.

    Clicking the Verify Policy button verifies that all the rules are valid and should compile successfully when you activate this policy. The rules in the chosen policy file are checked for errors, but the policy is not activated. Verifying a policy allows you to debug it without activating it.

You can activate the policy when verification has succeeded.

To Back Up All Policies

Backing up your policies is always good practice, especially in case anything happens to the disk. You should also back up the original policy after you install SunScreen. This makes it easier to restore earlier policies, if necessary. Backing up from the administration GUI backs up only the current versions of all the policies.


Caution -

The backup medium contains copies of the local identities (the encryption keys and certificates) and must be stored securely and disposed of properly to avoid compromising your security.



Note -

This procedure requires a browser that can be used to access local files. You can use the HotJava Browser, Netscape, or Internet Explorer with Sun's Java Plug-In and the identitydb.obj file (copied to the correct location). See "To Install the Java Plug-In on the Screen" for information on how to install the plug-in.


  1. Select a policy in the Policies List page.

  2. Click the Backup All button to back up the current version of the policies.

    The Select a backup file dialog box appears.

  3. Type the path name of the directory in the Filter field and type the name of the backup file in the Selection field.

To Restore All Policies

Note -

This procedure requires a browser that can be used to access local files. You can use the HotJava Browser, Netscape, or Internet Explorer with Sun's Java Plug-In and the identitydb.obj file (copied to the correct location). See "To Install the Java Plug-In on the Screen" for information on installing the plug-in.


The Restore operation causes all current policy information, including common objects, to be overwritten by the new information from the backup file.

  1. Select a policy in the Policies List page.

  2. Click the Restore All button.

    The Select a backup file dialog box appears.

  3. Type the path name of the directory in the Filter field and the file name for the backup file in the Selection field.

  4. Click the OK button.
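
Because the backup file holds the local identities and a restore overwrites all current policy information, it helps to lock the file down right after Backup All and to check it before Restore All. The shell functions below are an added example, not part of the SunScreen product or this guide; the function names and the `.sha256` sidecar file are assumptions of the example, and the path is whatever you typed in the Select a backup file dialog box.

```shell
#!/bin/sh
# Added example: protect a policy backup file and check it before a restore.
# The ".sha256" sidecar file and all function names are assumptions of this example.

# Print the SHA-256 digest of a file using whichever tool is installed.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file grants nothing to group or other.
# Characters 5-10 of the ls mode string are the group and other permission bits.
is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run right after "Backup All": restrict the file to its owner and record its digest.
seal_backup() {
    [ -f "$1" ] || { echo "no such backup file: $1" >&2; return 2; }
    chmod 600 "$1" || return 1
    digest_of "$1" > "$1.sha256"
    chmod 600 "$1.sha256"
}

# Run before "Restore All": refuse a backup that others can read or that has changed.
# Return codes: 0 ok, 2 file or digest missing, 3 permissions too open, 4 digest mismatch.
check_backup() {
    [ -f "$1" ] && [ -f "$1.sha256" ] || { echo "backup or digest missing" >&2; return 2; }
    is_private "$1" || { echo "backup readable by group/other" >&2; return 3; }
    [ "$(digest_of "$1")" = "$(cat "$1.sha256")" ] || { echo "digest mismatch" >&2; return 4; }
    echo "ok: $1"
}
```

A digest kept beside the backup only catches accidental corruption; keep a copy of the digest somewhere other than the backup medium if it should also reveal deliberate modification.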


Caution -

Before you change the administration address (such as le0, qe0, or hme0), the administration certificate, the local certificate, or the administration-group certificate, be sure that you understand how each one affects your ability to connect to the SunScreen. If you change these items, you risk losing connectivity from the Administration Station to the Screen. Reestablishing connectivity is difficult and requires that you log in to the Screen directly or use an Administration Station that is still working. It also requires an exchange of encryption information.