Description
Generates, loads, or removes the Initial Policy on a Security Gateway, or a Cluster Member.
Until the Security Gateway or cluster administrator installs the user-defined Security Policy on the Security Gateway or Cluster Members for the first time, security is enforced by an Initial Policy. The Initial Policy operates by adding "implied rules" to the Default Filter. These rules forbid most of the communication, but allow the communication needed for the installation of the Security Policy.
The Initial Policy also protects a Security Gateway or Cluster Members in these cases:
The Initial Policy is enforced until a policy is installed, and is never loaded again. In subsequent boots, the regular policy is loaded immediately after the Default Filter.
Notes:
cpstat -f policy fw
command shows the name of this policy as InitialPolicy
.$FWDIR/state/__tmp/FW1/
$FWDIR/state/local/FW1/
$FWDIR/state/<
Name of Cluster Object>/FW1/
Also refer to these commands:
Syntax
[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-u | -U] |
[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-g | -G] |
Parameters
Parameter |
Description |
---|---|
No Parameters |
The command runs with the last used parameter. |
|
Performs these steps:
|
|
Performs these steps:
You can use this parameter, if there is no Initial Policy generated. If Initial Policy was already generated, make sure that after removing the Initial Policy, you delete the This parameter generates the Initial Policy and ensures that Security Gateway loads it the next time it fetches a policy (at The If you run one of these pairs of the commands, the original policy is still loaded:
|
Example
[Expert@GW:0]# cd $FWDIR/state/local/FW1/ [Expert@GW:0]#
[Expert@GW:0]# pwd /opt/CPsuite-R80.30/fw1/state/local/FW1 [Expert@GW:0]#
[Expert@GW:0]# ls -l total 7744 -rw-r--r-- 1 admin root 20166 Jun 13 16:34 install_policy_report.txt -rw-r--r-- 1 admin root 55 Jun 13 16:34 install_policy_report_timing.txt -rw-r--r-- 1 admin root 37355 Jun 13 16:34 local.Sandbox-persistence.xml -rw-r--r-- 1 admin root 3 Jun 13 16:34 local.ad_query_profiles -rw-r--r-- 1 admin root 309 Jun 13 16:34 local.adlog.networks.exclude -rw-r--r-- 1 admin root 148 Jun 13 16:34 local.adlog.users.exclude -rw-r--r-- 1 admin root 3 Jun 13 16:34 local.allowed_clients_objects -rw-r--r-- 1 admin root 8236 Jun 13 16:34 local.appfw_misc -rw-r--r-- 1 admin root 4706 Jun 13 16:34 local.cluster_member -rw-r--r-- 1 admin root 7889 Jun 13 16:34 local.connectra_global_properties -rw-r--r-- 1 admin root 514 Jun 13 16:34 local.connectra_policy -rw-r--r-- 1 admin root 603 Jun 13 16:34 local.cpmi_file -rw-r--r-- 1 admin root 8 Jun 13 16:34 local.ctlver -rw-r--r-- 1 admin root 680 Jun 13 16:34 local.current_recovery.profile -rw-r--r-- 1 admin root 1054 Jun 13 16:34 local.data_awareness_settings -rw-r--r-- 1 admin root 31202 Jun 13 16:34 local.data_files -rw-r--r-- 1 admin root 33104 Jun 13 16:34 local.db -rw-r--r-- 1 admin root 26763 Jun 13 16:34 local.dcerpc_service -rw-r--r-- 1 admin root 0 Jun 13 16:34 local.device_settings_transactions -rw-r--r-- 1 admin root 4 Jun 13 16:34 local.domain_objects_for_web_applications -rw-r--r-- 1 admin root 3409 Jun 13 16:34 local.dynobj -rw-r--r-- 1 admin root 6876 Jun 13 16:34 local.embedded_applications -rw-r--r-- 1 admin root 966 Jun 13 16:34 local.eps_notify.html -rw-r--r-- 1 admin root 1667 Jun 13 16:34 local.eps_notify.mail -rw-r--r-- 1 admin root 717137 Jun 13 16:34 local.fc -rw-r--r-- 1 admin root 784436 Jun 13 16:34 local.fc6 -rw-r--r-- 1 admin root 737 Jun 13 16:34 local.fileslist -rw-r--r-- 1 admin root 216819 Jun 13 16:34 local.ft -rw-r--r-- 1 admin root 216651 Jun 13 16:34 local.ft6 -rw-r--r-- 1 admin root 4789 Jun 13 16:34 local.fwrl.conf -rw-r--r-- 1 admin root 3025 Jun 13 16:34 local.gateway_cluster -rw-r--r-- 1 admin root 706 Jun 13 16:34 local.gateway_general_properties -rw-r--r-- 1 admin root 617 Jun 13 16:34 local.global_preferences -rw-r--r-- 1 admin root 8207 Jun 13 16:34 local.icmp_service -rw-r--r-- 1 admin root 16003 Jun 13 16:34 local.icmpv6_service -rw-r--r-- 1 admin root 211440 Jun 13 16:34 local.ics_configuration -rw-r--r-- 1 admin root 633 Jun 13 16:34 local.identity_awareness_custom_settings -rw-r--r-- 1 admin root 3 Jun 13 16:34 local.identity_roles -rw-r--r-- 1 admin root 11 Jun 13 16:34 local.ifs -rw-r--r-- 1 admin root 31618 Jun 13 16:34 local.implied_rules -rw-r--r-- 1 admin root 833 Jun 13 16:34 local.inspect.lf -rw-r--r-- 1 admin root 596 Jun 13 16:34 local.intranet_community -rw-r--r-- 1 admin root 2 Jun 13 16:34 local.ips_enhance -rw-r--r-- 1 admin root 2 Jun 13 16:34 local.ips_granular_contexts -rw-r--r-- 1 admin root 8123 Jun 13 16:34 local.languages -rw-r--r-- 1 admin root 10286 Jun 13 16:34 local.lg -rw-r--r-- 1 admin root 10286 Jun 13 16:34 local.lg6 -rw-r--r-- 1 admin root 39 Jun 13 16:34 local.logo_directory_content.conf -rw-r--r-- 1 admin root 41030 Jun 13 16:34 local.magic -rw-r--r-- 1 admin root 878700 Jun 13 16:34 local.magic.mgc -rw-r--r-- 1 admin root 3 Jun 13 16:34 local.mail_servers -rw-r--r-- 1 admin root 35 Jun 13 16:34 local.mgmt_dhcp_data -rw-r--r-- 1 admin root 10958 Jun 13 16:34 local.mobile_profiles -rw-r--r-- 1 admin root 1389 Jun 13 16:34 local.mobile_profiles_rulebase -rw-r--r-- 1 admin root 101 Jun 13 16:34 local.mv_tag -rw-r--r-- 1 admin root 2230 Jun 13 16:34 local.nac_agents -rw-r--r-- 1 admin root 2267 Jun 13 16:34 local.network_applications -rw-r--r-- 1 admin root 558756 Jun 13 16:34 local.objects -rw-r--r-- 1 admin root 2951 Jun 13 16:34 local.other_service -rw-r--r-- 1 admin root 630 Jun 13 16:34 local.policy -rw-r--r-- 1 admin root 42336 Jun 13 16:34 local.policy.xml -rw-r--r-- 1 admin root 5304 Jun 13 16:34 local.products_updates -rw-r--r-- 1 admin root 5749 Jun 13 16:34 local.rad_services -rw-r--r-- 1 admin root 11419 Jun 13 16:34 local.realm_objects -rw-r--r-- 1 admin root 20590 Jun 13 16:34 local.realms -rw-r--r-- 1 admin root 5767 Jun 13 16:34 local.remote_access_clients_objects -rw-r--r-- 1 admin root 11389 Jun 13 16:34 local.rpc_service -rw-r--r-- 1 admin root 7280 Jun 13 16:34 local.rule -rw-r--r-- 1 admin root 3 Jun 13 16:34 local.rule_adtr -rw-r--r-- 1 admin root 924 Jun 13 16:34 local.rulebase -rw-r--r-- 1 admin root 6329 Jun 13 16:34 local.rulebase_tracks -rw-r--r-- 1 admin root 0 Jun 13 16:34 local.sdopts.rec -rw-r--r-- 1 admin root 0 Jun 13 16:34 local.securid -rw-r--r-- 1 admin root 1643 Jun 13 16:34 local.service_group -rw-r--r-- 1 admin root 362239 Jun 13 16:34 local.set -rw-r--r-- 1 admin root 140 Jun 13 16:34 local.sic_name -rw-r--r-- 1 admin root 590 Jun 13 16:34 local.sr_community -rw-r--r-- 1 admin root 3 Jun 13 16:34 local.ssl_certificates -rw-r--r-- 1 admin root 949165 Jun 13 16:34 local.ssl_inspection -rw-r--r-- 1 admin root 4 Jun 13 16:34 local.sso_groups -rw-r--r-- 1 admin root 1004 Jun 13 16:34 local.str -rw-r--r-- 1 admin root 1004 Jun 13 16:34 local.str6 -rw-r--r-- 1 admin root 152350 Jun 13 16:34 local.tcp_protocol -rw-r--r-- 1 admin root 304987 Jun 13 16:34 local.tcp_service -rw-r--r-- 1 admin root 48337 Jun 13 16:34 local.thresholds.conf -rw-r--r-- 1 admin root 887 Jun 13 16:34 local.track -rw-r--r-- 1 admin root 36327 Jun 13 16:34 local.udp_protocol -rw-r--r-- 1 admin root 125679 Jun 13 16:34 local.udp_service -rw-r--r-- 1 admin root 1452032 Jun 13 16:34 local.upDB.sqlite -rw-r--r-- 1 admin root 80512 Jun 13 16:34 local.user_check_interactions.C.converted -rw-r--r-- 1 admin root 0 Jun 13 16:34 local.userdef -rw-r--r-- 1 admin root 6240 Jun 13 16:34 local.vs_cluster_member -rw-r--r-- 1 admin root 4547 Jun 13 16:34 local.vs_cluster_netobj -rw-r--r-- 1 admin root 3118 Jun 13 16:34 local.vsx_cluster_member -rw-r--r-- 1 admin root 2278 Jun 13 16:34 local.vsx_cluster_netobj -rw-r--r-- 1 admin root 5172 Jun 13 16:34 local.{939922F7-DF98-4988-B776-B70B9B8340F3} -rw-r--r-- 1 admin root 10328 Jun 13 16:34 local.{B9D14722-3936-4B33-814B-F87EA4062BEB} -rw-r----- 1 admin root 14743 Jun 13 16:34 manifest.C -rw-r--r-- 1 admin root 7381 Jun 13 16:34 policy.info -rw-r--r-- 1 admin root 2736 Jun 13 16:34 policy.map -rw-r--r-- 1 admin root 51 Jun 13 16:34 sig.map [Expert@GW:0]#
[Expert@GW:0]# comp_init_policy -u erasing local state.. [Expert@GW:0]#
[Expert@GW:0]# ls -l total 0 [Expert@GW:0]#
[Expert@GW:0]# comp_init_policy -g initial_module: Compiled OK. initial_module: Compiled OK. [Expert@GW:0]#
[Expert@GW:0]# ls -l total 56 -rw-rw---- 1 admin root 8 Jul 19 19:51 local.ctlver -rw-rw---- 1 admin root 4514 Jul 19 19:51 local.fc -rw-rw---- 1 admin root 4721 Jul 19 19:51 local.fc6 -rw-rw---- 1 admin root 235 Jul 19 19:51 local.ft -rw-rw---- 1 admin root 317 Jul 19 19:51 local.ft6 -rw-rw---- 1 admin root 135 Jul 19 19:51 local.fwrl.conf -rw-rw---- 1 admin root 14 Jul 19 19:51 local.ifs -rw-rw---- 1 admin root 833 Jul 19 19:51 local.inspect.lf -rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg -rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg6 -rw-rw---- 1 admin root 0 Jul 19 19:51 local.magic -rw-rw---- 1 admin root 3 Jul 19 19:51 local.set -rw-rw---- 1 admin root 51 Jul 19 19:51 sig.map [Expert@GW:0]# |