| Home Prev |  InControl 3.19.01 Administration Guide
|
Next |
|---|
An issue that can complicate administration of multiple firewalls is that different cOS Core versions offer different feature sets and, in some cases, different ways of configuring a cOS Core feature. In addition, cOS Core configuration object properties may get renamed in a new version. The InControl Domain Feature Levels can provide a solution to these issues.
The Domain Feature Levels option allows a cOS Core version level to be assigned to any InControl Domain (the default is the most recent cOS Core version). The domain then presents a view of its contained configuration objects that corresponds to the assigned version.
If different feature levels are used between domains, or between domains and the firewalls they contain, InControl will perform object conversion when needed.
In a scenario where there are various firewalls with different versions of cOS Core the best practice for using this feature is as follows:
It is recommended to keep the global domain feature level at the lowest version of all available firewalls, as configuration versions are converted between the global domain and subdomains.
Create subdomains under the global domain and assign the major cOS Core revision number for all the firewalls grouped under that subdomain.
Note that it is not recommended that a subdomain with firewalls inside it is changed to a lower version (downgraded). This can cause issues because the conversion is "best-effort". There is no guarantee that everything can be downgraded because there may be new features in newer versions.
Add the relevant firewalls to the related subdomain. This can be done by dragging and dropping in the interface.
For example, in a mixed environment with devices running 11.04 and 11.10, the global domain needs to be set to 11.04 and a subdomain should be set to 11.10 in order to contain the 11.10 devices. The global domain would not support any new 11.10 features. Those features would be configured within the 11.04 subdomain.
The recommended setup is that a subdomain and all its contained firewalls have matching feature levels and versions. When upgrading, it is recommended to first upgrade the actual device, then the device's feature level in InControl and lastly the feature level of the parent subdomain.
For forward planning, if firewalls with newer versions of cOS Core are to be added to InControl, it is advised to create a new subdomain for containing those firewalls. In this example, with a global domain feature level of 11.03, to add a firewall with cOS Core version 11.10, perform the following:
Create a new subdomain with a feature level of 11.10.
Add any firewalls with 11.10 to this new subdomain.
The result will be that the top-level global domain configuration will apply features from 11.03, then convert them across to the new 11.10 subdomain to agree with its feature level, along with all firewalls inside that subdomain.
A typical series of steps for implementing feature levels would be the following:
Right-click the Global Domain and select the Feature Level option.
A dialog appears that allows the assignment of the desired feature level to the Global Domain. The recommended level is highlighted. All the available versions are shown but the versions that are below the recommended level are grayed out, although they can still be selected. Check-in the global domain after assigning the level.
Create a new InControl Domain as a child of the Global Domain. In this example, it will be called My_Feature_Domain.
Right-click this new child Domain and select the Feature Level option.
A dialog appears that allows the assignment of the desired feature level to this new child Domain. Check-in the domain after assigning the level.
Add or move firewalls to be children of the new Domain. The screenshot below shows a typical situation where the version number of the global domain, the subdomain and an added firewall are all different.
When the configuration of any of the child firewalls is opened, the administrator will only see the features and configuration organization for the cOS Core version assigned to the parent domain.
Supported cOS Core Versions
The Domain Feature Level setting cannot be used with the following cOS Core versions:cOS Core versions before 10.11.05.
10.2x cOS Core versions. For example, 10.20.01 and 10.22.00.
Some Objects Need to be Checked-In Manually
Some combinations of parent domain/subdomain versions and subdomain/device versions require special handling. This is because the conversion can require that existing objects are replaced with new objects.If the combinations shown below are involved in a conversion then a manual check-out and check-in must be performed on the domain or firewall if the parent domain has been upgraded or any configuration objects have been added, changed or deleted.
| 11.03 and older | 11.04 and newer | Reason |
|---|---|---|
| Web Content Filtering | Web Profile | URL Filter Profile and Web Content Filtering Profile have been combined into one Web Profile for a simpler way of configuring IP Policies. Existing URL Filter Profiles and Web Content Filtering Profiles will be converted into the new type on upgrade. |
| URL Filtering |
