This article explains how to edit and publish policies that use revisions, and also how multiple admins can edit a policy in parallel.
Many Cato features are managed through a policy that consists of a list of granularly defined rules that determine how the policy functions. Some policies support parallel editing by multiple admins and saving private, unpublished revisions to continue to work on in a later session. This article describes how to work with the following policies that support revisions and concurrent admins:
- Internet Firewall
- WAN Firewall (Gradual rollout)
You can edit a policy and save the changes in your own private unpublished revision. This revision is saved even if you log out of the Cato Management Application, and you can continue editing the policy in your next session. Once all the changes have been made, the policy can be published to your account (the published revision).
Different admins can edit the published revision in parallel; however, no other admin can access your unpublished revision. Rules saved in an unpublished revision are locked for editing by other admins until the revision is published or discarded.
Until changes are published, they have no impact on the account policy and remain available for you to edit. For example:
- Admin A edits and saves rule 1 to their unpublished revision
- Admin B edits and publishes rule 2 (rule 1 is locked)
- The changes made by admin A to rule 1 are not published until admin A publishes them
For a detailed explanation of how to configure rules for each policy, see the documentation for that policy.
An unpublished revision is a version of a policy that has been saved, but not published.
When you save changes to an unpublished revision, the following indicators appear on the page:
- For the admin editing the revision, the icon indicates the rules that are currently being edited, and the changes are part of an unpublished revision
- The icon indicates rules that are locked for editing by a different admin
  - When the rule you are editing has a rule order (Position) that is relative to a different rule, both rules are locked for other admins. For example, if you assign a rule position to be before rule 5, then rules 4 and rule 5 are locked for other admins. For more about locked rules, see Overriding the Lock for a Rule.
- The label Unpublished Revision appears above the rulebase
- The number of rules with changes appears on the Publish button
After saving changes to rules, you can Discard or Publish your unpublished revision. This is what happens for each of these actions:
- Discard - All changes are discarded and the unpublished revision is no longer accessible
  Note: The Discard action can't be undone.
- Publish - All changes in the unpublished revision are applied to the account policy and appear in the published revision, as well as in the unpublished revisions of other admins
  Note: The Publish action can't be undone.
Additionally, after you Discard or Publish a revision:
- Rules are no longer locked for other admins
- The page shows the published revision of the policy
When you save changes to rules in an unpublished revision, those rules are locked to prevent editing by other admins. If you are required to edit a locked rule, you can hover over the lock to see which admin locked the rule, and contact them so they can discard or publish their revision and unlock the rule. In cases where the admin can't be contacted, it's possible to override the lock and then edit the rule. When you override the lock, you discard the other admin's entire unpublished revision, including changes for all rules, and those changes can't be retrieved. The other admin sees the published revision the next time they log in.
Note: You can only override a lock on a rule from your unpublished revision, not from the published revision. This means at least one other change has to be saved to your revision before you can override the lock on a rule.
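The locking and override rules described above, modeled as a small Python state machine. This is an added illustration, not Cato code or a Cato API: the class, method, rule and admin names are hypothetical, and position-relative locks are not modeled.

```python
class LockedError(Exception):
    """Raised when an edit or override violates the locking rules."""

class Policy:
    """Toy model: one published revision plus per-admin unpublished revisions."""
    def __init__(self, rules):
        self.published = dict(rules)  # rule id -> definition
        self.revisions = {}           # admin -> {rule id: edited definition}

    def lock_owner(self, rule_id):
        # A rule is locked by the admin who saved it in an unpublished revision.
        for admin, changes in self.revisions.items():
            if rule_id in changes:
                return admin
        return None

    def save(self, admin, rule_id, definition):
        owner = self.lock_owner(rule_id)
        if owner not in (None, admin):
            raise LockedError(f"rule {rule_id} is locked by {owner}")
        self.revisions.setdefault(admin, {})[rule_id] = definition

    def publish(self, admin):
        # Apply every saved change to the account policy and release the locks.
        self.published.update(self.revisions.pop(admin, {}))

    def discard(self, admin):
        self.revisions.pop(admin, None)  # changes are gone, locks released

    def override_lock(self, admin, rule_id):
        # Only possible from the caller's own unpublished revision.
        if not self.revisions.get(admin):
            raise LockedError("save a change to your own revision first")
        owner = self.lock_owner(rule_id)
        if owner not in (None, admin):
            self.discard(owner)  # the other admin's ENTIRE revision is dropped
        return owner

def demo():
    # Constructed rules and admin names, for illustration only.
    p = Policy({1: "block Hiring", 2: "allow DNS", 3: "block P2P"})
    p.save("admin_a", 1, "A: edit 1")
    p.save("admin_a", 3, "A: edit 3")
    p.save("admin_b", 2, "B: edit 2")      # rule 2 is free; rules 1 and 3 are locked by A
    owner = p.override_lock("admin_b", 1)  # allowed: B already has a saved change
    p.save("admin_b", 1, "B: edit 1")
    p.publish("admin_b")
    return owner, p.published, p.revisions
```

In the demo, admin A's edit to rule 3 is lost along with the edit to rule 1, because the override discards the whole revision rather than the single locked rule.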
This section describes workflows for editing a policy in the following use cases:
- When the policy isn't being edited by any other admin and no rules are locked
- When another admin is concurrently editing rules and they are locked
When no other admin saved changes to their private revision, you can edit rules with no restrictions, save the changes to your private revision, and then publish them to the account policy (the published revision).
The below example is from the Internet Firewall policy.
To edit a policy with no locked rules:
- From the navigation menu, navigate to the policy page.
  The policy page opens to your existing unpublished revision, or to the newest published revision.
- Edit a rule.
- Click Apply. The new rule is added to the rulebase.
- Click Save then Publish.
- In the Publish Revision confirmation window, click Publish. Your revision is applied to the account policy.
When you are required to edit a policy including making changes to locked rules, you can override locks to edit the rules, save the changes to your private revision, and then publish them to the account policy.
To edit a policy including locked rules:
- From the navigation menu, navigate to the policy page.
  The policy page opens to your existing unpublished revision, or to the newest published revision.
- Create or edit rules. For more information, see the documentation for the policy.
  - For a locked rule, see Overriding the Lock for a Rule below.
- Click Apply. The new rule is added to the rulebase.
- Click Save.
  The changes are saved to your unpublished revision.
- Click Publish.
- In the Publish Revision confirmation window, click Publish. Your revision is applied to the account policy.
Hovering over a locked rule displays the name of the admin who locked the rule and the length of time the rule has been locked. Before overriding a locked rule, we recommend coordinating your changes with the admin who locked the rule.
You can only override a lock on a rule from your unpublished revision, not from the published revision. This means at least one other change has to be saved to your revision before you can override the lock on a rule. Overriding the lock for a rule discards the other admin's entire unpublished revision, and can't be undone.
To override the lock for a rule:
- Hover the mouse over the lock in the row of the rule you want to edit. A window is shown with information about the rule's edit history.
- Click Override Lock.
  Note: Overriding the lock for a rule discards the other admin's entire unpublished revision, and can't be undone.
- In the confirmation window, click Override and Discard. The other admin's unpublished revision is discarded and the rule is unlocked for editing.
Publish your unpublished revision, and apply the changes to the policy.
To publish an unpublished revision:
- From the navigation menu, navigate to the policy page.
  The policy page opens to your existing unpublished revision.
- Click Publish.
- In the Publish Revision confirmation window, click Publish. Your revision is applied to the account policy.
You can use exceptions in the Internet firewall rulebase to ignore a specific rule and continue with the lower priority rules. Remember to make sure that a lower priority rule doesn't match and block the traffic. The final implicit ANY ANY Allow rule allows all traffic. For example, if rule #3 blocks access to the Hiring category, you can create an exception that does not block access for the Human Resources (HR) department.
To add an exception to a firewall rule:
- From the navigation menu, navigate to the policy page.
  The policy page opens to your existing unpublished revision.
- Click Discard.
- In the Discard Revision confirmation window, click Discard. Your revision is discarded and the page shows the published account policy.