Follow the recommendations listed below to manage firewalls:
Making Configuration Changes:
Once the firewalls are onboarded, make all configuration changes through NSM/Firewall Management only. This helps avoid conflicts and ensures configuration consistency.
If changes are made directly through the firewall user interface, the firewall’s configuration status will change to Out Of Sync in NSM/Firewall Management.
If configuration changes through the firewall user interface are unavoidable:
Automatically synchronize the configuration changes by enabling the Auto Synchronize Local Changes option on the Manager View | Home > Tenants page for the required Tenants.
NSM/Firewall Management performs auto-sync only when there are no pending configuration changes for the firewalls. Once the pending changes are deployed, NSM/Firewall Management resumes auto-sync for those firewalls.
Taking Configuration Backups:
Create a configuration backup schedule for the firewalls to ensure the latest configuration is available in NSM/Firewall Management. For more information, refer to Scheduling Backups of a Device Configuration.
Using the Device Groups:
Device groups are used to apply common configurations across multiple firewalls by assigning a configuration template to them. To avoid applying unnecessary configurations to the firewalls, keep the following points in mind:
In Group View, firewall configurations are read-only.
The group configurations are inherited from the configuration templates.
When a new firewall is assigned to a device group, the default behavior is that the firewall inherits the configuration from that group and its parent groups. Disable Auto Commit & Deploy Templates if you want to review the configuration before it is pushed to the firewall. For more information, refer to Creating Device Groups and Editing Device Groups.
Delegating the Configuration Changes:
When the configuration changes in NSM/Firewall Management are delegated to other users, it is recommended to control the allowed configuration changes by:
Assigning the users with appropriate roles on the Manager View | Home > CSC Users > Roles and Permissions page.
For more information about:
Defining the configuration editing access levels for assigned roles on the Manager View | Home > CSC User > Users > Access tab.
Select the tenants and firewalls that the users are allowed to make changes to. For more information, refer to Editing Users.
Configuring an Approval Process:
To require approval from designated users for any configuration changes, create Approval Groups on the Manager View | Home > Config Management > Approval Groups > Approval Groups tab.
For more information about creating a new approval group and adding approvers to it, refer to Adding a New Approval Group.