204 votes
ACC Configuration Push
When you have multiple ASGs and you want to change content filter rules or packet filter rules (for example), you should be able to perform this change centrally and push this down to your ASGs.
Status:
completed
This feature has been implemented in Astaro Command Center V2.2. Enjoy!
edojack
Black/White list push is essential for us...
Thomas Beer
just wait for ACC 3.0 ;-)
rsmfazil
Yes, central config is a must have
bram kortleven
This could be extended with a blacklist/whitelist or even a complete config push of SMTP and Web proxy profiles.
A box running smtp proxy then could have a 'centrally coordinated' config for domain X next to a locally created config for domain Y.
The endpoint mailserver should though be set locally somehow...
This way, distribution, or backup MX configurations will be made much easier, especially the BL/WL configs... I know you can export/import these, but that is still a lot of work...
Frank
the change of a proxy profile should be synced to all requiered ASG.
Poul Petersen
Primarily? The ability to define objects globally would be really nice. RIght now, if you have 50 ASGs and the IP address of one site changes, you've got 50 UIs to visit.
Ideally, ACC would provide; global object defintions, automatic site-2-site mesh configurations, global "NAT templates", global policy definitions, etc. This would make the management of a large installation of ASGs feasible.
Bob Alfson
What needs to be added to the Astaro Command Center?
Ahargrove
Nick - I agree, this would have been a great feature to have these last few years that we've had to manage multiple ASGs. The HTTP white/black lists shouldn't require any "postitioning", but the packet filter rules would. I whipped up a very rough picture as to how this could look:
http://i40.tinypic.com/2utp4de.jpg
This is the page you would see AFTER creating the rule on a previous screen (which would have a list of all your managed appliances and a checkbox next to each hostname th... more
Nick - I agree, this would have been a great feature to have these last few years that we've had to manage multiple ASGs. The HTTP white/black lists shouldn't require any "postitioning", but the packet filter rules would. I whipped up a very rough picture as to how this could look:
http://i40.tinypic.com/2utp4de.jpg
This is the page you would see AFTER creating the rule on a previous screen (which would have a list of all your managed appliances and a checkbox next to each hostname that you wanted to submit the rule to, so you could selectively choose which appliances get the rule). On this screen, you could change the ordering of the rule on different appliances before actually committing the change, and also this would allow you to quickly compare the rule configuration visually between all your appliances.
Nick Holden
Ahargrove - I understand what you're saying - but in our instance this feature would be very useful as each ASG tends to be protecting the local subnet - hence Packet Filter rules and http filter exceptions could be pushed centrally. Currently to allow a http web filter exception takes around an hour to update manually all of our ASGs (and we haven't rolled them out to all of our offices yet).
Michael Smith
I would be happy with just being able to push block/allow of host definitions to all of my devices.
Ahargrove
Thinking about this a little more... what if after saying "I want to open port X to whatever on all these ASGs", it comes back with a grid showing where the rule would be dropped on each ASG, and allow you to move it up or down in the rule order before you commit the change? Let me know if a mock-up would help clarify what I'm trying to say here...
Ahargrove
Since the rules are processed in a certain order (top-down), how would you guarantee that you don't inadvertently open a hole in your filter rules on one or more appliances when you push out a change? That is, unless they all share EXACTLY the same configuration, but there is always going to be "that one site" that just HAS to be different... :)