FLUSH and PURGE considerations

The FLUSH/NOFLUSH and PURGE/NOPURGE parameters can be configured for each policy type supported by the Policy Agent.

Restriction: The import policy configuration files are parsed only once. The import policies are not installed in the TCP/IP stack, so the FLUSH and PURGE parameters do not apply to these files.

These parameters determine whether policies are deleted from the associated TCP/IP stack when the Policy Agent starts, terminates, updates its policies or refreshes them, as detailed in Table 2.

Table 1 shows where you configure these parameters for each type of local or remote policy.

Table 1. Where Policy Agent FLUSH and PURGE are configured

Policy type                                            Statement where configured
Local Routing policies                                 Not configurable (always support FLUSH and NOPURGE)
Local IDS policies                                     IDSConfig or TcpImage/PEPInstance
Local IPSec policies                                   Not supported
Local QoS policies                                     TcpImage/PEPInstance
Local AT-TLS policies                                  TTLSConfig or TcpImage/PEPInstance
Remote policies (all types except IPSec and Routing)   PolicyServer or TcpImage/PEPInstance
Import policies                                        Not supported
Results: Table 2 shows the results of using the FLUSH and PURGE parameters.

Table 2. How Policy Agent FLUSH and PURGE are used

Policy Agent start (FLUSH defined)
  IPSec policies:   All policies are replaced in the TCP/IP stack.
  Routing policies: All policies are deleted and reloaded into the TCP/IP stack.
  Other policies:   All policies are deleted and reloaded into the TCP/IP stack.

Policy Agent start (NOFLUSH defined)
  IPSec policies:   All policies are replaced in the TCP/IP stack.
  Routing policies: All policies are deleted and reloaded into the TCP/IP stack.
  Other policies:   All changed policies are updated in the TCP/IP stack. Deleted policies are not removed from the TCP/IP stack.

Policy Agent termination (PURGE defined)
  IPSec policies:   TCP/IP stack policies are unchanged.
  Routing policies: TCP/IP stack policies are unchanged.
  Other policies:   All policies are removed from the TCP/IP stack.

Policy Agent termination (NOPURGE defined)
  IPSec policies:   TCP/IP stack policies are unchanged.
  Routing policies: TCP/IP stack policies are unchanged.
  Other policies:   TCP/IP stack policies are unchanged. Deleted policies are not removed from the TCP/IP stack.

Policy Agent update (FLUSH defined)
  IPSec policies:   If there are any changed or deleted policies, then all policies are replaced in the TCP/IP stack.
  Routing policies: Any changed policies are replaced in the TCP/IP stack, and then all deleted policies are removed from the TCP/IP stack.
  Other policies:   Any changed policies are replaced in the TCP/IP stack, and then all deleted policies are removed from the TCP/IP stack.

Policy Agent update (NOFLUSH defined)
  IPSec policies:   If there are any changed or deleted policies, then all policies are replaced in the TCP/IP stack.
  Routing policies: Any changed policies are replaced in the TCP/IP stack, and then all deleted policies are removed from the TCP/IP stack.
  Other policies:   Any changed policies are replaced in the TCP/IP stack. Deleted policies are not removed from the TCP/IP stack.

Policy Agent refresh (FLUSH defined)
  IPSec policies:   If there are any changed or deleted policies, then all policies are replaced in the TCP/IP stack.
  Routing policies: If there are any changed or deleted policies, then all policies are deleted and reloaded into the TCP/IP stack.
  Other policies:   If there are any changed or deleted policies, then all policies are deleted and reloaded into the TCP/IP stack.

Policy Agent refresh (NOFLUSH defined)
  IPSec policies:   If there are any changed or deleted policies, then all policies are replaced in the TCP/IP stack.
  Routing policies: If there are any changed or deleted policies, then all policies are deleted and reloaded into the TCP/IP stack.
  Other policies:   Any changed policies are replaced in the TCP/IP stack. Deleted policies are not removed from the TCP/IP stack.
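The operational consequence of the two tables is easy to miss when reading a configuration file: with NOFLUSH, a QoS, IDS or AT-TLS rule that has been deleted from the policy file keeps being enforced in the stack across start, update and refresh until a FLUSH or a stack recycle, and with NOPURGE those policies outlive the Policy Agent itself. The following audit script is an added example written for this page, not IBM code and not part of the Policy Agent. It reads a constructed main configuration, extracts FLUSH/PURGE from the statements Table 1 names (TcpImage, TTLSConfig, IDSConfig), flags IPSecConfig and RoutingConfig statements that carry those keywords even though Table 1 says they are not supported or not configurable there, and annotates each setting with the Table 2 consequence. Assumptions not taken from this page: one statement per line, '#' starts a comment, keywords are matched case-insensitively, the FLUSH/PURGE keywords appear as separate tokens after the statement name (as in 'TcpImage TCPCS /etc/pagent.conf FLUSH PURGE 600'), and the PolicyServer and PEPInstance forms are not parsed. The script does not assert what the defaults are; it only reports when a parameter is not written.

```python
"""Audit FLUSH/PURGE settings in a Policy Agent main configuration file.

Hypothetical audit script for this page (not IBM code). Statement syntax,
comment handling and case-insensitive keyword matching are assumptions; the
consequences quoted in the notes come from Table 1 and Table 2 of the page.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Table 1: statements that carry FLUSH/PURGE (PolicyServer/PEPInstance not parsed here).
FLUSH_PURGE_STATEMENTS = {"tcpimage", "ttlsconfig", "idsconfig"}
# Table 1: IPSec is "Not supported", Routing is "Not configurable".
NO_FLUSH_PURGE_STATEMENTS = {"ipsecconfig", "routingconfig"}
KEYWORDS = {"FLUSH", "NOFLUSH", "PURGE", "NOPURGE"}


@dataclass
class Finding:
    line: int
    statement: str
    flush: Optional[str]          # "FLUSH", "NOFLUSH", or None when not written
    purge: Optional[str]          # "PURGE", "NOPURGE", or None when not written
    notes: List[str] = field(default_factory=list)


def audit_pagent_config(text: str) -> List[Finding]:
    """Return one Finding per statement that carries, or wrongly carries, FLUSH/PURGE."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = raw.split("#", 1)[0].strip()          # assumption: '#' starts a comment
        if not code:
            continue
        tokens = code.split()
        stmt = tokens[0]
        params = [t.upper() for t in tokens[1:]]     # assumption: keywords are case-insensitive

        if stmt.lower() in NO_FLUSH_PURGE_STATEMENTS:
            stray = [t for t in params if t in KEYWORDS]
            if stray:
                findings.append(Finding(lineno, stmt, None, None,
                                        [f"{stmt} does not support {' '.join(stray)} (Table 1)"]))
            continue
        if stmt.lower() not in FLUSH_PURGE_STATEMENTS:
            continue

        flush = next((t for t in params if t in ("FLUSH", "NOFLUSH")), None)
        purge = next((t for t in params if t in ("PURGE", "NOPURGE")), None)
        f = Finding(lineno, stmt, flush, purge)
        if flush is None:
            f.notes.append("FLUSH/NOFLUSH not written; state it explicitly rather than relying on the default")
        elif flush == "NOFLUSH":
            f.notes.append("NOFLUSH: deleted QoS/IDS/AT-TLS policies stay installed in the stack "
                           "across start, update and refresh (Table 2)")
        if purge is None:
            f.notes.append("PURGE/NOPURGE not written; state it explicitly rather than relying on the default")
        elif purge == "NOPURGE":
            f.notes.append("NOPURGE: QoS/IDS/AT-TLS policies remain installed after Policy Agent terminates (Table 2)")
        findings.append(f)
    return findings


def statements_needing_attention(findings: List[Finding]) -> List[Finding]:
    """Only the findings that carry at least one note."""
    return [f for f in findings if f.notes]


# Constructed sample configuration for this example; not taken from a real system.
SAMPLE_CONFIG = """\
# Constructed Policy Agent main configuration (example only).
TcpImage TCPCS  /etc/pagent/tcpcs.policy  NOFLUSH NOPURGE 600   # stale policies survive edits and shutdown
TcpImage TCPCS2 /etc/pagent/tcpcs2.policy FLUSH   PURGE   600   # stack mirrors the files; cleared on exit
TTLSConfig  /etc/pagent/ttls.policy NOFLUSH PURGE
IDSConfig   /etc/pagent/ids.policy
IPSecConfig /etc/pagent/ipsec.policy FLUSH                        # FLUSH is not supported for IPSec
RoutingConfig /etc/pagent/routing.policy
"""

if __name__ == "__main__":
    for f in audit_pagent_config(SAMPLE_CONFIG):
        status = "OK  " if not f.notes else "WARN"
        print(f"{status} line {f.line}: {f.statement} flush={f.flush} purge={f.purge}")
        for note in f.notes:
            print(f"       - {note}")
```

Run against a real main configuration by reading the file into audit_pagent_config; the NOFLUSH and NOPURGE warnings are the ones to act on before relying on a policy-file edit to revoke a rule, since only FLUSH (or a stack recycle, per the Result below the table) actually removes a deleted policy from the stack.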
Rules:
Result: When a TCP/IP stack is recycled, the result is the same as if the FLUSH parameter was specified; all active policies are reinstalled into the stack.