FLUSH and PURGE considerations
The FLUSH/NOFLUSH and PURGE/NOPURGE parameters can be configured for each policy type supported by the Policy Agent.
These parameters determine whether or not policies are deleted from the associated TCP/IP stack under certain conditions, as detailed in Table 2.
Table 1 shows where you configure these parameters for each type of local or remote policy.
| Policy type | Statement where configured |
|---|---|
| Local Routing and ZERT policies | Not configurable (always support FLUSH and NOPURGE) |
| Local IDS policies | IDSConfig or TcpImage/PEPInstance |
| Local IPSec policies | Not supported |
| Local QoS policies | TcpImage/PEPInstance |
| Local AT-TLS policies | TTLSConfig or TcpImage/PEPInstance |
| Remote policies (all types except IPSec, Routing, and ZERT ) | PolicyServer or TcpImage/PEPInstance |
Results:
- IPSec policies do not use these parameters. Instead, IPSec functions as though the FLUSH and NOPURGE parameters are always specified, with the exception that the FLUSH parameter has no effect when the MODIFY REFRESH command is entered.
- Parameters specified on the TcpImage/PEPInstance statement are overridden by parameters configured on other statements.
Table 2 shows the results of using the FLUSH and PURGE parameters.
| Event | IPSec policies | Routing and ZERT policies | Other policies |
|---|---|---|---|
| Policy Agent start (FLUSH defined) | All policies are replaced in the TCP/IP stack. | All policies are deleted and reloaded into the TCP/IP stack. | All policies are deleted and reloaded into the TCP/IP stack. |
| Policy Agent start (NOFLUSH defined) | All policies are replaced in the TCP/IP stack. | All policies are deleted and reloaded into the TCP/IP stack. | All changed policies are updated in the TCP/IP stack. Deleted policies are not removed from the TCP/IP stack. |
| Policy Agent termination (PURGE defined) | TCP/IP stack policies are unchanged. | TCP/IP stack policies are unchanged. | All policies are removed from the TCP/IP stack. |
| Policy Agent termination (NOPURGE defined) | TCP/IP stack policies are unchanged. | TCP/IP stack policies are unchanged. | TCP/IP stack policies are unchanged. Deleted policies are not removed from the TCP/IP stack. |
| Policy Agent update (FLUSH defined) | If there are any changed or deleted policies, then all policies are replaced in the TCP/IP stack. | Any changed policies are replaced in the TCP/IP stack, and then all deleted policies are removed from the TCP/IP stack. | Any changed policies are replaced in the TCP/IP stack, and then all deleted policies are removed from the TCP/IP stack. |
| Policy Agent update (NOFLUSH defined) | If there are any changed or deleted policies, then all policies are replaced in the TCP/IP stack. | Any changed policies are replaced in the TCP/IP stack, and then all deleted policies are removed from the TCP/IP stack. | Any changed policies are replaced in the TCP/IP stack. Deleted policies are not removed from the TCP/IP stack. |
| Policy Agent refresh (FLUSH defined) | If there are any changed or deleted policies, then all policies are replaced in the TCP/IP stack. | If there are any changed or deleted policies, then all policies are deleted and reloaded into the TCP/IP stack. | If there are any changed or deleted policies, then all policies are deleted and reloaded into the TCP/IP stack. |
| Policy Agent refresh (NOFLUSH defined) | If there are any changed or deleted policies, then all policies are replaced in the TCP/IP stack. | If there are any changed or deleted policies, then all policies are deleted and reloaded into the TCP/IP stack. | Any changed policies are replaced in the TCP/IP stack. Deleted policies are not removed from the TCP/IP stack. |
Rules:
- The TCP/IP stack results do not apply for policy client policies configured on the policy server.
- The PURGE and NOPURGE parameters have no effect on policy client policies configured on the policy server.
Result: When a TCP/IP stack is recycled,
the result is the same as if the FLUSH parameter was specified; all
active policies are reinstalled into the stack.