Switching between local and remote policies

If you dynamically switch from local policies to remote policies by adding the PolicyServer statement or a new PolicyType parameter within that statement, the FLUSH and PURGE parameters that are specified on the PolicyServer statement (or that are configured by default from the TcpImage statement) take effect, if the parameters are supported by the policy type.

Likewise, if you dynamically switch from remote policies to local policies by removing the PolicyServer statement or a PolicyType parameter from within that statement, the FLUSH and PURGE parameters that are specified on the xxxConfig statement (or that are configured by default from the TcpImage statement) take effect, if the parameters are supported by the policy type.

When the NOFLUSH parameter is used due to one of these dynamic switches, the result is that both the local and remote policies exist in the configuration; existing policies are not deleted when NOFLUSH is in effect, as shown in Table 2.

The following examples show how switching between local and remote policies works:

Switching from local IDS to remote IDS policies:
1. The TcpImage statement is configured with the FLUSH parameter.
2. The IDSConfig statement is not configured with the FLUSH or NOFLUSH parameters, so the TcpImage FLUSH value is used.
3. The local IDS policies are read and installed.
4. The PolicyServer statement is added with a PolicyType parameter for IDS that specifies the NOFLUSH value.
5. The remote IDS policies are retrieved and installed.
6. Because the NOFLUSH parameter is in effect (from the PolicyServer statement), the local IDS policies are not deleted; both the local and remote IDS policies exist.
Switching from remote AT-TLS to local AT-TLS policies:
1. The TcpImage statement is configured with the NOFLUSH parameter.
2. The TTLSConfig statement is configured with the FLUSH parameter.
3. The PolicyServer statement is configured with a PolicyType parameter for AT-TLS that specifies the FLUSH value.
4. The remote AT-TLS policies are retrieved and installed.
5. The PolicyType parameter for AT-TLS is removed from the PolicyServer statement.
6. The local IDS policies are read and installed.
7. Because the FLUSH parameter is in effect (from the TTLSConfig statement), the remote AT-TLS policies are deleted; only the local policies exist.

Result: Because the IPSec and Routing policy types always use the FLUSH value, the local and remote policies never exist at the same time.