Automatic Policy Deployment
Automatic Policy Deployment leverages the ODVA CIP Security pull model that enables EtherNet/IP endpoints (for example, field devices) to initiate the deployment of policies defined on a system server.
During the onboarding process, the devices are discovered, identified, and provisioned with identities and temporary policies. The onboarded devices can then be merged into the policy model and have their policies deployed automatically.
Overview
By using Automatic Policy Deployment, you can improve the system's:
- Operational readiness level
- Uptime
- Security (by provisioning security policies to field devices as soon as they power up)
Automatic Policy Deployment supports the following devices:
- ControlLogix 5580 controllers (version 34)
- GuardLogix 5580 controllers (version 34)
- CompactLogix 5380 controllers (version 34)
- Compact GuardLogix 5380 controllers (version 34)
- EtherNet/IP communication modules (1756-EN4TR, version 4.001)
Automatic Policy Deployment requires a system server with FactoryTalk Policy Manager installed and FactoryTalk System Services running.
TIP: After the FactoryTalk Policy Manager installation, FactoryTalk System Services start automatically with Windows and run independently from FactoryTalk Policy Manager. FactoryTalk System Services operate in the background even if the FactoryTalk Policy Manager application is closed.
Operation
Automatic Policy Deployment discovers the devices in the network that you can add to the policy model.
IMPORTANT: Automatic Policy Deployment can onboard and merge only a single EtherNet/IP interface of a device. This applies to CompactLogix 5380 controllers operating in the Dual IP mode.
IMPORTANT: Automatic Policy Deployment uses the Enrollment over Secure Transport (EST) service. If your machine has multiple network interfaces, the EST service uses a random network interface by default. To specify the network interface for the EST service, see Configure Automatic Policy Deployment for multiple network interfaces.
Depending on your requirements, you can set Automatic Policy Deployment to:
- Automatically or manually deploy the configuration of discovered devices that match the devices in the policy model.
- Allow or restrict the devices in the Onboarding Area from connecting with other devices in the network.
TIP: The Automatic Policy Deployment process is independent from the manual policy deployment process. The manual policy model deployment process can interrupt the Automatic Policy Deployment process. Once the policy model is deployed, Automatic Policy Deployment continues adding and merging the discovered devices.
For auditing and troubleshooting purposes, Automatic Policy Deployment indicates changes to the policy model with:
- The Results pane updates.
- Toast notifications for onboarding devices and merged devices.
- The following icons throughout the FactoryTalk Policy Manager interface:
  Notification icons (one icon per event):
  - Devices newly added to the Onboarding Area.
  - Automatically merged and deployed devices.
  - Automatically merged devices.