Deploy a policy model

Deploy the security policy model to apply zones, conduits, and devices configurations.
Prerequisites
Confirm that all devices are operational and have network access. See Validate a policy model.
  1. To deploy a policy model
  2. From the
    FactoryTalk Policy Manager
     toolbar, select
    Deploy
     and then select either:
    • CIP Security
       to deploy policy model configuration to
      CIP Security
       system components.
    • OPC UA Security
       to deploy policy model configuration to
      OPC UA
       system components.
  3. In
    Scope of Deployment
    , select either:
    • Changed device communication ports only
      . Differential deployment. Use to deploy the security configuration to devices that have been changed since the last deployment. This type of deployment includes any changes made in the model configuration or changes made to the physical device, such as when a device is replaced for maintenance.
    • All device communication ports in the model
      . Full deployment.
    The list of devices identifies the devices that will be configured when this model is deployed.
    TIP: Scroll down or select
    More details
     to review the list. The list may contain devices that you have not modified directly. This can happen modification of one device impacted a related device. If the list contains unexpected devices, select
    CANCEL
     and then change the model as needed.
  4. (optional) To retain the devices marked to be deleted from the model in case of a communication failure, select
    Retain deleted devices and ports in policy model after failed deployments
    .
    TIP: If the
    Retain deleted devices and ports in policy model after failed deployments
     checkbox is cleared and a device cannot be removed from the security model, the device will not be visible in
    FactoryTalk Policy Manager
     and the device configuration will not be reset.
  5. Choose when to reset the communication channels for the items includes in the security policy model. Select either:
    • Reset existing connections
      . The communication port closes and reopens on the device during the deployment process. Similar to resetting the network card on a computer, the device stays functional but is disconnected from the network for a few moments. Using this option applies the new policy to the device at the same time that the policy is deployed.
    • (
      CIP
       only)
      Do not reset existing connections
      . The security policy settings will be deployed to the device but are not in effect. The communications ports must be reset before the security policy is used. This option is useful if there is a scheduled maintenance reset process in your environment that can be relied upon to perform this function. Connections with 1783 CIP Security® Proxy always reset during the policy model deployment.
      TIP: If you choose to reset the communication after deployment, the security policy may be applied to the devices at different times, depending on the device type, function and state of the control system.
  6. Select either:
    • Validate and deploy
      . To validate the connections between system components and then deploy the policy model.
    • Skip validation and deploy
      . To deploy the policy model.
    Results
     updates with the results of the deployment as it occurs.
    You can stop the deployment process at any point. If you stop the deployment process, the configured assets remain configured. Stopping the deployment process does not roll back the changes that have occurred.
    IMPORTANT: If you stop the deployment process during deploy, this can leave the system in an unexpected state. Communications between devices could be permanently interrupted requiring module reset.
  • Once the deployment is complete, a summary report lists the successes, failures, and errors encountered during the process.
    TIP: Select
    Save
     to export the results to a file for archival purposes.
    The possible deployment results are:
    Configuration complete
    No issues identified.
    Configuration complete
    Warnings identified. See Deployment results.
    Configuration not complete
    Error identified. See Deployment results.
  • If changes are made the policy after it is deployed, an asterisk
    (*)
     appears next to the device, indicating that the configured policy has not been deployed to that device.
  • Once the model is deployed and communications reset on the device, the device will only accept communications from other devices in the same zone or using conduits configured to enable communications with other security zones or devices. The device can still send communication to other devices.
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal