Black Box EncrypTight Appliance Trim Kit User Manual


 
Policy Concepts
EncrypTight User Guide 187
Minimizing Policy Size
Using EncrypTight in large, complex networks with multiple subnets protected by separate PEPs can
result in a large number of SAs on each PEP. The increased management traffic for renewing keys and
refreshing policy lifetimes could adversely affect the performance of EncrypTight. If you do not require
policy filtering based on the subnets located behind each PEP, use the Minimize Policy Size feature to
avoid this. This feature is not applicable to Layer 2 Ethernet policies.
The Minimize Policy Size feature includes two options, depending on the type of policy. You can select
Ignore source IP address for any IP policy. For mesh policies, you can select either Ignore source IP
address or Apply to all traffic.
When you enable the Ignore source IP address option:
- The source network address for outbound traffic is replaced with an all-networks wildcard address
  (0.0.0.0/0).
- The destination network address for inbound traffic is replaced with an all-networks wildcard address
  (0.0.0.0/0).
This results in a significant reduction in policy size and keys in each PEP associated with the policy.
The Apply to all traffic option is useful for large mesh networks when you know that each PEP only
sends traffic to other PEPs using the same policy. Selecting this option applies the policy to all traffic,
inbound and outbound, regardless of the source and destination addresses or ports. If the policy specifies
encryption, all PEPs associated with the policy use the same key set, reducing the number of policy
entries and SAs on each PEP.
NOTE
This option is only available for IPSec policies.
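The following is an added illustrative model, not EncrypTight code or the appliance's actual policy compiler. It builds the per-PEP selector set for a mesh policy over a constructed three-PEP topology (hypothetical addresses), applies the two Minimize Policy Size options as the text describes them, counts the resulting entries, and shows the trade-off: once the source address is replaced with 0.0.0.0/0, the policy no longer distinguishes traffic originating from an unprotected source, which is why the option is only appropriate when you do not need source-subnet filtering.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")  # the all-networks wildcard the manual describes

# Constructed sample topology (hypothetical): three PEPs, each protecting two subnets.
PEPS = {
    "pep-a": ["10.1.0.0/24", "10.1.1.0/24"],
    "pep-b": ["10.2.0.0/24", "10.2.1.0/24"],
    "pep-c": ["10.3.0.0/24", "10.3.1.0/24"],
}


def build_policy(peps, pep, mode="full"):
    """Return the set of (source, destination) selector pairs installed on `pep`
    for a mesh policy protecting traffic between every PEP-protected subnet.

    mode: "full"          - one entry per (local, remote) subnet pair, each direction
          "ignore_source" - outbound source / inbound destination replaced by 0.0.0.0/0
          "all_traffic"   - a single any-to-any entry (the Apply to all traffic option)
    """
    if mode == "all_traffic":
        return {(ANY, ANY)}
    local = [ip_network(s) for s in peps[pep]]
    remote = [ip_network(s) for name, subs in peps.items() if name != pep for s in subs]
    entries = set()
    for r in remote:
        for l in local:
            if mode == "ignore_source":
                outbound, inbound = (ANY, r), (r, ANY)
            else:
                outbound, inbound = (l, r), (r, l)
            entries.add(outbound)
            entries.add(inbound)
    # A set collapses the duplicates created by the wildcard, which is the whole point
    # of the option: k local subnets no longer multiply the entry count.
    return entries


def policy_sizes(peps, mode="full"):
    """Number of distinct selector entries per PEP for the given mode."""
    return {pep: len(build_policy(peps, pep, mode)) for pep in peps}


def matches(entries, src_ip, dst_ip):
    """True if a packet from src_ip to dst_ip is selected by any entry."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return any(src in s and dst in d for s, d in entries)


if __name__ == "__main__":
    for mode in ("full", "ignore_source", "all_traffic"):
        print(mode, policy_sizes(PEPS, mode))
    # Source filtering is lost once the wildcard replaces the source address:
    print(matches(build_policy(PEPS, "pep-a"), "192.168.5.7", "10.2.0.5"))
    print(matches(build_policy(PEPS, "pep-a", "ignore_source"), "192.168.5.7", "10.2.0.5"))
```

With two local and four remote subnets per PEP, the full policy carries 16 entries per PEP, Ignore source IP address cuts that to 8 (one outbound and one inbound entry per remote subnet), and Apply to all traffic leaves a single entry. The last two lines show the caveat: a packet from an address that no PEP protects (192.168.5.7) is rejected by the full policy but selected once the source is wildcarded.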