Introduction
Promotion of Sentry Configs and policies across environments can pose risk where specific values, objects, or parameters do not align. For instance, certificates used in a lower environment are not typically used in Production. Therefore, it is critical to ensure these settings are not overwritten. Accordingly, Forum Systems has added a feature to better manage differences between environments.
New Feature
The Global Variable Feature allows Sentry Administrators the ability to define a variable in places where differences are likely to exist. For example, certificates, passwords, remote servers, and key pairs are all settings where the Global Variable can be used. Think of the Global Variable set up as a refence point to an environment specific file hosted within Sentry. This is a key concept and it is crucial to understand the relationship between the Global Variables and the actual Config. Please NOTE: The Global Variables are not bound to the FSG configs when exported or imported. That means when you export your policies as FSGs, Global Variables will not be included! As a result, the Admin will need to ensure each environment has its own set of Global Variables properly configured. This allows promotion of configurations and policies across environments with less potential for overwriting the values where Global Variables are used.
To begin using Global Variables, navigate to the Resource Policies under the Resources menu in the left nav bar.
Click Add to create a new Global Variable.
Next you will be able to select the different types of variables. You can choose from a standard variable (think remote servers and hosts and paths), passwords, key pairs, and certificates. Read further down in the article for more details and Global Variable naming conventions that may be helpful.
Once you have named the variable and defined the value, click Add to create the Global Variable.
When the new variable has been created, you can use the copy feature in order to quickly apply the variable.
After copying the variable, you can add it to the policy or object where you would like to apply it. See below for an example. You will notice the Global Variable name bracketed inside percent tags.
****NOTE: When applying Global Variables to remote destinations (eg: http_r_google_host) and keypairs (eg: keypair_client_sslterm), it is necessary to cycle the remote and/or listener policy using those new variables. You can accomplish that by disabling and enabling the policy on the Network page. The SSL policy using the keypair GV will also need to be saved after the Global Variable has been updated****
Import Options
In Version 9.1.222, there are new Import Options. When Importing Global Variables into your Sentry Instance, you have three options to select from to ensure your existing Global Variables are not negatively impacted. The options are in the drop down menu and are as follows:
- Fail- This option will fail the entire import in the event any Global Variable in the properties file already exists. This is the safest option to use to prevent any conflicts or unintended updates from occurring. If a failure occurs, no Variable will be imported at all, regardless of how many Variables are in the properties file.
- Ignore- This option will ignore any Global Variables that already exist, but import any that are new. This option is less safe, but it only imports new Variables.
- Overwrite- This option will import all Variables and overwrite any values that are different. This option is obviously the least safe option and should only be used when the known differences are expected and intended.
Best Practices
Here are some high-level Global Variable tips
- Use them anywhere you may have different values like defining a remote destination, path or a keypair.
- For the naming of the remote host Global Variables, it is a good idea to correlate the name to the remote destination. In other words, if you were naming your remote host variable for google.com, you would want to use https_r_google_host or something to that effect.
- You will want to keep the Global Variable names the same across all environments. Although the actual variable value can and likely will be different from one environment to the next, keeping the Global Variable names the same is ideal.
- Keep in mind, you can export Global Variables three ways, as FSG, as properties files (editable in notepad) and as yaml files.
- The FSG export is the full set of Global Variables - even if you select individuals, if you do an FSG export it is the full set. Therefore, when you do an FSG import of Global Variables the full set is being imported (overwriting all existing - not adding to them).
- The properties and yaml export/import options allow for selectively exporting/importing Global Variables - and when a Password type variable is included a password needs to be specified on export - this password encrypts the sensitive variable values.
- Global Variables will be included with the full fsx file export. At import, there is an option to exclude the Global Variables.
- Some of the naming conventions we typically use are below.
0 Comments