There are three options for IP security policy configuration for
a system:
- Use a common IP security configuration file that applies
to all stacks on the system, enforcing a consistent policy. In this
instance, a stack-specific IP security configuration file
is not necessary.
- Use a unique and separate stack-specific IP security configuration file
for each stack on the system. In this instance, a common IP security
configuration file is not necessary.
- Use both a common and a stack-specific IP security configuration file:
  - The common IP security configuration file can be used
    as a common repository for frequently used definitions, which can
    be referenced by any stack-specific IP security configuration file.
  - The stack-specific IP security configuration file can
    contain unique statements that apply only to the stack for which it
    is configured, and can reference statements that are defined in the common
    IP security configuration file.

When using the last approach, duplicate statements can exist in the
common and the stack-specific IP security configuration files (for example,
two IpFilterRule statements with the same name). This is not an error.
In this case, the statement in the stack-specific IP security configuration
file is honored. Statements in the stack-specific IP security configuration
file always take precedence over those in the common IP security
configuration file.
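
Because a duplicate name is not reported as an error, a stack-specific statement can silently replace a common one. The following audit sketch is an added example, not part of the original documentation or of any product tooling: it lists statements defined in both files and whether their bodies differ. The simplified statement syntax it parses, the helper names, and the sample file contents are assumptions made for illustration.

```python
import re

# Assumption: each top-level statement is "<Type> <name>" followed by a
# "{ ... }" block, and "#" starts a comment. Simplified for illustration.
HEADER = re.compile(r"^\s*([A-Za-z]\w*)\s+(\S+)\s*$")

def named_statements(text):
    """Return {(type, name): [body lines]} for top-level named statements."""
    found, depth, pending, current = {}, 0, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0:
            m = HEADER.match(line.split("{", 1)[0])
            if m:
                pending = (m.group(1), m.group(2))
            if "{" in line and pending:
                current, pending = pending, None
                found[current] = []
        elif current and not (line == "}" and depth == 1):
            found[current].append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return found

def shadowed(common_text, stack_text):
    """List (type, name, body_differs) for names defined in both files."""
    c, s = named_statements(common_text), named_statements(stack_text)
    return sorted((t, n, c[t, n] != s[t, n]) for t, n in c.keys() & s.keys())

def effective(common_text, stack_text):
    """Merge both files; the stack-specific definition wins on a name clash."""
    merged = {k: "common" for k in named_statements(common_text)}
    merged.update({k: "stack-specific" for k in named_statements(stack_text)})
    return merged

# Constructed sample files (not from the original page).
COMMON = ("IpGenericFilterAction deny-log\n{\n  IpFilterAction Deny\n}\n"
          "IpFilterRule AdminAccess\n{\n  IpSourceAddr 10.1.1.0/24\n"
          "  IpGenericFilterActionRef deny-log\n}\n"
          "IpFilterRule CommonOnly\n{\n  IpGenericFilterActionRef deny-log\n}\n")
STACK = ("IpGenericFilterAction deny-log {\n  IpFilterAction Deny  # same body\n}\n"
         "IpFilterRule AdminAccess\n{\n  IpSourceAddr 10.1.0.0/16\n"
         "  IpGenericFilterActionRef deny-log\n}\n")

if __name__ == "__main__":
    for stype, name, differs in shadowed(COMMON, STACK):
        print(stype, name, "overridden" if differs else "duplicate, same body")
```

A statement reported with a differing body is the case to review, since the common definition no longer applies on that stack.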