IC doesn't push 200 policies to Firewall. It pushes one policy ( From/To Zone Combination). Then IC sends session information for each user logged in to firewall. For each session , this policy gets evaluated to take decision on access.

Thanks for reply. Actually suppose for one role A, policy is deny to to the resources on IC and for another role B, policy is permit to the resources. Now IC pushes both the polices. My question is that:

1- When IC will push both policies? When users of both role connects to the IC? OR just when you created on IC.

2- When users of both roles comes to firewall then how firewall knows the correct policy for these users if policy pushed by IC to firewall does not take care of soruce IP?

Kindly help me in understanding this.

Thanks

Basically resources are restricted by roles.

When a user goes for resources behind firewall, firewall will go to Infranet Auth which you have configured in Firewall earlier, infranet auth (ic-4000) will check that user against roles assigned to it and push information regarding that role to Firewall and an Auth table will be maintained for that user with his role on Firewall..

Regards,

Raja