Hi,
I think a few issues need to be clarified:
1. Fail Safe mode is about what should happen when the App virtual appliance (not vShield Manager) has failed; whether it should fail open (all the VMs are reachable) or fail closed (VMs are not reachable). Your security policy should dictate which is the appropriate choice.
2. If the vShield Manager itself (not the App virtual appliance) goes down, the protection settings still work as normal on all the hosts where App is deployed. Your only problem when the Manager is down is that you won't be able to make changes to the system (i.e., new firewall rules, including/excluding VMs, etc.).
3. The rule-base in App is hierarchical, with default rules being at the lowest level. You can either:
- Allow all traffic by default (i.e., explicitly deny certain traffic and allow everything else)
- Deny all traffic by default (i.e., explicitly allow certain traffic and deny everything else)
Both scenarios are dealing with traffic when the App appliance is UP. When the App appliance is DOWN, the rule-base is irrelevant (obviously) and you're relying on Fail Safe mode to determine what happens (point 1 above).
Hope this helps.