5.2 Merging

All security policies, except for the Data Encryption and VPN Enforcement policies, support merging of settings from multiple policies to create the effective policy.

After ordering is complete for a policy type, ordered lists exist for each assigned location and for the “global” location. The Endpoint Security Agent then completes the following process to merge policies and generate the final effective policy for each location:

5.2.1 Apply Inheritance to the Location Ordered Lists

Security policies support inheritance, which is the passing of a setting from one policy to another policy of the same type. This allows settings from multiple policies to be merged into the single effective policy. Without inheritance, the effective policy would simply be the highest priority policy in the ordered list.

A policy setting is either single-valued, such as a Firewall policy’s Default Behavior field, or is multi-valued, such as a Firewall policy’s Port/Protocol Rules list. Single-valued settings can have assigned values, or they can inherit values from higher-level policies. Multi-valued settings can have their own values; in addition, they automatically inherit values from higher-level policies.

Consider the following example, where Policy A, B, and C are listed in order of precedence:

Order | Policy    | Setting 1 | Setting 2 | List 3
------|-----------|-----------|-----------|---------------------------------------
1     | A         | Inherit   | Disable   | Item 1, Item 2
2     | B         | Inherit   | Inherit   | Item 1, Item 4
3     | C         | Enable    | Enable    | Item 3, Item 5
      | Effective | Enable    | Disable   | Item 1, Item 2, Item 3, Item 4, Item 5

To determine the effective policy settings, the policies are evaluated from top (highest priority) to bottom (lowest priority). The first non-inherited setting to be found becomes the effective policy setting.

For Setting 1 (a single-valued setting), Policy A inherits from Policy B, which inherits the Enable value from Policy C. Therefore, the effective value for Setting 1 is Enable.

For Setting 2 (a single-valued setting), Policy A is set to Disable, so the remaining policies are ignored. Therefore, the effective value for Setting 2 is Disable.

For List 3 (a multi-valued setting), the values from all three policy lists are used. Values that are exact matches, such as Item 1, are included only one time. Therefore, the effective values for List 3 are Item 1, Item 2, Item 3, Item 4, and Item 5.

Policy setting inheritance can be blocked at any policy. When it is blocked, inheritance stops at that policy. Consider the following example:

Order | Policy    | Inheritance | Setting 1 | Setting 2 | List 3
------|-----------|-------------|-----------|-----------|-----------------------
1     | D         | Allowed     | Inherit   | Disable   | Item 1, Item 2
2     | E         | Blocked     | Enable    | Disable   | Item 1, Item 4
3     | F         | Allowed     | Inherit   | Enable    | Item 3, Item 5
      | Effective |             | Enable    | Disable   | Item 1, Item 2, Item 4

Policy E blocks setting inheritance from any lower priority policies.

For Setting 1 (a single-valued setting), Policy D inherits from Policy E, which blocks inheritance from F. Therefore, the effective value for Setting 1 is Enable.

For Setting 2 (a single-valued setting), Policy D is set to Disable, so the remaining policies are ignored. Therefore, the effective value for Setting 2 is Disable.

For List 3 (a multi-valued setting), the values from Policy D and Policy E are used. The values from Policy F are not used because Policy E blocks the inheritance of those values. Therefore, the effective values for List 3 are Item 1, Item 2, and Item 4.

5.2.2 Merge the Location Effective Policies with the Global Effective Policy

At this point, inheritance has been applied to all of the location ordered lists, including the global ordered list. The result is an effective policy for each location and for the global location.

When you assign policies to locations, you have the option of enabling the Merge policy with assigned global policies setting. When it is enabled, this setting causes an effective location policy to inherit any “unset” values from the effective global policy. Consider the following example:

Setting   | Location 1 Policy | Location 2 Policy | Location 3 Policy | Global Policy
----------|-------------------|-------------------|-------------------|--------------
Setting 1 | Enable            | Disable           | Inherit           | Disable
Setting 2 | Inherit           | Disable           | Disable           | Disable
Setting 3 | Enable            | Inherit           | Enable            | Enable

Any location policy setting whose value is Inherit receives the value from the global policy setting.

Setting 1 in the Location 3 policy is set to Inherit. Therefore, it receives the value (Disable) assigned to Setting 1 in the Global policy. The same is true for Setting 2 in the Location 1 policy and Setting 3 in the Location 2 policy.

5.2.3 Merge Location Effective Policies with Default Effective Policy

The Endpoint Security Agent has a default policy of every type. Generally, the setting values for the default policy cause no change to the device.

If, after inheritance has been applied to all of the assigned policies, a setting value in the effective policy is still set to Inherit, the default value is used. The final result is that every setting value is defined for the effective policy.
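The three merge steps above (inheritance with blocking, merge with the global policy, and the default fallback) as a small model in Python. This is an added illustration, not code from the ZENworks agent; the policy dictionary layout, the "block" flag and the function names are assumptions, and the sample input reproduces the D/E/F table from 5.2.1.

```python
INHERIT = "Inherit"  # placeholder value for an unset single-valued setting

def apply_inheritance(ordered):
    """Step 5.2.1. `ordered` lists policies from highest to lowest priority,
    each as {"settings": {name: value}, "lists": {name: [items]}, "block": bool}.
    A single-valued setting takes the first non-Inherit value found; a list is
    the union of all lists; block=True stops inheritance from lower policies."""
    settings, lists = {}, {}
    for policy in ordered:
        for name, value in policy["settings"].items():
            if settings.get(name, INHERIT) == INHERIT:
                settings[name] = value  # first non-inherited value wins
        for name, items in policy["lists"].items():
            merged = lists.setdefault(name, [])
            for item in items:
                if item not in merged:  # exact matches included only once
                    merged.append(item)
        if policy.get("block"):
            break  # lower-priority policies are ignored entirely
    return {"settings": settings, "lists": lists}

def merge_with_global(location, global_effective):
    """Step 5.2.2. With "Merge policy with assigned global policies" enabled,
    an Inherit value in the location effective policy takes the value from
    the global effective policy (the page shows this for single-valued
    settings only, so lists are left as they are)."""
    settings = dict(location["settings"])
    for name, value in global_effective["settings"].items():
        if settings.get(name, INHERIT) == INHERIT:
            settings[name] = value
    return {"settings": settings, "lists": location["lists"]}

def apply_defaults(effective, defaults):
    """Step 5.2.3. Anything still Inherit takes the agent's default value, so
    every setting in the final effective policy is defined."""
    settings = dict(defaults)  # the agent has a default for every setting
    for name, value in effective["settings"].items():
        if value != INHERIT:
            settings[name] = value
    return {"settings": settings, "lists": effective["lists"]}

# Constructed input reproducing the second table above (policies D, E, F).
POLICIES_DEF = [
    {"settings": {"Setting 1": INHERIT, "Setting 2": "Disable"},
     "lists": {"List 3": ["Item 1", "Item 2"]}, "block": False},
    {"settings": {"Setting 1": "Enable", "Setting 2": "Disable"},
     "lists": {"List 3": ["Item 1", "Item 4"]}, "block": True},
    {"settings": {"Setting 1": INHERIT, "Setting 2": "Enable"},
     "lists": {"List 3": ["Item 3", "Item 5"]}, "block": False},
]
```

Running `apply_inheritance(POLICIES_DEF)` yields Setting 1 = Enable, Setting 2 = Disable and List 3 = Item 1, Item 2, Item 4, matching the Effective row of the table.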