All security policies, except for the Data Encryption and VPN Enforcement policies, support merging of settings from multiple policies to create the effective policy.
After ordering is complete for a policy type, ordered lists exist for each assigned location and for the “global” location. The Endpoint Security Agent then completes the following process to merge policies and generate the final effective policy for each location:
Security policies support inheritance, which is the passing of a setting from one policy to another policy of the same type. This allows settings from multiple policies to be merged into the single effective policy. Without inheritance, the effective policy would simply be the highest priority policy in the ordered list.
A policy setting is either single-valued, such as a Firewall policy’s Default Behavior field, or is multi-valued, such as a Firewall policy’s Port/Protocol Rules list. Single-valued settings can have assigned values, or they can inherit values from higher-level policies. Multi-valued settings can have their own values; in addition, they automatically inherit values from higher-level policies.
Consider the following example, where Policy A, B, and C are listed in order of precedence:
| Order | Policy | Setting 1 | Setting 2 | List 3 |
|---|---|---|---|---|
| 1 | A | Inherit | Disable | Item 1, Item 2 |
| 2 | B | Inherit | Inherit | Item 1, Item 4 |
| 3 | C | Enable | Enable | Item 3, Item 5 |
| | Effective | Enable | Disable | Item 1, Item 2, Item 3, Item 4, Item 5 |
To determine the effective policy settings, the policies are evaluated and aggregated so that proper settings can be applied to the device. Higher priority settings take precedence over lower priority settings if there is a conflict.
For Setting 1 (a single-valued setting), Policy A inherits from Policy B, which inherits the Enable value from Policy C. Therefore, the effective value for Setting 1 is Enable.
For Setting 2 (a single-valued setting), Policy A is set to Disable, so the remaining policies are ignored. Therefore, the effective value for Setting 2 is Disable.
For List 3 (a multi-valued setting), the values from all three policy lists are used. Values that are exact matches, such as Item 1, are included only one time. Therefore, the effective values for List 3 are Item 1, Item 2, Item 3, Item 4, and Item 5.
Policy setting inheritance can be blocked at any policy. When it is blocked, inheritance stops at that policy. Consider the following example:
| Order | Policy | Inheritance | Setting 1 | Setting 2 | List 3 |
|---|---|---|---|---|---|
| 1 | D | Allowed | Inherit | Disable | Item 1, Item 2 |
| 2 | E | Blocked | Enable | Disable | Item 1, Item 4 |
| 3 | F | Allowed | Inherit | Enable | Item 3, Item 5 |
| | Effective | | Enable | Disable | Item 1, Item 2, Item 4 |
Policy E blocks setting inheritance from any lower priority policies.
For Setting 1 (a single-valued setting), Policy D inherits from Policy E, which blocks inheritance from F. Therefore, the effective value for Setting 1 is Enable.
For Setting 2 (a single-valued setting), Policy D is set to Disable, so the remaining policies are ignored. Therefore, the effective value for Setting 2 is Disable.
For List 3 (a multi-valued setting), the values from Policy D and Policy E are used. The values from Policy F are not used because Policy E blocks the inheritance of those values. Therefore, the effective values for List 3 are Item 1, Item 2, and Item 4.
At this point, inheritance has been applied to all of the location ordered lists, including the global ordered list. The result is an effective policy for each location and for the global location.
When you assign policies to locations, you have the option of enabling the Merge policy with assigned global policies setting. When it is enabled, this setting causes an effective location policy to inherit any “unset” values from the effective global policy. Consider the following example:
| Setting | Location 1 Policy | Location 2 Policy | Location 3 Policy | Global Policy |
|---|---|---|---|---|
| Setting 1 | Enable | Disable | Inherit | Disable |
| Setting 2 | Inherit | Disable | Disable | Disable |
| Setting 3 | Enable | Inherit | Enable | Enable |
Any location policy setting whose value is Inherit receives the value from the global policy setting.
Setting 1 in the Location 3 policy is set to Inherit. Therefore, it receives the value (Disable) assigned to Setting 1 in the Global policy. The same is true for Setting 2 in the Location 1 policy and Setting 3 in the Location 2 policy.
The Endpoint Security Agent has a default policy of every type. Generally, the setting values for the default policy cause no change to the device.
If, after inheritance has been applied to all of the assigned policies, a setting value in the effective policy is still set to Inherit, the default value is used. The final result is that every setting value is defined for the effective policy.
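The merge process described above (ordered inheritance of single-valued settings, union of multi-valued lists, inheritance blocking, the optional merge with the global policy, and the fall-back to defaults) as an added Python model; this is example code, not the Endpoint Security Agent's implementation, and the `Policy` class, `INHERIT` marker and dictionary shapes are assumptions made for illustration. It assumes that only single-valued "unset" settings are taken from the global policy, since the text describes the merge in those terms.

```python
"""Toy model of effective-policy computation (example code, not the agent's)."""
from dataclasses import dataclass, field

INHERIT = "Inherit"  # marker for a setting that takes its value from lower down


@dataclass
class Policy:
    name: str
    settings: dict = field(default_factory=dict)  # single-valued: value or INHERIT
    lists: dict = field(default_factory=dict)     # multi-valued: list of items
    block_inheritance: bool = False               # stop inheriting from lower priority


def merge_ordered(policies):
    """Merge an ordered list (highest priority first) into (settings, lists)."""
    settings, lists = {}, {}
    for policy in policies:
        for key, value in policy.settings.items():
            # The highest-priority assigned value wins; only INHERIT falls through.
            if settings.get(key, INHERIT) == INHERIT:
                settings[key] = value
        for key, items in policy.lists.items():
            merged = lists.setdefault(key, [])
            for item in items:
                # Multi-valued settings are unioned; exact duplicates appear once.
                if item not in merged:
                    merged.append(item)
        if policy.block_inheritance:
            break  # nothing below a blocking policy contributes
    return settings, lists


def effective_policy(location_policies, global_policies, defaults, merge_with_global):
    """Compute the final effective policy for one location."""
    settings, lists = merge_ordered(location_policies)
    if merge_with_global:
        global_settings, _ = merge_ordered(global_policies)
        for key, value in global_settings.items():
            # Assumption: only single-valued "unset" settings come from global.
            if settings.get(key, INHERIT) == INHERIT:
                settings[key] = value
    # Anything still unset falls back to the agent's default policy.
    for key, value in defaults.items():
        if settings.get(key, INHERIT) == INHERIT:
            settings[key] = value
    return settings, lists
```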