5.2 Merging

All security policies, except for the Data Encryption and VPN Enforcement policies, support merging of settings from multiple policies to create the effective policy.

After ordering is complete for a policy type, ordered lists exist for each assigned location and for the “global” location. The Endpoint Security Agent then completes the following process to merge policies and generate the final effective policy for each location:

5.2.1 Apply Inheritance to the Location Ordered Lists

Security policies support inheritance, which is the passing of a setting from one policy to another policy of the same type. This allows settings from multiple policies to be merged into the single effective policy. Without inheritance, the effective policy would simply be the highest priority policy in the ordered list.

A policy setting is either single-valued, such as a Firewall policy’s Default Behavior field, or is multi-valued, such as a Firewall policy’s Port/Protocol Rules list. Single-valued settings can have assigned values, or they can inherit values from higher-level policies. Multi-valued settings can have their own values; in addition, they automatically inherit values from higher-level policies.

Consider the following example, where Policy A, B, and C are listed in order of precedence:

Policy

Setting 1

Setting 2

List 3

1

A

Inherit

Disable

Item 1, Item 2

2

B

Inherit

Inherit

Item 1, Item 4

3

C

Enable

Enable

Item 3, Item 5

 

Effective

Enable

Disable

Item 1, Item 2, Item 3, Item 4, Item 5

To determine the effective policy settings, the policies are evaluated and aggregated so that proper settings can be applied to the device. Higher priority settings take precedence over lower priority settings if there is a conflict.

For Setting 1 (a single-valued setting), Policy A inherits from Policy B, which inherits the Enable value from Policy C. Therefore, the effective value for Setting 1 is Enable.

For Setting 2 (a single-valued setting), Policy A is set to Disable, so the remaining policies are ignored. Therefore, the effective value for Setting 2 is Disable.

For List 3 (a multi-valued setting), the values from all three policy lists are used. Values that are exact matches, such as Item 1, are included only one time. Therefore, the effective values for List 3 are Item 1, Item 2, Item 3, Item 4, and Item 5.

Policy setting inheritance can be blocked at any policy. When it is blocked, inheritance stops at that policy. Consider the following example:

Policy

Inheritance

Setting 1

Setting 2

List 3

1

D

Allowed

Inherit

Disable

Item 1, Item 2

2

E

Blocked

Enable

Disable

Item 1, Item 4

3

F

Allowed

Inherit

Enable

Item 3, Item 5

 

Effective

 

Enable

Disable

Item 1, Item 2, Item 4

Policy E blocks setting inheritance from any lower priority policies.

For Setting 1 (a single-valued setting), Policy D inherits from Policy E, which blocks inheritance from F. Therefore, the effective value for Setting 1 is Enable.

For Setting 2 (a single-valued setting), Policy D is set to Disable, so the remaining policies are ignored. Therefore, the effective value for Setting 2 is Disable.

For List 3 (a multi-valued setting), the values from Policy D and Policy E are used. The values from Policy F are not used because Policy D blocks the inheritance of those values. Therefore, the effective values for List 3 are Item 1, Item 2, and Item 4.

5.2.2 Merge the Location Effective Policies with the Global Effective Policy

At this point, inheritance has been applied to all of the location ordered lists, including the global ordered list. The result is an effective policy for each location and for the global location.

When you assign policies to locations, you have the option of enabling the Merge policy with assigned global policies setting. When it is enabled, this setting causes an effective location policy to inherit any “unset” values from the effective global policy. Consider the following example:

Setting

Location 1 Policy

Location 2 Policy

Location 3 Policy

Global Policy

Setting 1

Enable

Disable

Inherit

Disable

Setting 2

Inherit

Disable

Disable

Disable

Setting 3

Enable

Inherit

Enable

Enable

Any location policy setting whose value is Inherit receives the value from the global policy setting.

Setting 1 in the Location 3 policy is set to Inherit. Therefore, it receives the value (Disable) assigned to Setting 1 in the Global policy. The same is true for Setting 2 in the Location 1 policy and Setting 3 in the Location 2 policy.

5.2.3 Merge Location Effective Policies with Default Effective Policy

The Endpoint Security Agent has a default policy of every type. Generally, the setting values for the default policy cause no change to the device.

If, after inheritance has been applied to all of the assigned policies, a setting value in the effective policy is still set to Inherit, the default value is used. The final result is that every setting value is defined for the effective policy.