Skip to main content

Assigning local policies

You can assign local policies in two ways:

  • Device-based assignment, meaning that you manually select the target endpoints to which you assign the policies. These policies are also known as device policies.

  • Rule-based assignment, meaning that a policy is assigned to a managed endpoint if the network settings on the endpoint match the given conditions of an existing assignment rule.

Note

You can assign only policies created by you. To assign a policy created by another user, you have to clone it first in the Policies page.

Assigning device policies

In GravityZone, you can assign policies in multiple ways:

  • Assign the policy directly to the target.

  • Assign the policy of the parent group through inheritance.

  • Force policy inheritance to the target.

By default, each endpoint or group of endpoints inherits the policy of the parent group. If you change the policy of the parent group, all descendants will be affected, excepting those with an enforced policy.

To assign a device policy:

  1. Log in to GravityZone Control Center.

  2. Go to the Network page from the left side menu.

  3. Choose the network view from the views selector.

  4. Select the target endpoints. You can select one or several endpoints or groups of endpoints.

    For inheritance purposes, you cannot change the policy of the root group from default. For example, Computer and Virtual Machines will always have the Default policy assigned.

  5. Click the policy.png Assign Policy button at the upper side of the table, or select the Assign Policy option from the contextual menu.

    The Policy Assignment page is displayed:

    network-policy_assignment.png
  6. Check the table with target endpoints. For each endpoint, you can view:

    • The assigned policy.

    • The parent group from which the target inherits the policy, if the case.

      If the group is forcing the policy, you can click its name to view the Policy Assignment page with this group as target.

    • The enforcement status.

      This status shows whether the target is forcing policy inheritance or is forced to inherit the policy:

      • Forcing: The policy is forced to child groups.

      • Is forced: The policy is inherited and forced from above.

      • N/A: No forced policy.

      Notice the targets with enforced policy (Is forced status). Their policies cannot be replaced. In such case, a warning message is displayed.

  7. In case of warning, click the Exclude these targets link to continue.

  8. Choose one of the available options to assign the policy:

    • Assign the following policy template - to appoint a specific policy directly to the target endpoints.

    • Inherit from above - to use the policy of the parent group.

  9. If you chose to assign a policy template:

    1. Select the policy from the drop-down list.

    2. Select Force policy inheritance to child groups to achieve the following:

      • Assign the policy to all descendants of the target groups, with no exception.

      • Prevent changing it from elsewhere lower in the hierarchy.

      A new table displays recursively all affected endpoints and groups of endpoints, together with the policies that will be replaced.

  10. Click Finish to save and apply changes. Otherwise, click Back or Cancel to return to the previous page.

When finished, policies are pushed to target endpoints immediately. Settings should be applied on endpoints in less than a minute (provided they are online). If an endpoint is not online, settings will be applied as soon as it gets back online.

To check if the policy was successfully assigned:

  1. In the Network page from the left side menu, click the name of the endpoint you are interested in. Control Center will display the Information window.

  2. Check the Policy section to view the status of the current policy. It must show Applied

Another method to check the assignment status is from the policy details:

  1. Go to the Policies page from the left side menu.

  2. Find the policy you assigned.

    In the Active/Applied/Pending column, you can view the number of endpoints for each of the three statuses.

  3. Click any number to view the list of endpoints with the respective status in the Network page.

Assigning rule-based policies

The Policies > Assignment Rules page enables you to define user, location and tag-aware policies. For example, you can apply more restrictive firewall rules when users connect to the internet from outside the company or you can enable Web Access Control for users that are not part of the administrators group or to endpoints defined by certain tags.

assignment-rules-page-onpremises.PNG

This is what you need to know about assignment rules:

  • Endpoints can have only one active policy at a time.

  • A policy applied through a rule will overwrite the device policy set on the endpoint.

  • If none of the assignment rules is applicable, then the device policy is applied.

  • Rules are ordered and processed by priority, with 1 being the highest one. You may have several rules for the same target.

    In such case, the first rule that matches the active connection settings on the target endpoint will apply.

    For example, if an endpoint matches a tag rule with priority 5, a user rule with priority 4 and a location rule with priority 3, the location rule will apply.

  • In the Assignment rules grid, you can search and sort rules by priority, name, type, description, policy, and status. The status of a rule can be:

    • Running - the rule is active and applicable to the endpoints.

    • No target - the rule is not applied to the endpoints because it is missing targets. This situation may occur when the folders in the Network inventory selected as targets have been deleted after creating the rule.

Important

Make sure you consider sensitive settings such as exclusions, communication or proxy details when creating rules.

As best practice, it is recommended to use policy inheritance to keep the critical settings from the device policy also in the policy used by assignment rules.

To create a new rule:

  1. Log in to GravityZone Control Center.

  2. Go to the Assignment Rules page from the left side menu.

  3. Click the add.pngAdd button at the upper side of the table.

  4. Select the rule type:

  5. Configure the rule settings as needed.

  6. Click Save to save the changes and apply the rule to target endpoints of the policy.

To change the settings of an existing rule:

  1. In the Assignment Rules page, find the rule you are looking for and click its name to edit it.

  2. Configure the rule settings as needed.

  3. Click Save to apply the changes and close the window. To leave the window without saving changes, click Cancel.

If you no longer want to use a rule, select the rule and click the delete.png Delete button at the upper side of the table. Click Yes to confirm your action.

To make sure the latest information is being displayed, click the refresh.png Refresh button at the upper side of the table.

Configuring location rules

A location is a network segment identified by one or several network settings, such as a specific gateway, a specific DNS used to resolve URLs, or a subset of IPs. For example, you can define locations such as the company's LAN, the servers farm or a department.

In the rule configuration window, follow these steps:

  1. Enter a suggestive name and a description for the rule you want to create.

  2. Set the priority of the rule. The rules are ordered by priority, with the first rule having the highest priority. The same priority cannot be set twice or more.

  3. Select the policy for which you create the assignment rule.

  4. Define the locations to which the rule applies.

    1. Select the type of the network settings from the menu at the upper side of the Locations table. These are the available types:

      Type

      Value

      IP/IP address range

      Specific IP addresses in a network or sub-networks. For sub-networks use the CIDR format.

      For example: 10.10.0.12 or 10.10.0.0/16

      Gateway address

      IP address of the gateway

      For example: 10.0.2.2

      WINS server address

      IP address of the WINS server

      Important

      This option does not apply on Linux and macOS systems.

      DNS server address

      IP address of the DNS server

      You can add up to 30 IP addresses and maximum 480 characters.

      DHCP connection DNS suffix

      DNS name without the hostname for a specific DHCP connection

      For example: hq.company.biz

      Endpoint can resolve host

      Hostname

      For example: fileserv.company.biz

      Endpoint can connect to GravityZone

      Yes/No

      Important

      This option does not apply on macOS systems.

      Network type

      Wireless/Ethernet

      When choosing Wireless, you can also add the network SSID.

      Important

      This option does not apply on Linux systems.

      Hostname

      Hostname

      For example: cmp.bitdefender.com

      Important

      You can also use wildcards. Asterisk (*) substitutes for zero or more characters and the question mark (?) substitutes exactly one character. Examples:

      *.bitdefender.com

      cmp.bitdefend??.com

      Important

      This option does not apply on macOS systems.

    2. Enter the value for the selected type. Where applicable, you can enter multiple values in the dedicated field, separated by semicolon (;) and without additional spaces. For example, when you enter 10.10.0.0/16;192.168.0.0/24, the rule applies to target endpoints with the IPs matching ANY of these sub-networks.

      Warning

      You can use only one network setting type per location rule. For example, if you added a location using the IP/network prefix, you cannot use this setting again in the same rule.

    3. Click the add_inline.pngAdd button at the right side of the table.

    Important

    The network settings on endpoints must match ALL provided locations for the rule to apply to them.

    For example, to identify the office LAN network you can enter the gateway, network type and DNS; furthermore, if you add a sub-network, you identify a department within the company's LAN.

    policies-location-rule.png

    Click the Value field to edit the existing criteria and then press Enter to save changes.

    To remove a location, select it and click the delete_inline.pngDelete button.

  5. You may want to exclude certain locations from the rule. To create an exclusion, define the locations to be excepted from the rule:

    1. Select the Exclusions check box under the Locations table.

    2. Select the type of the network settings from the menu at the upper side of the Exclusions table. You have the same options as in the Locations table.

    3. Enter the value for the selected type. You can enter multiple values in the dedicated field, separated by semicolon (;) and without additional spaces.

    4. Click the add_inline.pngAdd button at the right side of the table.

    The network settings on endpoints must match ALL conditions provided in the Exclusions table for the exclusion to apply.

    Click the Value field to edit the existing criteria and then press Enter to save changes.

    To remove an exclusion, click the delete_inline.pngDelete button at the right side of the table.

    Important

    Exclusions also work as negative conditions and you can create rules based only on them. In such a rule, the Locations table has no entries.

    Examples:

    • When you enter 10.10.0.0/16;192.168.0.0/24 as an exclusion, the rule applies to all target endpoints with IPs that do NOT match ANY of these sub-networks.

    • When you specify Wireless for the network type and the string cmp1.bitdefender.com;cmp2.bitdefender.com;cmp3.bitdefender.com for the hostnames as exclusions, the rule applies to target endpoints that do NOT connect wirelessly AND whose names do NOT match ANY of these entries.

  6. In the Targets section, select the view (Computers and Virtual Machines or Cloud Workloads) and the folders in the network where you want to apply the policy rule. You can view your selection in the table on the right, under Selected Groups.

    Note

    If you do not specify any targets in any view (Computers and Virtual Machines or Cloud Workloads), GravityZone automatically selects all available entities when you save the rule.

  7. Click Save to save the assignment rule and apply it.

    Once created, the location rule automatically applies to all target endpoints that you manage according to your user rights.

Configuring user rules

Important

  • You can create user rules only if an Active Directory integration is available.

  • You can define user rules only for Active Directory users and groups. Rules based on Active Directory groups are not supported on Linux systems.

In the rule configuration window, follow these steps:

  1. Enter a suggestive name and a description for the rule you want to create.

  2. Set the priority. The rules are ordered by priority, with the first rule having the highest priority. The same priority cannot be set twice or more.

  3. Select the policy for which you create the assignment rule.

  4. In the Targets section, select the users and security groups you want the policy rule to apply to. You can view your selection in the table on the right.

  5. Click Save.

    Once created, the user-aware rule applies to managed target endpoints at user login.

Configuring endpoint tag rules

To assign policies to new and existing endpoints in a fast and efficient way, you can use rules based on tags.

For example, you have created the automatic tag Linux to apply to endpoints running this operating system. You also created a rule based on this tag that assigns a security policy with certain settings. As a result, whenever GravityZone detects a new Linux machine in the network, the endpoint automatically receives the tag Linux and the corresponding policy.

A tag rule must contain at least one tag. A tag rule can contain both custom and automatic tags.

To configure an endpoint tag rule, follow these steps:

  1. Enter a suggestive name and description.

  2. Set the priority of the rule.

    The rules are ordered by priority, with the first rule having the highest priority. For example, priority 1 is higher than priority 2. The same priority cannot be set twice.

  3. Select the policy for which you create the tag rule.

  4. In the Tag grid, add at least one tag.

  5. Click Save to create the rule.

    gz_cl_op_pt_create_tag_rule_en.png

For details on creating and assigning tags to endpoints, refer to Using endpoint tags.

Configuring integration tag rules

Important

You can create integration tag rules only if an Amazon EC2 or Microsoft Azure integration is available.

You can use the tags defined in the cloud infrastructures to assign a specific GravityZone policy to your virtual machines hosted in the cloud. All virtual machines having the tags specified in the tag rule will be applied with the policy set by the rule.

Note

According to the cloud infrastructure, you can define the virtual machine tags as follows:

  • For Amazon EC2: in the Tags tab of the EC2 instance.

  • For Microsoft Azure: in the Overview section of the virtual machine.

A tag rule can contain one or several tags. To create a tag rule:

  1. Enter a suggestive name and a description for the rule you want to create.

  2. Set the priority of the rule. The rules are ordered by priority, with the first rule having the highest priority. The same priority cannot be set twice or more.

  3. Select the policy for which you create the tag rule.

  4. In the Tag table, add one or several tags.

    A tag consists in a case-sensitive key-value pair. Make sure to enter the tags as defined in your cloud infrastructure. Only valid key-value pairs will be taken into account.

    To add a tag:

    1. In the Tag Key field, enter the key name.

    2. In the Tag Value field, enter the value name.

    3. Click the add_inline.png Add button at the right side of the table.

For more information about tagging EC2 managed instances, refer to the official Amazon EC2 documentation.