ON PREMISES SOLUTIONS

Assigning policies

Endpoints are initially assigned with the default policy. Once you have defined the necessary policies in the Policies page, you can assign them to endpoints.

The policy assignment process depends on the environment that GravityZone integrates with. For certain integrations, such as VMware NSX, policies are managed outside GravityZone Control Center. These are also referred to as external policies.

Assign policies

You can assign local policies in two ways:

  • Device-based assignment, meaning that you manually select the target endpoints to which you assign the policies. These policies are also known as device policies.

  • Rule-based assignment, meaning that a policy is assigned to a managed endpoint if the network settings on the endpoint match the given conditions of an existing assignment rule.

Note

  • You can assign only policies created by you. To assign a policy created by another user, you have to clone it first in the Policies page.

  • On virtual machines protected by HVI alone, you can assign only device policies. When Bitdefender Endpoint Security Tools is also installed on them, you can assign rule-based policies too, with the security agent handling policy activation.

    Note

    The HVI module may be available for your GravityZone solution with a separate license key.

Assigning device policies

In GravityZone, you can assign policies in multiple ways:

  • Assign the policy directly to the target.

  • Assign the policy of the parent group through inheritance.

  • Force policy inheritance to the target.

By default, each endpoint or group of endpoints inherits the policy of the parent group. If you change the policy of the parent group, all descendants will be affected, excepting those with an enforced policy.

To assign a device policy:

  1. Go to the Network page.

  2. Choose the network view from the views selector.

  3. Select the target endpoints. You can select one or several endpoints or groups of endpoints.

    For inheritance purposes, you cannot change the policy of the root group from Default. For example, Computers and Virtual Machines will always have the Default policy assigned.

  4. Click the Assign Policy button at the upper side of the table, or select Assign Policy from the contextual menu.

    The Policy Assignment page is displayed.

  5. Check the table with target endpoints. For each endpoint, you can view:

    • The assigned policy.

    • The parent group from which the target inherits the policy, if applicable.

      If the group is enforcing the policy, you can click its name to view the Policy Assignment page with this group as target.

    • The enforcement status.

      This status shows whether the target is forcing policy inheritance or is forced to inherit the policy.

      Notice the targets with enforced policy (Is forced status). Their policies cannot be replaced. In that case, a warning message is displayed.

  6. In case of warning, click the Exclude these targets link to continue.

  7. Choose one of the available options to assign the policy:

    • Assign the following policy template - to assign a specific policy directly to the target endpoints.

    • Inherit from above - to use the policy of the parent group.

  8. If you chose to assign a policy template:

    1. Select the policy from the drop-down list.

    2. Select Force policy inheritance to child groups to achieve the following:

      • Assign the policy to all descendants of the target groups, with no exception.

      • Prevent changing it from elsewhere lower in the hierarchy.

      A new table displays recursively all affected endpoints and groups of endpoints, together with the policies that will be replaced.

  9. Click Finish to save and apply changes. Otherwise, click Back or Cancel to return to the previous page.

When finished, policies are pushed to target endpoints immediately. Settings should be applied on endpoints in less than a minute (provided they are online). If an endpoint is not online, settings will be applied as soon as it gets back online.
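The inheritance and enforcement rules above are easy to misread, so here is a small model of them as an added example. This is illustration code, not Bitdefender's implementation and not a GravityZone API; the tree, group names and policy names are constructed, and the "Is forcing"/"Inherits"/"Assigned" status labels are assumptions chosen to mirror the Is forced status the console shows.

```python
"""Model of how GravityZone resolves device policies through the Network tree
(added illustration, not Bitdefender code or a product API). Semantics from the
text: a target with no policy of its own inherits its parent's; the root group
always carries Default; assigning with "Force policy inheritance to child
groups" stamps the policy on every descendant and marks them "Is forced", so
the Policy Assignment page excludes them from later assignments. The tree and
policy names are constructed sample data."""


class Target:
    """An endpoint or group in the Network tree."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.assigned = None     # policy set directly on this target, or None
        self.forced_by = None    # group whose forced policy this target carries
        if parent is not None:
            parent.children.append(self)

    def descendants(self):
        for child in self.children:
            yield child
            yield from child.descendants()

    def effective_policy(self):
        """Walk up to the nearest target with a directly assigned policy."""
        node = self
        while node.assigned is None:
            node = node.parent
        return node.assigned

    def status(self):
        """Enforcement status as shown in the Policy Assignment page (labels assumed)."""
        if self.forced_by is self:
            return "Is forcing"
        if self.forced_by is not None:
            return "Is forced"
        return "Inherits" if self.assigned is None else "Assigned"


def new_root(name="Computers and Virtual Machines"):
    root = Target(name)
    root.assigned = "Default"    # the root group cannot be changed from Default
    return root


def assign_policy(targets, policy, force=False):
    """Policy Assignment page. policy=None means 'Inherit from above'.
    Returns (applied, excluded): the root and 'Is forced' targets are excluded,
    mirroring the console warning and its 'Exclude these targets' link."""
    applied, excluded = [], []
    for t in targets:
        if t.parent is None or t.status() == "Is forced":
            excluded.append(t.name)
            continue
        if t.forced_by is t and not force:       # releasing a forcing group
            for d in t.descendants():
                d.forced_by = None
        t.assigned = policy
        t.forced_by = t if force else None
        if force:                                # all descendants, no exception
            for d in t.descendants():
                d.assigned, d.forced_by = None, t
        applied.append(t.name)
    return applied, excluded


def build_sample_tree():
    root = new_root()
    ws = Target("Workstations", root)
    fin = Target("Finance", ws)
    eng = Target("Engineering", ws)
    return {"root": root, "ws": ws, "fin": fin, "eng": eng,
            "fin-01": Target("fin-01", fin), "eng-01": Target("eng-01", eng)}


def walk_through():
    """Effective policies of the two endpoints after each documented operation."""
    n = build_sample_tree()
    assign_policy([n["ws"]], "Standard")
    assign_policy([n["eng"]], "Developer")        # direct assignment on a group
    step1 = {k: n[k].effective_policy() for k in ("fin-01", "eng-01")}
    assign_policy([n["ws"]], "Standard v2")       # flows to Finance, not Engineering
    step2 = {k: n[k].effective_policy() for k in ("fin-01", "eng-01")}
    assign_policy([n["fin"]], "Finance locked", force=True)
    applied, excluded = assign_policy([n["fin-01"], n["eng-01"]], "Ad hoc")
    step3 = {k: n[k].effective_policy() for k in ("fin-01", "eng-01")}
    return step1, step2, step3, n["fin-01"].status(), applied, excluded
```

Running walk_through() shows the three behaviours the text describes in sequence: fin-01 follows Workstations when that group's policy changes while Engineering keeps its own; after forcing on Finance, fin-01 reports Is forced and a later bulk assignment applies only to eng-01, with fin-01 excluded.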

To check if the policy was successfully assigned:

  1. In the Network page, click the name of the endpoint you are interested in. Control Center will display the Information window.

  2. Check the Policy section to view the status of the current policy. It must show Applied.

Another method to check the assignment status is from the policy details:

  1. Go to the Policies page.

  2. Find the policy you assigned.

    In the Active/Applied/Pending column, you can view the number of endpoints for each of the three statuses.

  3. Click any number to view the list of endpoints with the respective status in the Network page.

Assigning rule-based policies

The Policies > Assignment Rules page enables you to define user and location-aware policies. For example, you can apply more restrictive firewall rules when users connect to the internet from outside the company or you can enable Web Access Control for users that are not part of the administrators group.

This is what you need to know about assignment rules:

  • Endpoints can have only one active policy at a time.

  • A policy applied through a rule overrides the device policy set on the endpoint.

  • If none of the assignment rules is applicable, then the device policy is applied.

  • Rules are ordered and processed by priority, with 1 being the highest one. You may have several rules for the same target.

    In such case, the first rule that matches the active connection settings on the target endpoint will apply.

    For example, if an endpoint matches a user rule with priority 4 and a location rule with priority 3, the location rule will apply.

Important

Make sure you consider sensitive settings such as exclusions, communication or proxy details when creating rules.

As best practice, it is recommended to use policy inheritance to keep the critical settings from the device policy also in the policy used by assignment rules.

To create a new rule:

  1. Go to the Assignment Rules page.

  2. Click the Add button at the upper side of the table.

  3. Select the rule type:

    • Location Rule

    • User Rule

    • Tag Rule

  4. Configure the rule settings as needed.

  5. Click Save to save the changes and apply the rule to target endpoints of the policy.

To change the settings of an existing rule:

  1. In the Assignment Rules page, find the rule you are looking for and click its name to edit it.

  2. Configure the rule settings as needed.

  3. Click Save to apply the changes and close the window. To leave the window without saving changes, click Cancel.

If you no longer want to use a rule, select the rule and click the Delete button at the upper side of the table. Click Yes to confirm your action.

To make sure the latest information is being displayed, click the Refresh button at the upper side of the table.

Configuring location rules

A location is a network segment identified by one or several network settings, such as a specific gateway, a specific DNS used to resolve URLs, or a subset of IPs. For example, you can define locations such as the company's LAN, the servers farm or a department.

In the rule configuration window, follow these steps:

  1. Enter a suggestive name and a description for the rule you want to create.

  2. Set the priority of the rule. The rules are ordered by priority, with the first rule having the highest priority. Two rules cannot have the same priority.

  3. Select the policy for which you create the assignment rule.

  4. Define the locations to which the rule applies.

    1. Select the type of the network settings from the menu at the upper side of the Locations table. These are the available types, with the value each one takes:

      • IP/network prefix - Specific IP addresses in a network, or sub-networks in CIDR format. For example: 10.10.0.12 or 10.10.0.0/16

      • WINS server address - IP address of the WINS server.

        Important

        This option does not apply on Linux and Mac systems.

      • DNS server address - IP address of the DNS server.

      • DHCP connection DNS suffix - DNS name without the hostname for a specific DHCP connection. For example: hq.company.biz

      • Endpoint can resolve host - Hostname. For example: fileserv.company.biz

      • Endpoint can connect to GravityZone - Yes/No

      • Network type - Wireless/Ethernet. When choosing Wireless, you can also add the network SSID.

        Important

        This option does not apply on Linux and Mac systems.

      • Hostname - Hostname. For example: cmp.bitdefender.com

        Important

        You can also use wildcards. The asterisk (*) substitutes for zero or more characters and the question mark (?) substitutes for exactly one character. Examples:

        *.bitdefender.com

        cmp.bitdefend??.com

    2. Enter the value for the selected type. Where applicable, you can enter multiple values in the dedicated field, separated by semicolon (;) and without additional spaces. For example, when you enter 10.10.0.0/16;192.168.0.0/24, the rule applies to target endpoints with the IPs matching ANY of these sub-networks.

      Warning

      Each network setting type can be used only once per location rule. For example, if you added a location using the IP/network prefix, you cannot add a second IP/network prefix entry to the same rule; put multiple prefixes in the one entry, separated by semicolons.

    3. Click the Add button at the right side of the table.

    The network settings on endpoints must match ALL provided locations for the rule to apply. For example, to identify the office LAN you can combine the gateway, the network type and the DNS server; if you also add a sub-network prefix, you narrow the rule to a department within the company's LAN.


    Click the Value field to edit the existing criteria and then press Enter to save changes.

    To remove a location, select it and click the Delete button.

  5. You may want to exclude certain locations from the rule. To create an exclusion, define the locations to be excepted from the rule:

    1. Select the Exclusions check box under the Locations table.

    2. Select the type of the network settings from the menu at the upper side of the Exclusions table. You have the same options as in the Location table.

    3. Enter the value for the selected type. You can enter multiple values in the dedicated field, separated by semicolon (;) and without additional spaces.

    4. Click the Add button at the right side of the table.

    The network settings on endpoints must match ALL conditions provided in the Exclusions table, for the exclusion to apply.

    Click the Value field to edit the existing criteria and then press Enter to save changes.

    To remove an exclusion, click the Delete button at the right side of the table.

  6. Click Save to save the assignment rule and apply it.

    Once created, the location rule automatically applies to all target endpoints that are managed.
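The matching semantics spread across this page (rules processed by priority with the first match winning and the device policy as fallback, in "Assigning rule-based policies"; ALL criteria of a location rule must match while the semicolon-separated values of one criterion match if ANY does; exclusions vetoing under the same ALL rule; user rules on AD users and groups; case-sensitive tag rules) are pulled together in the following model, as an added example. This is illustration code, not Bitdefender's evaluator and not a product API: the criterion type names, the endpoint and rule objects, and every address, hostname, user, group and policy name are constructed for the example. Only the IP/network prefix, DNS server address, network type and hostname criteria are modelled.

```python
"""Model of GravityZone assignment-rule evaluation (added illustration, not
Bitdefender code or a product API). Semantics taken from the text: rules are
checked by priority, 1 highest, first match wins; a location rule needs ALL
its criteria to match, but 'a;b;c' values of one criterion match if ANY does;
the Exclusions table vetoes under the same ALL rule; with no match the device
policy stays. All endpoints, rules and names are constructed sample data."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import ipaddress


@dataclass
class Endpoint:
    ips: set
    dns_servers: set
    hostname: str
    network_type: str            # "Ethernet" or "Wireless"
    device_policy: str
    user: str = ""               # logged-in AD user
    ad_groups: set = field(default_factory=set)
    tags: dict = field(default_factory=dict)   # cloud VM tags


def criterion_matches(ep, ctype, values):
    """One table row: semicolon-separated values match if ANY of them does."""
    for v in values.split(";"):
        if ctype == "ip":
            net = ipaddress.ip_network(v, strict=False)   # single IP or CIDR
            if any(ipaddress.ip_address(ip) in net for ip in ep.ips):
                return True
        elif ctype == "dns_server" and v in ep.dns_servers:
            return True
        elif ctype == "network_type" and v == ep.network_type:
            return True
        elif ctype == "hostname" and fnmatchcase(ep.hostname, v):  # * and ?
            return True
    return False


def all_match(ep, criteria):
    """Whole table: every criterion type listed must match (each type once)."""
    return all(criterion_matches(ep, t, v) for t, v in criteria.items())


@dataclass
class Rule:
    name: str
    priority: int
    policy: str
    kind: str                    # "location", "user" or "tag"
    locations: dict = field(default_factory=dict)
    exclusions: dict = field(default_factory=dict)
    users: set = field(default_factory=set)    # AD users or groups
    tags: dict = field(default_factory=dict)

    def matches(self, ep):
        if self.kind == "location":
            return all_match(ep, self.locations) and not (
                self.exclusions and all_match(ep, self.exclusions))
        if self.kind == "user":
            return bool(self.users & ({ep.user} | ep.ad_groups))
        if self.kind == "tag":   # case-sensitive key/value pairs, all required
            return all(ep.tags.get(k) == v for k, v in self.tags.items())
        raise ValueError(f"unknown rule type {self.kind}")


def effective_policy(ep, rules):
    """(policy, rule name) of the first match by priority, else (device policy, None)."""
    if len({r.priority for r in rules}) != len(rules):
        raise ValueError("priorities must be unique")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(ep):
            return rule.policy, rule.name
    return ep.device_policy, None


# Constructed rules. Note the text's own case: a user rule at priority 4 against
# a location rule at priority 3; the location rule wins when both match.
RULES = [
    Rule("Cloud web tier", 2, "Web-server policy", "tag", tags={"Role": "web"}),
    Rule("HQ LAN", 3, "Office policy", "location",
         locations={"ip": "10.10.0.0/16;192.168.0.0/24", "dns_server": "10.10.0.2",
                    "network_type": "Ethernet", "hostname": "*.hq.company.biz"},
         exclusions={"ip": "10.10.99.0/24"}),   # lab segment carved out
    Rule("Non-admins", 4, "Web-control policy", "user", users={"CORP\\Domain Users"}),
]

# Constructed endpoints: one laptop in the office and at home, an admin on the
# excluded lab segment, and a tagged cloud VM.
SAMPLES = {
    "office": Endpoint({"10.10.5.17"}, {"10.10.0.2"}, "lt-017.hq.company.biz",
                       "Ethernet", "Default", "CORP\\jdoe", {"CORP\\Domain Users"}),
    "home": Endpoint({"192.168.1.20"}, {"192.168.1.1"}, "lt-017.hq.company.biz",
                     "Wireless", "Default", "CORP\\jdoe", {"CORP\\Domain Users"}),
    "lab_admin": Endpoint({"10.10.99.5"}, {"10.10.0.2"}, "lab-05.hq.company.biz",
                          "Ethernet", "Default", "CORP\\admin1", {"CORP\\Domain Admins"}),
    "cloud_web": Endpoint({"10.20.1.4"}, {"10.20.0.2"}, "web-1", "Ethernet",
                          "Cloud baseline", tags={"Role": "web"}),
}
```

Evaluating effective_policy(SAMPLES[name], RULES) for each sample gives the outcomes the page describes: the office laptop matches both the location rule (priority 3) and the user rule (priority 4) and gets the Office policy; at home the location rule fails on the IP prefix and the user rule applies; the lab admin matches the location criteria but is vetoed by the exclusion and is not in the user rule, so the device policy remains; the cloud VM is picked up by the tag rule. The point worth checking in your own rules is the lab case: an exclusion does not fall back to the device policy directly, it only removes that one rule, and the next lower-priority rule still gets its turn.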

Configuring user rules

Important

  • You can create user rules only if an Active Directory integration is available.

  • You can define user rules only for Active Directory users and groups. Rules based on Active Directory groups are not supported on Linux systems.

In the rule configuration window, follow these steps:

  1. Enter a suggestive name and a description for the rule you want to create.

  2. Set the priority. The rules are ordered by priority, with the first rule having the highest priority. Two rules cannot have the same priority.

  3. Select the policy for which you create the assignment rule.

  4. In the Targets section, select the users and security groups you want the policy rule to apply to. You can view your selection in the table on the right.

  5. Click Save.

    Once created, the user-aware rule applies to managed target endpoints at user login.

Configuring tag rules

Important

You can create tag rules only if an Amazon EC2 or Microsoft Azure integration is available.

You can use the tags defined in the cloud infrastructures to assign a specific GravityZone policy to your virtual machines hosted in the cloud. All virtual machines carrying the tags specified in the tag rule receive the policy set by the rule.

Note

According to the cloud infrastructure, you can define the virtual machine tags as follows:

  • For Amazon EC2: in the Tags tab of the EC2 instance.

  • For Microsoft Azure: in the Overview section of the virtual machine.

A tag rule can contain one or several tags. To create a tag rule:

  1. Enter a suggestive name and a description for the rule you want to create.

  2. Set the priority of the rule. The rules are ordered by priority, with the first rule having the highest priority. Two rules cannot have the same priority.

  3. Select the policy for which you create the tag rule.

  4. In the Tag table, add one or several tags.

    A tag consists of a case-sensitive key-value pair. Make sure to enter the tags exactly as defined in your cloud infrastructure. Only valid key-value pairs are taken into account.

    To add a tag:

    1. In the Tag Key field, enter the key name.

    2. In the Tag Value field, enter the value name.

    3. Click the Add button at the right side of the table.

Assigning NSX policies

In NSX, security policies are assigned to security groups. A security group can contain various vCenter objects, such as datacenters, clusters and virtual machines.

To assign a security policy to a security group:

  1. Log in to vSphere Web Client.

  2. Go to Network & Security > Service Composer and click the Security Groups tab.

  3. Create as many security groups as needed. For more information, refer to VMware documentation.

    You can create dynamic security groups based on security tags, for example to group all virtual machines that have been found infected.

  4. Right click the security group you are interested in and click Apply Policy.

  5. Select the policy to apply and click OK.