Configure Computers to Override Policies

Many computer properties are configured by the policy that is assigned to the computer. You can configure these properties at the computer level to override the policy. You can also discover overrides that have been configured for a computer.

Override a policy setting on a computer only when you are certain that the override is unique for that computer. As much as possible, you should use policies to configure security and avoid overrides:
  • Policies can be assigned to multiple computers, so you can re-use configuration work.
  • Policies are more easily managed than computer overrides.
For information about configuring policy settings, see the Create and Configure a Policy guide.

Discover overrides

To discover the overrides that are configured for a computer, use any method or function that returns the computer with the overrides parameter set to true. As described in About the overrides parameter, the Computer object that is returned contains values only for the properties that are overrides. All other property values are null.

All properties of a Computer object can be configured, except for the name and description.

When there are no overrides, all properties of the object are null. Check for a null ID to quickly determine if there are no overrides.

The following example gets the overrides for a computer:

Python
# Get the Computer object with overrides set to True
computers_api = api.ComputersApi(api.ApiClient(configuration))

return computers_api.describe_computer(computer_id, api_version, expand=expand.list(), overrides=True)

JavaScript
const computersApi = new api.ComputersApi();
const opts = {
  overrides: true,
  expand: expand.list()
};

return computersApi.describeComputer(computerID, apiVersion, opts);

Java
ComputersApi computersApi = new ComputersApi();

// Set the overrides parameter to true
return computersApi.describeComputer(computerId, expand.list(), Boolean.TRUE, apiVersion);

Also see the Describe a Computer operation in the API Reference. For information about the expand parameter, see "Minimize computer response size" in the Performance Tips guide.
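
The rule above (only overridden properties are non-null, and a null ID means no overrides) can be turned into a small audit helper. This is an added example, not code from the original page or the SDK. It assumes the returned Computer object has been converted to a plain dict (for instance with the model's to_dict(), which is an assumption here), and the sample dicts and their field names are constructed for illustration.

```python
def override_paths(value, prefix=""):
    """Return the dotted path of every non-null leaf in a nested dict."""
    if value is None:
        return []
    if isinstance(value, dict):
        paths = []
        for key, child in value.items():
            child_prefix = f"{prefix}.{key}" if prefix else key
            paths += override_paths(child, child_prefix)
        return paths
    if isinstance(value, list):
        # An empty list carries no override; a populated one is reported once.
        return [prefix] if value else []
    return [prefix]


def summarize_overrides(computer):
    """List the overridden properties of a computer fetched with overrides=True."""
    # Quick check from the text: a null ID means there are no overrides at all.
    if computer.get("id") is None:
        return []
    # The ID identifies the computer and is not itself an override.
    return sorted(p for p in override_paths(computer) if p != "id")


# Constructed sample responses (field names are illustrative assumptions).
SAMPLE_NO_OVERRIDES = {"id": None, "firewall": None, "computer_settings": None}
SAMPLE_WITH_OVERRIDES = {
    "id": 42,
    "host_name": None,
    "firewall": {"state": "off"},
    "computer_settings": {
        "firewall_setting_reconnaissance_enabled": {"value": "true"},
    },
}

if __name__ == "__main__":
    for path in summarize_overrides(SAMPLE_WITH_OVERRIDES):
        print("override:", path)
```

Running such a report across all computers shows where protection has drifted from the assigned policy, for example a firewall state overridden on a single machine.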

Configure computer overrides

Configure the properties of a computer to override the computer's policy. The following properties of the Computer class inherit their values from the policy and can be configured to override it:

  • Properties that store the configurations of the Deep Security protection modules, such as firewall. The types of these properties are classes that define the computer-level extensions of the protection modules, such as FirewallComputerExtension. These classes control the behavior of protection modules for a computer and override the settings of the policy-level extension classes such as FirewallPolicyExtension.
  • The computerSettings property, of type ComputerSettings, stores protection module and platform settings that are applied at the computer level. This property overrides the values of the policySettings property of the computer's policy.

For a list of computer settings, see Default policy, policy, and computer settings in the Settings Reference. Also see the Modify a Computer operation in the API Reference.

Configure a single computer setting

The ComputersApi class enables you to set the value of a single setting for a computer.

  1. Create a SettingValue object and set the value (all values are strings). When settings accept one value from a list of choices, you can either use the ID of the choice or the exact wording of the choice as it appears in the Deep Security Manager console.
  2. Create a ComputersApi object and use it with the SettingValue object to modify the computer setting. You also provide the computer ID.

The following example sets the value of the firewall network engine mode of a computer to override the policy.

Python
# Set the value for firewall_setting_reconnaissance_enabled
setting_value = api.SettingValue()
setting_value.value = "true"

# Apply the override to the computer
computers_api = api.ComputersApi(api.ApiClient(configuration))

return computers_api.modify_computer_setting(computer_id, api.ComputerSettings.firewall_setting_reconnaissance_enabled, setting_value, api_version, overrides=True)

JavaScript
// Setting name
const settingName = "firewallSettingReconnaissanceEnabled";

// Setting value
const settingValue = new api.SettingValue();
settingValue.value = "true";

let computersApi = new api.ComputersApi();
return computersApi.modifyComputerSetting(computerID, settingName, settingValue, apiVersion, { overrides: true });

Java
// Setting name
String settingName = "firewallSettingReconnaissanceEnabled";

// Set the reconnaissance scan property value
SettingValue settingValue = new SettingValue();
settingValue.setValue("true");

// Overrides
Boolean overrides = Boolean.TRUE;

// Update on Deep Security Manager
ComputersApi computersApi = new ComputersApi();

return computersApi.modifyComputerSetting(computerId, settingName, settingValue, overrides, apiVersion);

Configure settings and protection modules

Use the following steps to configure several computer settings, one or more protection modules for a computer, or both:

  1. Create a computer-level extension object for a protection module and configure the settings that you want to override.
  2. Create a ComputerSettings object and configure the settings that you want to override. To set the value of a setting, create a SettingValue object, set the value (all values are strings), and add it to the ComputerSettings object. When settings accept one value from a list of choices, you can either use the ID of the choice or the exact wording of the choice as it appears in the Deep Security Manager console.
  3. Add the computer-level extension object and ComputerSettings object to a Computer object.
  4. Use ComputersApi to modify the computer on Deep Security Manager.
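
The four steps above in Python, as an added example that is not part of the original page. It follows the calling style of the page's other Python snippets (the SDK module is passed in as api). The function name, the state field of FirewallComputerExtension, and the modify_computer method name (by analogy with describe_computer and the Modify a Computer operation) are assumptions.

```python
def override_firewall_config(api, configuration, api_version, computer_id):
    """Override the firewall module and one firewall setting on one computer."""
    # Step 1: computer-level extension object for the firewall module.
    firewall_extension = api.FirewallComputerExtension()
    firewall_extension.state = "on"  # assumed field name; value is a string

    # Step 2: a ComputerSettings object holding the SettingValue to override.
    setting_value = api.SettingValue()
    setting_value.value = "true"  # all setting values are strings
    computer_settings = api.ComputerSettings()
    computer_settings.firewall_setting_reconnaissance_enabled = setting_value

    # Step 3: attach both objects to a Computer object. Properties that are
    # left unset stay null and keep inheriting their values from the policy.
    computer = api.Computer()
    computer.firewall = firewall_extension
    computer.computer_settings = computer_settings

    # Step 4: send the change to Deep Security Manager. overrides=True asks
    # for a response that contains only the overridden values, so the caller
    # can confirm what now differs from the policy.
    computers_api = api.ComputersApi(api.ApiClient(configuration))
    return computers_api.modify_computer(
        computer_id, computer, api_version, overrides=True
    )
```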

Rule overrides

A rule that is applied to a computer is considered an override when the rule has been modified at the computer level to be different than the original rule.

Simply assigning a rule to a computer is not considered an override:

  • When a rule is assigned to a computer and the rule is not assigned to the computer's policy, the rule is not considered an override.
  • When a rule is assigned to a computer's policy and the same rule is applied to the computer and is unchanged, the rule is not considered an override.