Configure Computers to Override Policies
Many computer properties are configured by the policy that is assigned to the computer. You can configure these properties at the computer level to override the policy. You can also discover overrides that have been configured for a computer.
- Policies can be assigned to multiple computers, so you can re-use configuration work.
- Policies are more easily managed than computer overrides.
Discover overrides
To discover the overrides that are configured for a computer, use any method or function that returns the computer with the overrides
parameter set to true
. As described in About the overrides parameter, the Computer
object that is returned contains values only for the properties that are overrides. All other property values are null
.
All properties of a Computer
object can be configured, except for the name and description.
ID
to quickly determine if there are no overrides.The following example gets the overrides for a computer
# Get the Computer object with overrides set to True computers_api = api.ComputersApi(api.ApiClient(configuration)) return computers_api.describe_computer(computer_id, api_version, expand=expand.list(), overrides=True)
const computersApi = new api.ComputersApi(); const opts = { overrides: true, expand: expand.list() }; return computersApi.describeComputer(computerID, apiVersion, opts);
ComputersApi computersApi = new ComputersApi(); // Set the overrides parameter to true return computersApi.describeComputer(computerId, expand.list(), Boolean.TRUE, apiVersion);
Also see the Describe a Computer operation in the API Reference. For information about the expand parameter, see "Minimize computer response size" in the Performance Tips guide.
Configure computer overrides
Configure the properties of a computer to override the computer's policy. Thefollowing properties of the Computer
class are those that inherit their values from the policy and that you can configure to override the policy:
- Properties that store the configurations of the Deep Security protection modules, such as
firewall
. The types of these properties are classes that define the computer-level extensions of the protection modules, such asFirewallComputerExtension
. These classes control the behavior of protection modules for a computer and override the settings of the policy-level extension classes such asFirewallPolicyExtension
. - The
computerSettings
property, of typeComputerSettings
, stores protection module and platform settings that are applied at the computer level. This property overrides the values of thepolicySettings
property of the computer's policy.
For a list of computer settings, see Default policy, policy, and computer settings in the Settings Reference. Also see the Modify a Computer operation in the API Reference.
Configure a single computer setting
TheComputersApi
class enables you to set the value of a single setting for a computer.
- Create a
SettingValue
object and set the value (all values are strings). When settings accept one value from a list of choices, you can either use the ID of the choice or the exact wording of the choice as it appears in the Deep Security Manager console. - Create a
ComputersApi
object and use it with theSettingValue
object to modify the computer setting. you also provide the computer ID.
The following example sets the value of thefirewall network engine mode of a computer to override the policy.
# Set the value for firewall_setting_reconnaissance_enabled setting_value = api.SettingValue() setting_value.value = "true" # Apply the override to the computer computers_api = api.ComputersApi(api.ApiClient(configuration)) return computers_api.modify_computer_setting(computer_id, api.ComputerSettings.firewall_setting_reconnaissance_enabled, setting_value, api_version, overrides=True)
// Setting name const settingName = "firewallSettingReconnaissanceEnabled"; // Setting value const settingValue = new api.SettingValue(); settingValue.value = "true"; let computersApi = new api.ComputersApi(); return computersApi.modifyComputerSetting(computerID, settingName, settingValue, apiVersion, { overrides: true });
// Setting name String settingName = "firewallSettingReconnaissanceEnabled"; // Set the reconnaissance scan property value SettingValue settingValue = new SettingValue(); settingValue.setValue("true"); // Overrides Boolean overrides = Boolean.TRUE; // Update on Deep Security Manager ComputersApi computersApi = new ComputersApi(); return computersApi.modifyComputerSetting(computerId, settingName, settingValue, overrides, apiVersion);
Configure settings and protection modules
Use the following steps to configure several computer settings, one or more protection modules for a computer, or both:
- Create a computer-level extension object for a protection module and configure the settings that you want to override.
- Create a
ComputerSettings
object and configure the settings that you want to override. To set the value of a setting, create aSettingValue
object, set the value (all values are strings), and add it to theComputerSettings
object.When settings accept one value from a list of choices, you can either use the ID of the choice or the exact wording of the choice as it appears in the Deep Security Manager console. - Add the computer-level extension object and
ComputerSettings
object to aComputer
object. - Use
ComputersApi
to modify the computer on Deep Security Manager.
Rule overrides
A rule that is applied to a computer is considered an override when the rule has been modified at the computer level to be different than the original rule.
Simply assigning a rule to a computer is not considered an override:
- When a rule is assigned to a computer and the rule is not assigned to the computer's policy, the rule is not considered an override.
- When a rule is assigned to a computer's policy and the same rule is applied to the computer and is unchanged, the rule is not considered an override.