Configure Computers to Override Policies

Many computer properties are configured by the policy that is assigned to the computer. You can configure these properties at the computer level to override the policy. You can also discover overrides that have been configured for a computer.

Discover overrides

To discover the overrides that are configured for a computer, use any method or function that returns the computer with the overrides parameter set to true. As described in About the overrides parameter, the Computer object that is returned contains values only for the properties that are overrides. All other property values are null.

All properties of a Computerobject can be configured, except for the name and description.

The following example gets the overrides for a computer

# Get the Computer object with overrides set to True
computers_api = api.ComputersApi(api.ApiClient(configuration))

return computers_api.describe_computer(computer_id, api_version, expand=expand.list(), overrides=True)

const computersApi = new api.ComputersApi();
const opts = {
  overrides: true,
  expand: expand.list()
};

return computersApi.describeComputer(computerID, apiVersion, opts);

ComputersApi computersApi = new ComputersApi();

// Set the overrides parameter to true
return computersApi.describeComputer(computerId, expand.list(), Boolean.TRUE, apiVersion);

Also see the Describe a Computer operation in the API Reference. For information about the expand parameter, see "Minimize computer response size" in the Performance Tips guide.

Configure computer overrides

Configure the properties of a computer to override the computer's policy. Thefollowing properties of the Computer class are those that inherit their values from the policy and that you can configure to override the policy:

• Properties that store the configurations of the Deep Security protection modules, such as firewall. The types of these properties are classes that define the computer-level extensions of the protection modules, such asFirewallComputerExtension. These classes control the behavior of protection modules for a computer and override the settings of the policy-level extension classes such asFirewallPolicyExtension.
• The computerSettings property, of type ComputerSettings, stores protection module and platform settings that are applied at the computer level. This property overrides the values of the policySettings property of the computer's policy.

For a list of computer settings, see Default policy, policy, and computer settings in the Settings Reference. Also see the Modify a Computer operation in the API Reference.

Configure a single computer setting

TheComputersApiclass enables you to set the value of a single setting for a computer.

1. Create aSettingValueobject and set the value (all values are strings). When settings accept one value from a list of choices, you can either use the ID of the choice or the exact wording of the choice as it appears in the Deep Security Manager console.
2. Create aComputersApiobject and use it with theSettingValueobject to modify the computer setting. you also provide the computer ID.

The following example sets the value of thefirewall network engine mode of a computer to override the policy.

# Set the value for firewall_setting_reconnaissance_enabled
setting_value = api.SettingValue()
setting_value.value = "true"

# Apply the override to the computer
computers_api = api.ComputersApi(api.ApiClient(configuration))

return computers_api.modify_computer_setting(computer_id, api.ComputerSettings.firewall_setting_reconnaissance_enabled, setting_value, api_version, overrides=True)

// Setting name
const settingName = "firewallSettingReconnaissanceEnabled";

// Setting value
const settingValue = new api.SettingValue();
settingValue.value = "true";

let computersApi = new api.ComputersApi();
return computersApi.modifyComputerSetting(computerID, settingName, settingValue, apiVersion, { overrides: true });

// Setting name
String settingName = "firewallSettingReconnaissanceEnabled";

// Set the reconnaissance scan property value
SettingValue settingValue = new SettingValue();
settingValue.setValue("true");

// Overrides
Boolean overrides = Boolean.TRUE;

// Update on Deep Security Manager
ComputersApi computersApi = new ComputersApi();

return computersApi.modifyComputerSetting(computerId, settingName, settingValue, overrides, apiVersion);

Configure settings and protection modules

Use the following steps to configure several computer settings, one or more protection modules for a computer, or both:

1. Create a computer-level extension object for a protection module and configure the settings that you want to override.
2. Create a ComputerSettings object and configure the settings that you want to override. To set the value of a setting, create a SettingValue object, set the value (all values are strings), and add it to the ComputerSettings object.When settings accept one value from a list of choices, you can either use the ID of the choice or the exact wording of the choice as it appears in the Deep Security Manager console.
3. Add the computer-level extension object and ComputerSettings object to a Computer object.
4. Use ComputersApi to modify the computer on Deep Security Manager.

Rule overrides

A rule that is applied to a computer is considered an override when the rule has been modified at the computer level to be different than the original rule.

Simply assigning a rule to a computer is not considered an override:

• When a rule is assigned to a computer and the rule is not assigned to the computer's policy, the rule is not considered an override.
• When a rule is assigned to a computer's policy and the same rule is applied to the computer and is unchanged, the rule is not considered an override.