Create a shared ruleset
You can use the API to create shared allow or block rules and apply the ruleset to other computers. This can be useful if you have many identical computers (such as a load balanced web server farm). Shared rulesets should be applied only to computers with the exact same inventory.
Procedure
- Use the API to build a computer's shared allow and block rules. For more information, see Create a Shared Ruleset. If you want to examine the shared ruleset before you deploy it, see View and change Application Control rulesets.
- Go to .
- In the ruleset section, make sure Inherit settings is not selected and then select Use a shared ruleset. Indicate which shared rules to use.
Note
These settings are hidden until you use the API to create at least one shared ruleset. If you haven't created any shared rulesets, or if you keep the default settings, each computer will keep its own allow and block rules locally. Changes to local rules don't affect other computers.
- Click Save.
The next time that the agent on the computer connects with Server & Workload Protection, the agent applies those rules. If you see an error saying that the ruleset upload was not successful, verify that network devices between the agent and Server & Workload Protection or relay allow communications on the heartbeat port or relay port numbers.
Change from shared to computer-specific allow and block rules
If the computer is currently using shared allow or block rules created via the API, you can change it to use local rules. Application Control scans the file system for all currently-installed software and creates an initial ruleset for it, similar to when you first enabled Application Control.
Warning
Before you start, verify that only good software is currently installed. Rebuilding the ruleset will allow all currently installed software, even if it is insecure or malware. If you are not sure what is installed, the safest approach is to make a clean install and then enable Application Control.
The steps below configure a computer's agent to use a local ruleset. If you want all computers to use local rules, edit the setting in the Policies tab instead.
Procedure
- Go to .
- In the ruleset section, deselect Inherit settings (if necessary), and then select Use local ruleset initially based on installed software.
- Click Save.
To verify the change, the next time the agent and Server & Workload Protection connect, look for event log messages about building the Application Control ruleset.
Deploy Application Control shared rulesets via relays
Each time you create an Application Control ruleset or change it, it must be distributed to all computers that use it. Shared rulesets are bigger than local rulesets. Shared rulesets are also often applied to many servers. If they all downloaded the ruleset directly from Server & Workload Protection at the same time, high load could cause slower performance. Global rulesets have the same considerations.
Using relays can solve this problem. (For information on configuring relays, see Distribute security and software updates with relays.)
Steps vary depending on whether or not you have a multi-tenant deployment.
Single tenant deployments
Go to and then select Serve Application Control rulesets from relays.
Multi-tenant deployments
The primary tenant (t0) can't access other tenants' (tN) configurations, so t0 relays don't have tN Application Control rulesets. Other tenants (tN) must create their own relay group, then select Serve Application Control rulesets from relays.
Considerations when using relays with shared rulesets
Before using relays, verify that they are compatible with your deployment. If the agent doesn't have any previously downloaded ruleset currently in effect, and if it doesn't receive new Application Control rules, then the computer won't be protected by Application Control. If an Application Control ruleset download fails, a ruleset download failure event will be recorded in the Server & Workload Protection console and on the agent.
- If you are using a proxy to connect agents to a manager, you must use a relay.
Note
In version 10.0 and earlier of the agent, agents didn't have support for connections through a proxy to relays. If a ruleset download fails due to a proxy, and if your agents require a proxy to access the relay or Server & Workload Protection, then you must either:
  - update agents' software, then configure the proxy
  - bypass the proxy
  - add a relay and then select Serve Application Control rulesets from relays
- If you are using shared or global rulesets, a relay can result in faster performance.
- If you are using local rulesets, a relay can cause slower performance.
- Do not use a relay with multi-tenant configurations when non-primary tenants (tN) use the default, primary (t0) relay group.