mtatro
Message 1 of 18

ENS WC Block/Allow PAR causing other effective policies to change

I am wondering if I am missing something or if this is a bug? I did not see it as a known bug when I went through the list.

We have multiple Block/Allow lists for ENS WC. Applying them using the System Tree causes no issues, but if I make a user PAR to apply an additional policy as multi-slot policy it does two things:

1) Overwrites the other WC Block/Allow lists (not merging with other multi-slot from the System Tree). I was not able to find an article for WC saying this is intended behavior, but I know the user PARs can replace other policies (like FRP keys).

2) The WC Block/Allow policy PAR causes the System Tree policy for Content Actions to be changed to something else (maybe Default?). It no longer has any category blocking defined for the system. Anyone have any good thoughts on this? It seems more like a bug than anything, but I still have not found good articles on how PARs apply in relation to the rest of the policy application methods.

17 Replies
McAfee Employee cdinet
Message 2 of 18

Re: ENS WC Block/Allow PAR causing other effective policies to change

ENS does not support multi-slot policy assignments.  If you have a PAR, that will take precedence over system tree assignments and that is the policy that will be applied, not a combination of both.


mtatro
Message 3 of 18

Re: ENS WC Block/Allow PAR causing other effective policies to change

Do you have any good articles of reference for this? I was hoping for some good reading material too if there is something.

Also, does it replace all ENS policies or just the product (like WC only and does not affect TP)?

Thanks for the reply, I do appreciate it.
McAfee Employee cdinet
Message 4 of 18

Re: ENS WC Block/Allow PAR causing other effective policies to change

The product guide for ePO has a section on policy assignment rules. You can tell if a product is multi-slot capable by the behavior in the policy assignment section in the system tree. When you assign a policy for a multi-slot product and click edit assignment, you will see policy1, policy2 sections, etc. where you can choose multiple policies. ENS or VSE is not multi-slot capable. So whatever policy is assigned, whether by system tree or PAR, that is the ONLY policy it will enforce.

It only affects the policy that the PAR specifies by product, category, and policy name. So, if you have a WC PAR assignment and not a TP one, the system tree assigned policy for WC will not be applied, but the PAR one will, whereas for TP, the system tree assigned policy will be applied.


mtatro
Message 5 of 18

Re: ENS WC Block/Allow PAR causing other effective policies to change

I have read the part for Policy Assignment Rules but I did not see it mention compatibility with ENS. I also looked through the install guide, product guides, and common guide for ENS and did not see anything mentioning PARs there.

ENS seems to be multi-slot capable through system tree policies, just not multi-slot PAR (even though it still says so when selecting it).

Going back to the affected parts, what seemed weird to me was applying a policy by PAR for Block/Allow only also caused changes to the applied policy for the Content Actions (another multi-slot, so maybe that's why).

Do you have any documentation or guides on these that can explain all the details/nuances of this interaction and its capabilities?
McAfee Employee cdinet
Message 6 of 18

Re: ENS WC Block/Allow PAR causing other effective policies to change

There isn't any incompatibility for ENS or any other product. I tested this on my test system. I created a PAR to assign 2 different policies for ENS Web Control, which is multi-slot capable. I sent a wakeup to the system and when it reported back in after enforcing policies, I went to Actions, Directory Management, View Assigned Policies for that system. It shows both assigned and applied via rule.

Endpoint Security Web Control | Block and Allow List | 2 assignments: My Default, testMulti | rule | Applied

So how exactly did you set up your PAR, and what do your assigned policies show for that on a system you applied it to?


McAfee Employee cdinet
Message 7 of 18

Re: ENS WC Block/Allow PAR causing other effective policies to change

Here is my rule:

[Image: rule.png]


mtatro
Message 8 of 18

Re: ENS WC Block/Allow PAR causing other effective policies to change

I was using Web Control user-based PARs, so the machine's listed policies do not seem to change. I was using a mix of test URLs that I marked to block and categories testing from a site (http://www.testingmcafeesites.com).

I assigned a PAR for Block/Allow list that has "site A" blocked. We have a base System-Tree policy for Block/Allow assigned to the machine that blocks "site B".

When the PAR is applied, "site B" is no longer blocked but "site A" is. I believe this is caused because multi-slot PARs replace the system-tree policies for ENS.

However, what is weird is that we also have a System Tree policy for Content Actions that blocks the "Chat" category. When we apply the user-based PAR for Block/Allow (a separate policy type/slot), it also causes "Chat" to no longer be blocked as a category, affecting a different policy entirely.

The PAR only has the single ENS WC Block and Allow List policy applied and does not include what the system would get from the system-tree.
McAfee Employee cdinet
Message 9 of 18

Re: ENS WC Block/Allow PAR causing other effective policies to change

To get a PAR to honor multi-slot policies, you have to have all those policies in that PAR, as in the screenshot I sent you. It will not apply both PAR and system tree assigned; it is either one or the other, and if the PAR applies to the client, that is what gets assigned.

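The precedence described in the replies above, modelled as an added example (not McAfee or ePO code, and not part of any post): for each product/category a PAR names, its slots replace the system tree's slots with no merge, and categories the PAR does not name keep the system tree assignment. The policy names and data layout are constructed for illustration; the check reports which block entries disappear when a PAR is introduced.

```python
# Added example: a model of the precedence stated in the replies, using
# constructed data. It does not call any ePO API.

WC_BAL = ("Endpoint Security Web Control", "Block and Allow List")
WC_CA = ("Endpoint Security Web Control", "Content Actions")

# {(product, category): [(policy name, blocked entries), ...]}  one tuple per slot
SYSTEM_TREE = {
    WC_BAL: [("base list", {"site B"})],             # constructed policy name
    WC_CA: [("category blocking", {"Chat"})],        # constructed policy name
}
# PAR carrying only the additional list (the setup described in message 8)
PAR_SINGLE = {WC_BAL: [("user list", {"site A"})]}
# PAR carrying every slot that should stay in force (the advice in message 9)
PAR_ALL_SLOTS = {WC_BAL: [("base list", {"site B"}), ("user list", {"site A"})]}


def effective(system_tree, par):
    """Slots in force per (product, category): the PAR replaces, never merges."""
    result = dict(system_tree)
    result.update(par)
    return result


def blocked(slots):
    """Union of the entries blocked by all slots of one category."""
    return set().union(*(entries for _name, entries in slots))


def coverage_lost(system_tree, par):
    """Entries the system tree blocks that stop being blocked under the PAR."""
    lost = {}
    for key, par_slots in par.items():
        gone = blocked(system_tree.get(key, [])) - blocked(par_slots)
        if gone:
            lost[key] = gone
    return lost


if __name__ == "__main__":
    for name, par in (("single-slot PAR", PAR_SINGLE), ("all-slot PAR", PAR_ALL_SLOTS)):
        print(name, "loses:", coverage_lost(SYSTEM_TREE, par) or "nothing")
```

Under this model the single-slot PAR drops "site B" while Content Actions stays with the system tree, so a lost "Chat" block on a live system is behaviour the stated rule does not account for.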

mtatro
Message 10 of 18

Re: ENS WC Block/Allow PAR causing other effective policies to change

Here's a picture of the summary.

[Image: 2018-07-10 14_03_21-Window.png]
