
Firewall Policy Update Loses Checksums

We manage our enterprise deployment of Sophos through the SEC. Our laptops when they are outside of our network have their Firewalls enabled and users are prompted to allow checksums and applications etc. 

Whenever we update the Firewall policy, even something as simple as just ticking a box somewhere, once the client gets the policy update, all of the checksums are wiped and they are then prompted for all of the applications again.

Is there a way we can do firewall policy updates while preserving the checksums?

  • Hello hobbsieoz,

    as you have seen any change in a policy (perhaps even closing the edit dialog with OK rather than Cancel) results in the policy applied to the clients.

    While Export/Import of a configuration offers a "merge" its semantics are not self-evident. The process is not naturally unambiguous and will, no matter how the merge process is defined, produce unexpected and likely unwanted results - unless two source configurations are carefully crafted. There's a very succinct article (Expected behavior when merging two firewall policies together) illustrating one quandary - there are others as well. There is a limited set of configuration items and I guess the process could in theory be unambiguously defined. But for it to produce the desired results you'd have to have control over both sets to be merged - which clearly isn't the case here.  As an only loosely related aside (and an example of potential intricacies) please see the paragraph "Exceptions in Dual Location mode" in Understanding Location Awareness and Dual Location.

    A central policy and interactive mode are an oxymoron. Anyway the users have to have (AFAIK) administrator rights in order to be able to add checksums, thus they can manipulate the configuration at will. Are these checksums for different (updated) versions of known applications or also "new" applications (which would then need their set of rules as well)?

    Basically there's only one way to deal with this situation: Put these laptops in a group with a "dummy" policy (and never touch this policy, move the endpoints to a different group or use Comply with -> All Group Policies). The drawback is that in most cases the users have to replicate possible central changes manually.

    when they are outside of our network have their Firewalls enabled

    Are you using Dual Location with Allow All set for the Primary? Or?

    Sorry to be of not much help. BTW: It might be a good idea to (automatically) make a versioned backup of the configuration on the clients, guess copying Configuration.conf should suffice.  

    Christian

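Christian's closing suggestion is to make an automatic, versioned backup of the client's firewall configuration by copying Configuration.conf. The PowerShell script below is an added example of one way to do that; it is not from the thread and not Sophos' own tooling. The source path, backup directory and retention count are placeholders/assumptions, since the post names the file but not its location. It skips the copy when the file is byte-identical to the newest backup, writes a SHA-256 line beside each copy so a later restore can be verified, and prunes old versions.

```powershell
# Added example, not from the thread: versioned backup of the client
# firewall configuration file that Christian's post suggests copying.
# All three parameter defaults are assumptions/placeholders; adjust them
# to where Configuration.conf actually lives on your clients.
param(
    [string]$SourceFile = 'C:\PLACEHOLDER\Sophos\Configuration.conf',   # assumption
    [string]$BackupDir  = 'C:\ProgramData\FirewallConfigBackups',       # assumption
    [int]$Keep = 20                                                     # versions to retain
)

if (-not (Test-Path -LiteralPath $SourceFile)) {
    Write-Error "Source file not found: $SourceFile"
    exit 1
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Hash the live file; if the newest backup already matches, there is nothing to do.
$currentHash = (Get-FileHash -LiteralPath $SourceFile -Algorithm SHA256).Hash
$latest = Get-ChildItem -LiteralPath $BackupDir -Filter 'Configuration_*.conf' |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest -and
    (Get-FileHash -LiteralPath $latest.FullName -Algorithm SHA256).Hash -eq $currentHash) {
    Write-Output "Unchanged since $($latest.Name); no new version written."
    exit 0
}

# Timestamped copy so several versions can coexist.
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$dest  = Join-Path $BackupDir "Configuration_$stamp.conf"
Copy-Item -LiteralPath $SourceFile -Destination $dest

# Record the hash next to the copy so a restore can be checked against it.
"$currentHash  $(Split-Path -Leaf $dest)" |
    Add-Content -Path (Join-Path $BackupDir 'SHA256SUMS.txt')

# Retention: drop everything older than the newest $Keep versions.
Get-ChildItem -LiteralPath $BackupDir -Filter 'Configuration_*.conf' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    Remove-Item

Write-Output "Backed up to $dest"
```

Run it from a scheduled task (for example shortly before a known policy push, or on a fixed interval) under an account that can read the file; restoring is a matter of copying the wanted version back, subject to the same administrator-rights point Christian makes about editing the configuration on the client.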