FW rules from 13 to 14
100 workstations, of which 20 have USB printers shared with other users, so
incoming "windows networking" is disabled on 80 wks and enabled on 20 wks.
Solution in ver 13:
Root level (80 wks) -> disabled
Separate subdomain "Printshares" (20 wks) -> enabled
Solution in ver 14??
Inheritance seems to be different. If I enable a rule in a subdomain, it will be enabled also at root level. Could someone explain how to separate these 80 vs. 20 workstations?
On ver 13 we had a last rule line "block all", and now we don't know whether we should create a similar rule in ver 14 also. If we don't have this line, "windows networking" will be enabled on all 100 wks, which is not safe.
It seems that our own "windows networking" rule (made in the PMC ver 14 rule set) is not working at all. Maybe Microsoft has made its own rules, which have higher preference than those coming from Policy Manager? How should we live with and understand two rule sets, "F-Secure" vs. "Microsoft"??
Do you have any FAQ guide named something like "Deep understanding of Firewall ver 14"??
In V13 we had a ruleset with hierarchical management.
But admins tend to organize their systems by departments and not by technical needs.
Thus having a special rule on one system in each department was a mess, as this rule had to be added to an extra subdomain in that department or to special single hosts in that department. A change to these rules had to be done in various places.
In V14 profiles were introduced. All profiles are bound to the root of your tree.
(I have to admit that knowing the old concept leads to misconfiguration, as the profiles are visible in each subdomain, at least until you have understood this new concept.)
So your experience is correct: any change to a profile is global. To assign a different setup to a subdomain or host you need a different profile, which is done by cloning an existing one.
As mentioned, these profiles are no longer hierarchical; the clone is independent from its original.
Now you can add your special rule to the new profile and choose that profile on the subdomain or host.
Any change done to the profile will automatically change the settings for all systems using that profile, meaning only one change for all hosts with the same technical setup, even if they are located in different subdomains/departments.
While I think this concept is better than the old one, I would have loved to see the profiles still be hierarchical.
Nevertheless, I recommend moving away from USB printers to network printers to be able to close this huge security gap. If your special printers do not have a LAN interface, you had better buy a LAN2USB print server, which are available on Amazon or eBay starting at 12€. These one-time expenses will add a lot to your IT security!