This topic has been closed due to inactivity. If you would like to discuss this topic further, please start a new post.
You can reference this topic in your post by adding this link:
You can find parts of this content in Japanese in the following Community KB article: https://community.f-secure.com/t5/ビジネスセキュリティ/PSB-Computer-Protection-Windows/ta-p/107966
This article gives an overview of the kind of 'Firewall' and 'Scheduled Scanning' conflicts that can occur during the profile migration and gives some tips about how this can be resolved.
To see more information about what a conflicting profile is, see section the section titled 'What is a profile with conflicts?' in the article Computer Protection Migration
Firewall Rule Conflicts
You have firewall rules where both Allow and Deny rules are defined for same protocol, port and direction. Workstation profile firewall rules have priority order to decide which rule gets processed first. Since Computer Protection uses Windows Firewall behind the scenes, this causes apparent conflicts in firewall rules due to the order in which Windows Firewall rules are executed (Refer https://technet.microsoft.com/es-es/library/dd421709(v=ws.10).aspx).
Below you can see an example scenario of 2 custom rules added to the 'Office' firewall profile in Workstation profiles, that has resulted in a conflict in firewall profile.
In a Workstation client,
1. Two firewall rules in 'Office' Profile of Workstation 12 which result in conflicts in Computer Protection
After this rule is migrated to the Computer Protection Client,
2. Corresponding migrated firewall rules in 'Normal Workstation' profile of Computer Protection
How will you know of such conflicts?
The profile migration we have built for you handles the identification of such conflicts and we mark these profiles as 'Needs Review'. By Clicking on the button "View all profiles with issues" in the profiles tab, you will be re-directed to a new page which lists such profiles that need review.
3. Profiles that have conflicts can be accessed from the button → 'View all profiles with issues'
4. 'Conflicting profiles' listing view, where you can access all profiles which have conflicts and needs attention
How can you fix them?
Each of the profiles with conflicts needs to be reviewed explicitly. After making changes to the corresponding section of the profiles and closing the warning dialog, you will be provided with an option to 'Accept and publish'. By clicking on this, you are resolving the conflict of the profiles
5. Conflicted sections of a profile are highlighted as shown below
6. After making the required changes to the profile, the 'Accept and publish' button pops up.
In this particular case, to achieve the expected behaviour of the firewall profile, it is sufficient to remove the rule, 'Block incoming TCP from all other IPs' (Refer screenshot 2) as the fallback settings of this profile already block unknown inbound connections (Refer screenshot 7)
7. Fallback settings for the corresponding firewall profile
Scheduled Scanning Task Conflicts
You have configured for scheduled scanning tasks more than 1 scanning task and/or task with fields which can't be transformed into Computer Protection format. The new format supports only one scanning task, so we will just migrate the 1st scanning task which has the less number of field inconsistencies
The Computer Protection client has a different scheduled scanning functionality than the Workstation client. The main cases are:
This leads to a situation when scheduled scanning settings may not be migrated as is.
There are 2 scheduled tasks in old profile to migrate:
In the new profile, you have to choose between weekly and daily, you can't have them both at once. Also, it is not possible to define more than one execution time, so you can't combine 9:00 and 12:00.
It means that we can take just one task to migrate.
We have a task with the following options:
In the Computer Protection profile, we don't have the option to run once, available choices are: daily, weekly, monthly. Also, we don't have combined time and idle options, we have to choose one or another (just as with weekly and daily in the previous example). So, practically this task can't be mapped without changing its peridiocity and time/idle options or, if having multiple tasks in the old profile, skipping it at all in favour of another task with fewer conflicts.
8. Example scheduled scanning tasks in a Workstation profile which leads to conflicts during migration
How to Solve?
If one of the profiles you migrated contains a conflict in scheduled scanning tasks, then the section in the profile will be highlighted similar as above (Refer Screenshot 5) and once you make the required changes and click on the 'Accept and Publish' button, the conflict is considered as resolved