Policy

The Policy page lets you centrally configure the data synchronization settings for Central Management Consoles (CMC) and sensors.

Figure 1. Policy page


General

Guardian and Central Management Console (CMC) deployments each have their own configurations. To simplify management of sensors that are connected to an upstream sensor, centralized configuration is available for:
  • Asset types
  • Alert rules
  • Zone configurations
  • Threat Intelligence

Asset Types definition policy

This dropdown lets you choose between these policies:
  • Local only
  • Upstream only

Local only: Only local asset types are considered. Asset types distributed to the connected sensors from Vantage or the top CMC are ignored.

Upstream only: Asset types are imported by the top CMC or by Vantage. Local asset types configured on any sensor will be ignored.

Alert Tuning execution policy

This section lets you specify a synchronization policy for alert rules from the CMC.

The dropdown lets you choose between these policies:
  • Upstream only
  • Upstream prevails
  • Local prevails

Upstream only: Vantage or the top CMC controls alert rules. Local asset types configured on a sensor will be ignored.

Upstream prevails: When multiple overlapping alert rules that perform the same action match an alert, only the ones received from the upstream CMC/Vantage will be executed. Mute actions created in Guardian will be ignored if at least one rule received from upstream matches the alert.

Local prevails: When multiple overlapping alert rules that perform the same action match an alert, only the ones created in Guardian will be executed. Mute actions received from upstream will be ignored if at least one local rule matches the alert.
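
The three alert rule policies above, modeled as an added Python example (not the product's own code and not part of the original page). The policy identifiers, rule names and action labels other than mute are constructed, and the model assumes that a rule from the non-prevailing side still runs when no prevailing rule performs the same action.

```python
# Hypothetical identifiers for the three dropdown values.
POLICIES = ("upstream_only", "upstream_prevails", "local_prevails")


def executed_rules(matching, policy):
    """Return the names of the rules that run for one alert.

    matching: list of (name, origin, action) tuples for rules that already
              matched the alert; origin is "upstream" or "local".
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if policy == "upstream_only":
        # Rules configured on the sensor are ignored entirely.
        return [name for name, origin, _ in matching if origin == "upstream"]

    winner = "upstream" if policy == "upstream_prevails" else "local"
    # Actions performed by matching rules from the prevailing side.
    winner_actions = {a for _, origin, a in matching if origin == winner}

    result = []
    for name, origin, action in matching:
        if origin != winner:
            # Overlap: a prevailing rule performs the same action.
            if action in winner_actions:
                continue
            # Mute is dropped as soon as any prevailing rule matches,
            # even when that rule performs a different action.
            if action == "mute" and winner_actions:
                continue
        result.append(name)
    return result


# Constructed sample: four rules that all match the same alert.
SAMPLE = [
    ("up-risk", "upstream", "change_risk"),
    ("loc-risk", "local", "change_risk"),
    ("loc-mute", "local", "mute"),
    ("loc-tag", "local", "tag"),
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, executed_rules(SAMPLE, policy))
```

Under Upstream prevails the local mute rule is dropped even though no upstream rule mutes the alert, so a sensor-side mute can silently stop applying once an upstream rule starts matching the same alerts.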

Zone configurations policy

This section lets you specify a synchronization policy for zone configurations from the CMC.

The dropdown lets you choose between these policies:
  • Local only
  • Upstream only

Local only: Guardian controls zone configurations. Zones received from upstream will be ignored.

Upstream only: Vantage or the top CMC controls the zone configurations. Local zones will be ignored.

Threat Intelligence contents management

This section lets you allow sensor users to enable and disable individual Threat Intelligence contents, and to define custom contents.

If the Enable sensor contents toggle is set to off (default), then customization of the Threat Intelligence contents can only be done from the upstream CMC/Vantage.