BillTheNerd, posted April 19, 2016

Something new I have come across today, wondering if anyone else has experienced this and what they did about it:

I created a policy in my ERA server (v6.3), to apply to ESET Endpoint Security (v6.3) clients, to create an "Allow" personal firewall rule for an application that needs inbound and outbound access. The policy setting was Applied, but not Forced.

As soon as the agents updated to include this policy, users could no longer Add, Edit or Delete their own firewall rules. They could only view them. This means that they cannot create their own rules, plus the Interactive mode in the firewall no longer functions since they cannot add new rules based off events triggered.

It seems like this behaviour is a mistake. If the policy setting is only applied, shouldn't users be able to edit their rules themselves? And even if it was forced, shouldn't they still be able to add/edit/delete their own rules?

21jags, posted April 19, 2016 (edited April 19, 2016 by 21jags)

Hi Bill,

Make note that if you change any setting from the ERA console, then it restricts the user (at the client end) from making any change in the antivirus application. You can only view the settings made.

I don't think this behavior is a mistake. You can change the Personal firewall filtering mode to learning mode to allow all inbound and outbound traffic.

If you want to allow the user to add/edit/delete, then what's the need for applying the policy from the ERA console end????

MichalJ (ESET Staff), posted April 19, 2016

Hello,

We are currently tracking an improvement to allow adding user-defined rules, even in case there are some rules enforced by ERA policy. However, this requires larger changes in the product code, so I can't comment on the expected delivery date.

As of now, the concept is that once the setting is set from ERA, it becomes read-only for the user. Larger lists are, as of now, handled in such a way that one list = one setting. We would like to adjust this behavior, to allow merging of policy / user rules at some level.

mackintire, posted April 20, 2016 (edited April 20, 2016 by mackintire)

Not being satisfied by the response from ESET...

I've discovered I can use a policy as a template to deploy my preferred settings, then move those users to use another policy that unlocks (no preference) the settings I want them to be able to modify. (The first policy's settings stay.)

This does NOT prevent the user from changing the unlocked settings or deleting settings, and I have informed our users that if they choose to do so, we may reapply the default preferences again...wiping out their personal settings to enforce the default policy.

I've also created another forced policy to turn features back on, which I can dump users into...for a short time to change their settings to what I want...regardless of their choices (like re-enabling AV protection).

The only omission for the above is visibility/notification of compliance compared to the baseline policy.

It's not perfect but it's better than the....so sorry our product cannot do X response, thanks for all the fishes...

MichalJ (ESET Staff), posted April 20, 2016

Thank you, mackintire, for your inputs. What you have shared is a very nice workaround, taking into account the current state of things in ESET products. It really works as you have described (apply policy, remove "apply flag" to "unlock the settings", and let the users change what they want ...).

It requires more manual work, and supervision, to achieve the desired state (required rules are enforced, and user-defined rules are applied on top). This will be covered with the improvement/change I was talking about, as I got the impression that that was the result the customer above was trying to achieve.