Settings Inheritance in Subscriber Accounts
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
By default, all computers and devices on the Computers > My Organization tab in a Subscriber account inherit the WatchGuard Endpoint Security default settings assigned to the All group. The default settings that come with your WatchGuard Endpoint Security license protect your network before you create and assign custom security settings profiles.
For information on inheritance of settings in a Service Provider account, go to Multi-Tenant Management — Settings Inheritance for Service Provider Accounts.
To see the settings assigned to a computer group:
- On the Computers > My Organization tab, next to the group you want to see the settings for, click .
- Select Settings.
When you assign new security settings to a subgroup, the new settings replace the default settings for all groups and computers in the subgroup. In large networks, this feature saves you time because the settings automatically apply to many computers and devices.
If you do not want to automatically apply settings to a subgroup or if you want to assign different settings to a specific computer or subgroup, you can manually or directly assign settings.
Manually assigned settings take precedence over inherited settings. When you manually assign a new settings profile to a group, all computers and devices below that group use the manually assigned settings, not the inherited or default ones. For more information on how to manually assign settings, go to Assign a Settings Profile.
For examples of how settings inheritance works in WatchGuard Endpoint Security, go to Examples of Inheritance Rules for Groups and Computers in a Subscriber Account.
Overwrite Settings
Changes you make to settings in a higher-level group affect the groups, computers, and devices that inherit the settings differently, based on whether they have existing manually assigned or inherited settings.
Subgroups and Computers with No Manually Assigned Settings
When you change settings in a group that are inherited by subgroups and computers that have no manual settings applied, the new settings automatically apply to all subgroups, computers, and devices in the group.
Subgroups and Computers with Manually Assigned Settings
When you change settings in a group that are inherited by subgroups and computers that have manually assigned settings applied, any subgroups or computers with manually assigned settings do not inherit the new settings, regardless of the level. WatchGuard Endpoint Security prompts you to specify whether to keep the manually assigned settings or inherit the settings.
Keep All Settings
When you select this option, new settings apply only to groups and computers that do not have manually assigned settings. Existing manual settings are retained and the application of new inherited settings stops at the first group or computer with manually configured settings.
Make All Inherit These Settings
When you select this option, all groups and computers inherit the new settings. WatchGuard Endpoint Security overwrites all manual settings and removes all manually assigned settings below the group.
For information on how to remove manually assigned settings and restore inheritance, go to Restore Inheritance in Subscriber Accounts.
Move Computers and Groups
If you move a single computer with manually assigned settings, the settings move with the computer to the new location. If you move a computer with inherited settings, the inherited settings in the new location overwrite the currently inherited settings.
For information on how to move computers, go to Move Computers from One Group to Another.
When you move a computer group with manually assigned and inherited settings to a new location, you must confirm whether you want to replace the current settings with the inherited settings from the new location.
- To keep the manually assigned settings and replace the inherited settings with the settings in the new location, click Yes.
- To keep the manually assigned settings and the inherited settings from the current location, click No. The inherited settings convert to manually assigned settings in the new location.
Active Directory and IP-Based Group Exceptions
If a computer is a member of an Active Directory or IP-based group, you must manually assign network settings. This is because a group membership change made in Active Directory could inadvertently change network settings in the Endpoint Security management UI and leave the WatchGuard Agent installed on the affected computer without connectivity and full protection.
If you move a computer from an Active Directory or IP-based group to another group, it does not automatically inherit the network settings assigned to the target group. To prevent settings changes when a computer changes groups in the management UI because of a group change in Active Directory, you must manually assign network settings.
Examples of Inheritance Rules for Groups and Computers in a Subscriber Account