Consider a scenario where two policy domains exist, each consisting of multiple rules. As an admin, you cannot always be certain which VMs will end up as members of a group, because VMs are associated with a group based on dynamic membership criteria such as OS name, computer name, user, or tag.
Conflicts arise in the following scenarios:
- A VM is part of two groups, where each group is protected by a different profile.
- A partner service VM is associated with more than one service profile.
- An unexpected rule runs on a guest VM, or a rule does not run on a VM group.
- No sequence number is assigned to policy rules or domains.
Scenario | Expected Endpoint Protection Flow | Resolution |
---|---|---|
A VM gets membership of multiple groups, and each group is protected by a different type of service profile. The expected protection was not applied to the VM. | A VM group created with membership criteria adds VMs to the group dynamically, so the same VM can be part of multiple groups. There is no way to pre-determine which group the VM will be part of, because the membership criteria dynamically populate the group. Consider VM 1, which is part of Group 1 and Group 2. The endpoint protection policy runs the Gold service profile on VM 1 but does not run the Platinum service profile on VM 1. | Change the sequence number of Rule 2 so that it runs before Rule 1. |
A rule associates the same service profile with two VM groups. Endpoint protection does not run the rule on the second VM group. | Endpoint protection only runs the first service profile on the VM, because the same service profile cannot be applied again in any other rule across policies or domains. Consider VM 1, which is part of Group 1 and Group 2. Rule 1: Group 1 (by OS name) is assigned the Gold service profile. Rule 2: Group 2 (by tag) is assigned the Gold service profile. | |
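The following is an added example, not code from the product documentation above: a constructed, simplified model of rule evaluation that lets an admin pre-check which VMs land in more than one group through dynamic criteria, and see how re-sequencing Rule 2 changes the profile that is applied. The first-match-wins ordering, the `VM`, `Rule` and `applied_profile` names, and the sample VM and rules are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Assumption: a simplified model of endpoint protection rule evaluation
# built for this example; it is not the product's own implementation.

@dataclass
class VM:
    name: str
    os_name: str
    tags: Set[str] = field(default_factory=set)

@dataclass
class Rule:
    sequence: int                       # lower sequence number runs first
    group: str                          # VM group the rule protects
    member_of: Callable[[VM], bool]     # dynamic membership criterion
    profile: str                        # service profile, e.g. Gold or Platinum

def applied_profile(vm: VM, rules: List[Rule]) -> Optional[str]:
    """Return the service profile that ends up protecting the VM.

    Modelled behaviour (assumption): rules run in ascending sequence order,
    the first rule whose group contains the VM applies its profile, and
    later matching rules are not run on that VM.
    """
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule.member_of(vm):
            return rule.profile
    return None

def find_conflicts(vms: List[VM], rules: List[Rule]) -> Dict[str, List[str]]:
    """Admin-side pre-check: list VMs whose dynamic criteria place them in
    more than one protected group, with the rules in evaluation order."""
    conflicts: Dict[str, List[str]] = {}
    for vm in vms:
        hits = [r for r in sorted(rules, key=lambda r: r.sequence) if r.member_of(vm)]
        if len(hits) > 1:
            conflicts[vm.name] = [f"seq {r.sequence}: {r.group} -> {r.profile}" for r in hits]
    return conflicts

def resequence(rule: Rule, new_sequence: int) -> Rule:
    """Copy of a rule with a different sequence number (the documented fix)."""
    return Rule(new_sequence, rule.group, rule.member_of, rule.profile)

# Constructed sample: VM 1 is in Group 1 (by OS name) and Group 2 (by tag).
VM1 = VM("VM 1", os_name="Windows Server 2019", tags={"pci"})
RULE1 = Rule(10, "Group 1", lambda vm: vm.os_name.startswith("Windows"), "Gold")
RULE2 = Rule(20, "Group 2", lambda vm: "pci" in vm.tags, "Platinum")
```

Run `find_conflicts([VM1], [RULE1, RULE2])` before deploying a policy to surface VMs that match multiple groups, then compare `applied_profile(VM1, [RULE1, RULE2])` with `applied_profile(VM1, [RULE1, resequence(RULE2, 5)])` to confirm the re-sequencing gives the intended profile.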