Push policies to hosts
Push a policy (this applies to both Host policies and User policies) when you want to monitor hosts against the policy rules or enforce the rules on them. Ensure that the policy contains all the necessary rules and is set to take the intended actions (Policy settings) when applications and/or processes violate those rules.
When you initiate a policy push from your Xprotect instance, the following happens:
- Xprotect's job scheduler schedules a job to push the policy to the hosts in the groups to which the policy is applied. The actual time at which the policy is pushed to the hosts depends on when the last operation was performed on the hosts and on the duration you specify for the Agent Fetches Command Every option (on the Policies > Policy Settings > Advanced page) for the policy.
- For hosts that are reachable from the Xprotect instance, the policy is pushed as a response to the next heartbeat from the hosts. For hosts that are Offline or Unreachable, the job to push the policy remains scheduled, and the policy is pushed when the hosts become reachable from the instance.
  See Policy push status for more details.
- After the policy is pushed to a host, the log file for the agent on the host is updated with the name and version ID of the policy.
Before you push policies
Before you push a policy to the hosts, you must have:
- Created the policy, preferably by following the best practices for creating Xprotect policies. This goes a long way when you need to tweak policies later. See Xprotect policy creation guidelines for more details.
- Applied the policy only to the intended groups of hosts. You can apply a policy to multiple groups of hosts. Pushing a policy to an unintended group can unexpectedly change the rules on the hosts. See the Groups column for the policy (on the Policies page) and apply or remove the policy from groups that do not need the policy. See Create groups of hosts for more details.
  You will not see the Push Policy menu item for a policy (on the Policies page) if you have not applied the policy to at least one group of hosts.
- Configured whether the policy rules must work in the Monitor mode or the Enforce mode, and whether alerts must be shown (on the Alerts page) for policy violations. See Xprotect Policy Settings for more details.
- Ensured that all the hosts in the groups are reachable from the Xprotect instance. Filter the Hosts page by the target groups and see the Name column to verify that the hosts are Online. See Manage hosts in Xprotect for more details.
Push policies
If you want to push a policy immediately, you must reduce the duration of the Agent Fetches Command Every option (on the Policies > Policy Settings > Advanced page). This reduces the duration between successive job schedules in the instance, and the policy will be pushed sooner.
Policy push status
You must always monitor the status of a policy push after you initiate the push from the Xprotect instance. This ensures that all the hosts in all the groups to which the policy is applied are protected with Xprotect policy rules.
Status column
Check the Status column on the Policies page for the status of policy pushes. You will always see one of the following statuses.
| Status | Description | Action |
| | The policy has never been pushed to the hosts. | Apply the policy to one or more groups and push it to the hosts in the groups. |
| | The policy was successfully pushed to all the hosts in the groups to which the policy was applied. All the hosts in the groups are now protected by the policy. | No action required |
| | The policy push is a partial success, and the policy was pushed only to some of the hosts in the groups to which the policy was applied. The policy push to other hosts is 'scheduled', and the other hosts are currently not protected by the policy. | The hosts on which the policy is not pushed (other hosts) are Offline or Unreachable. Enable connectivity between the other hosts and Xprotect instance, and the policy will be automatically pushed to the other hosts. |
| | The policy push failed, and the policy was not pushed to any of the hosts in the groups. The policy push to all the hosts is 'scheduled', and they are currently not protected by the policy. The hosts are not reachable, or Xprotect failed to push the policy. | The hosts on which the policy is not pushed (other hosts) are Offline or Unreachable, or Xprotect failed to push the policy. Enable connectivity between the hosts and Xprotect instance, and the policy will be automatically pushed to the hosts. If Xprotect failed to push the policy, push the policy again. |
| | The policy push is still in progress, and the policy has been modified after the push was initiated. Some of the hosts in the groups do not have the previous version of the policy, and none of the hosts have the new version of the policy. | Push the policy again to apply the new version of the policy to all the hosts in the groups. |
| | The policy has been modified after it was successfully pushed to all the hosts in the groups. None of the hosts have the new version of the policy. | Push the policy again to apply the new version of the policy to all the hosts in the groups. |
Status Details area
Expand the row for a policy to see the real-time status of a policy push. The Status Details area shows the number of hosts on which the policy push succeeded, failed, is scheduled, or is in progress, along with a filtered view of those hosts.
Audit logs
Go to the Audit Logs page and filter the page by Audit Action (Push Policy and/or Save and Push Policy) to verify the status of a policy push. The Audit Status column will show Partial Success until the policy is pushed to all the hosts in the groups.