Creating a server-specific threat protection policy
Commented on a previous question that I'm just getting started on CCA, and recently purchased a 25-license pack of the Advanced CC.
I need to slice up this 25-license pack and parcel out different license quantities across 3 different customer accounts using TZ units. Right now I'm set up on MSW as a sole tenant under "my" company ID, under which the 25 CCA licenses and all my client TZs are listed.
I need to create separate policies specifically on various customer accounts - to manage the server-side installation of CCA. I need the snapshot feature disabled on "some" servers, but not every server.
I dug into the threat protection policy and see where you can disable snapshots, but I don't see where I can assign "Server Policy A" against "Customer Account A Server". It looks to me that, with "all" customer TZ units resident under my sole tenant ID, any policy created is global in nature and will apply to all units under my tenant ID that have CCA licenses shared against any respective TZ unit.
Long way around, but do I need to create a separate tenant for each customer account - and transfer the respective TZ out of my tenant to this new customer-specific tenant ID - in order to get device-specific policies created?
I have a ticket currently open with support which had to be referred up the ladder, but I get the feeling they're slammed right now with the new version rollout, so posting here to see if I can get any assistance to get this project moving along.
Appreciate any assistance and TIA - B1N
Answers
@b1ntech - creating multiple tenants to manage different customers is always recommended but may not be necessary. Particularly if you have a low number of tenants with fairly standard policies across all endpoints, and the only person logging into the portal is you and your team, then you can have a single tenant with multiple groups.
If you choose that path - what you need to do is create multiple groups. You can create a single group for each customer (maybe based on internal or external IP, or domain or hostname, or even keep it as static groups). You can also create multiple groups per customer (e.g. Customer1-PCs, Customer1-Servers, Customer2-PCs, Customer2-Servers). There's a lot of flexibility to what you can do with groups.
Once you figure out your group structure, each group is a scope in itself and you can define policies for each group. I would recommend reading this chapter in our CC 3.5 Protecting Assets with Security Policies guide.
If you would rather have each customer in different tenants, then I would recommend you either go through our MSSP Monthly or our Flexspend program to gain flexibility with moving licenses around multiple customers. Feel free to reach out to your SonicWall Channel Account Manager for more information on Flexspend or MSSP Monthly.
Thank you Suroop - I think I've made my way through getting groups defined properly under my main tenant umbrella. I had read through your referenced documentation previously but got hung up somewhere along the process, which put me onto this possible separate-tenant need to get device-specific policies set. Your response helped greatly and pushed me to dig in and review again. So I appreciate that.
Previously, I've only manually installed 2 CCAs, both on workstations, up to the point where I stopped further installs in order to get a better understanding of the server installation of CCA.
If you could double-check my config process and answer a question at the end, I would appreciate it:
- Created a "ClientA Workstations" group and manually moved the previous 2 manual installs into this group.
- Created a "ClientA Servers" group to manage a single 2016 server at this account. I have not installed CCA yet on this server.
- Configured as dynamic group - rule of "Device ID | equals | 10.10.10.10".
- "10.10.10.10" is the IP address of the server that needs snapshots disabled.
- Created a non-inherited threat protection policy linked to the "ClientA Servers" group.
- Disabled "snapshots" under the "Advanced Settings" section of this "ClientA Servers" group.
When I install the CCA client onto the server, will the installer reference the "DeviceID = 10.10.10.10" rule in the "ClientA Servers" group and disable snapshots as part of the installation? How do I confirm snapshots are not active after the CCA completes installation?
I think that's it at this point. Again, appreciate your time and assistance - B1N
Any other takers on this that may have stepped thru this process before with installing CCA on a server where snapshots need to be disabled?
I would like to run this by someone who's done this before, before committing to the installation. Server side only, as I feel comfortable with the PC-side installation... thanks -