Settings Inheritance

Applies To: WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

By default, all computers and devices on the Computers > My Organization tab inherit the WatchGuard Endpoint Security default settings assigned to the All group. The default settings that come with your WatchGuard Endpoint Security license protect your network before you create and assign custom security settings profiles.

To see the settings assigned to a computer group:

  1. On the Computers > My Organization tab, next to the group you want to see the settings for, click .
  2. Select Settings.

When you assign new security settings to a subgroup, the new settings replace the default settings for all groups and computers in the subgroup. In large networks, this feature saves you time because the settings automatically apply to many computers and devices.

If you do not want to automatically apply settings to a subgroup or if you want to assign different settings to a specific computer or subgroup, you can manually or directly assign settings.

Manually assigned settings take precedence over inherited settings. When you manually assign a new settings profile to a group, all computers and devices below that group use the manually assigned settings, not the inherited or default ones. For more information on how to manually assign settings, see Assign a Settings Profile.

For examples of how settings inheritance works in WatchGuard Endpoint Security, see Examples of Inheritance Rules.

Overwrite Settings

Changes you make to settings in a higher-level group affect the groups, computers, and devices that inherit the settings differently, based on whether they have existing manually assigned or inherited settings.

Subgroups and Computers with No Manually Assigned Settings

When you change settings in a group that are inherited by subgroups and computers that have no manual settings applied, the new settings automatically apply to all subgroups, computers, and devices in the group.

Subgroups and Computers with Manually Assigned Settings

When you change settings in a group that are inherited by subgroups and computers that have manually assigned settings applied, any subgroups or computers with manually assigned settings do not inherit the new settings, regardless of the level. WatchGuard Endpoint Security prompts you to specify whether to keep the manually assigned settings or inherit the settings.

Screen shot of WatchGuard Endpoint Security, Assign Settings dialog box

Keep All Settings

When you select this option, new settings apply only to groups and computers that do not have manually assigned settings. Existing manual settings are retained and the application of new inherited settings stops at the first group or computer with manually configured settings.

Make All Inherit These Settings

When you select this option, all groups and computers inherit the new settings. WatchGuard Endpoint Security overwrites all manual settings and removes all manually assigned settings below the group.

For information on how to remove manually assigned settings and restore inheritance, see Restore Inheritance.

Move Computers and Groups

If you move a single computer with manually assigned settings, the settings move with the computer to the new location. If you move a computer with inherited settings, the inherited settings in the new location overwrite the currently inherited settings.

For information on how to move computers, see Move Computers from One Group to Another.

When you move a computer group with manually assigned and inherited settings to a new location, you must confirm whether you want to replace the current settings with the inherited settings from the new location.

Screen shot of WatchGuard Endpoint Security Move to dialog box

  • To keep the manually assigned settings and replace the inherited settings with the settings in the new location, click Yes.
  • To keep the manually assigned settings and the inherited settings from the current location, click No. The inherited settings convert to manually assigned settings in the new location.

Active Directory and IP-Based Group Exceptions

If a computer is a member of an Active Directory or IP-based group, you must manually assign network settings. This is because a group membership change made in Active Directory could inadvertently change network settings in the WatchGuard Endpoint Security web UI and leave the WatchGuard endpoint agent installed on the affected computer without connectivity and full protection.

If you move a computer from an Active Directory or IP-based group to another group, it does not automatically inherit the network settings assigned to the target group. To prevent settings changes when a computer changes groups in the web UI because of a group change in Active Directory, you must manually assign network settings.

See Also

Manage Groups

Assign a Settings Profile

Examples of Inheritance Rules

Restore Inheritance