
Multiple policies active on single server


Is only one policy applied at a time e.g. under Server Protection?
If I adjust the base policy, for example, do I have to adjust the cloned policies as well?
Is it not possible to apply multiple policies to one server?

I expected the exceptions to the copied policies to be inherited.
When customizing the base policy the copied ones are not updated?

Regards Patrick

Edited tags
[edited by: Gladys at 2:18 AM (GMT -7) on 14 Oct 2022]
  • Hello,

    Thank you for reaching out to the community forum. Yes, only one policy can be applied for server and endpoint clients, and it's impossible to enforce two policies simultaneously.
    When updating a certain policy, like the base policy, the changes will only apply to the base policy itself and not to the other policies available on your Central.
    When you clone the base policy, what is currently applied to the policy settings is the only setting that will be carried on once you clone the policy. Any additional changes after performing the clone will not be reflected in the cloned policy. So if you wish to apply new settings for your existing server, you need to apply them to the existing policy which your server is currently using.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • New Idea!

    Allow multiple policies to be applied. Much like Group Policy Objects in Active Directory, each policy will have its specific function and they layer on top of each other, the ones applied later taking precedence.

    With regards,

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited

  • Hello David Sain1,

    sorry, but this idea isn't new (as you likely have guessed anyway :) ).

    Whether inheritance or multiple assignment, it makes things much more complex.
    Take the case of the OP: An exception is added to the base policy. For some reason you do not want it to take effect on a certain server. For this to work you'd need to be able to either
    • turn off inheritance in a "later" policy - though you'd have to copy the existing exceptions and have to remember that changes in "earlier" policies no longer apply to this one. Same situation as now
    • specify an opposite for every setting - likely fewer problems than with inheritance but you still have to check the "later" policies

    Stacking more than two GPOs that affect the same policy is IMO not a really good idea. You can do a lot with AD, GPOs, filters ... - and you can do a lot of nonsense and even harm. Thus in addition to multiple policies you need the equivalent of RSOP. Can be done but ....:
    As protection policies should not be changed frequently or on a regular basis, and should also be kept as few as possible and as close as possible to the recommended settings, one policy is arguably the better concept when it comes to products like Central.


  • But an option to merge policies would be nice.
    Now if I want to exclude a process on all clients and servers I have to do this manually on all policies.
    This is very tedious.
    This only gets more tedious the more different policies you have created.

  • Hello,

    You can use a global exclusion if you want to exclude some processes on all of your client's devices and servers. You don't need to add the exclusion to each of your policies.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community