I would still like to know what the big difference in handling firewall rules is between V3 and V4.
[at]languy99: Are you sure about that difference? You weren't right about where the config is stored, so may I ask you what precisely the difference is that makes rules much easier now?
It depends how you use CIS 4, [Edit: and mostly affects Defense plus
If you switch the sandbox on, you'll mostly either leave files in the sandbox, make them safe, or they will be automatically declared safe. Both 'states' (safe and sandboxed) have 'one size fits all' fixed policies. You'll only end up making CSP rules for the exceptions, and most of these will be to declare files as 'installer-updaters' - also a fixed policy in V4. You won't make many customised rules via alerts because the sandbox will suppress the alerts. Compare this with v3 - most files ended up with customised rules due to answers to alerts, and all the policies were themselves customisable.
So its probably best to say that 'rule complexity' will be reduced if you use v4 as intended.
If you import [Defense plus] rules from v3, then you have two sets of rules working in different ways - the sandbox-related fixed policies and the v3 variable policies and customised rules. Working out the 'resultant set of policy' as M$ would have it, will be a challenge & and the greater total number of rules, policies and policy instatiations that will result will probably slow things down (which was Chiron's point).
Incidentally there is no documentation of what over-rides what in terms of Defense plus/sandbox fixed policies and variable rules & policies. I have asked for feedback from the devs on this but have still to receive it. Anyone who wants to experiment, please tell me what happens! (I will ask again today!).
What have I done re Defense plus and the sandbox? Pretty much what Chiron recommends. Clean install, no import, Proactive security. Sandbox on, for a quieter life once you get over a few files that don't want to be un-sandboxed. This latter may take a bit of work. Everything I know to be safe and which isn't auto-detected goes into My Safe Files. I don't use the CSP hardly at all, except for the few files that need unlimited access and are not automatically detected by CIS4. These go in the CSP as installer-updaters.
(NB I have a very complex software installation!)
Basically this is working with the grain of CIS4, not trying to turn it back into v3. It gives pretty high security with low to medium hassle, and will be even better when the sandbox is mature.
For the greatest possible security you can turn CIS4 into a more secure version of V3. Sandbox off, paranoid mode etc etc.
Hope this helps