Creating and Editing Firewall Rules

Create rules for a specific scope to allow or block network traffic. When you create a rule with tags, all scopes that subscribe to that tag will get the rule.

When you create a rule, it applies to the selected scope of the Management Console:

  • For network traffic to match a rule, all parameters of the rule must match the traffic.
  • The default for each parameter is Any, which means that no restriction is defined for that parameter.
  • You can create one clean-up rule, with the Action of Allow or Block and with no other parameters defined explicitly. Make this the default rule at the end of your rule list. Traffic that does not match any other rule first will match this rule. If you do not have a clean-up rule to match all traffic, the default Firewall Control behavior is to allow traffic that is not explicitly blocked.
  • For all other rules, you can leave all parameters as Any except for at least one parameter that you choose to define explicitly.
  • Exception: For Linux endpoints, if you specify a local or remote port, you must also specify a Protocol.

Firewall Rule Attributes

  • Rule Name - A descriptive name for the rule. It must be different from the names of the other rules in the scope.
  • Protocol - The IP protocol the rule applies to. All standard protocols are supported; select one protocol from the list.
    • Any - Protocol is not defined
  • Application - Apply the rule to the connections to and from the named application. The rule only applies to the application if it is in the defined location on the endpoint. Firewall Control does not block the launch of the application, only its connections. Enter the full path name, including the application. Applications are not supported with Linux Agents.
    • Any - Application is not defined
  • Direction
    • Inbound - The rule applies to traffic that is received on an endpoint
    • Outbound - The rule applies to traffic that leaves an endpoint
    • Any - The rule applies to inbound and outbound traffic
    • Optional: Define the Local host
    • Optional: Define the Remote host
  • Local host - The local IP address or range of addresses for the endpoints that the rule applies to. For Inbound traffic, the local host is the destination; for Outbound traffic, the local host is the source. IPv4 or IPv6.
    • Any - Local host is not defined
    • Address - Enter an IP address
    • CIDR - Enter an IP range in CIDR format
    • Range - Enter an IP address range start and end
  • Local port - The local port or range of ports that the rule applies to
    • Any - Local port is not defined
    • Single string - Enter a port number
    • Range - Enter a port number range start and end
  • Remote hosts - One or more remote hosts as the source for Inbound traffic or the destination for Outbound traffic. IPv4 or IPv6. (Multiple Remote hosts are supported from the Houston version.) FQDN Remote Hosts are not supported with Linux Agents.
    • Any - Remote host is not defined
    • FQDN - Enter a hostname in FQDN format, for example, www.webserver.org or mailserver.example.com (not supported for Linux)
    • Address - Enter an IP address
    • CIDR - Enter an IP range in CIDR notation
    • Range - Enter an IP address range start and end
  • Remote port - The remote port or range of ports that the rule applies to. For Linux, if you specify a port, you must also specify a Protocol in the rule.
    • Any - Remote port is not defined
    • Single string - Enter a port number
    • Range - Enter a port number range start and end
  • Locations - Add one or more locations from Settings > Locations to make the rule apply only in specific locations. Uncheck the All option to select one or more specific Locations for the rule. From version Liberty, all location values in the rule apply; the feature cannot be disabled. Locations are not supported with Linux Agents.
  • Action - Define whether Agents Block or Allow IP packets that match the rule parameters.
  • Status - State of the rule:
    • Enabled - Active if Firewall Control is enabled
    • Disabled - Not active
Note: Some processes, such as PowerBI, VMware Remote Console (VMRC), and Webex, require use of the loopback IP address (127.0.0.1), also referred to as localhost.

If you have an application that requires loopback connectivity, create an Allow rule for the loopback addresses (127.0.0.1 and ::1) and place it above any rules that block this traffic.
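As an added illustration of the matching behavior listed at the top of this page (all parameters must match, Any imposes no restriction, first match wins, a clean-up rule at the end, allow by default when nothing matches) and of the loopback ordering note above, the Python below simulates rule evaluation. It is not code from the product or its documentation; the Rule fields, the packet dictionary and the sample addresses are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
ANY = None  # a parameter left at its default, Any, imposes no restriction

@dataclass
class Rule:
    name: str
    action: str             # "Allow" or "Block"
    protocol: str = ANY     # e.g. "TCP"; on Linux, required whenever a port is set
    direction: str = ANY    # "Inbound" or "Outbound"
    remote_host: str = ANY  # Address "10.0.0.5", CIDR "10.0.0.0/24" or Range "10.0.0.1-10.0.0.9"
    remote_port: str = ANY  # Single "443" or Range "8000-8080"
    enabled: bool = True    # a Disabled rule is never active

def host_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if "-" in spec:  # Range: start and end address, inclusive
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)  # Address or CIDR

def port_matches(spec, port):
    lo, _, hi = spec.partition("-")  # "443" or "8000-8080"
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    # All parameters of the rule must match the traffic; Any always matches.
    return (rule.enabled
            and rule.protocol in (ANY, pkt["protocol"])
            and rule.direction in (ANY, pkt["direction"])
            and (rule.remote_host is ANY or host_matches(rule.remote_host, pkt["remote_ip"]))
            and (rule.remote_port is ANY or port_matches(rule.remote_port, pkt["remote_port"])))

def decide(rules, pkt):
    # Rules are checked in list order, first match wins; with no clean-up rule, unmatched traffic is allowed.
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "Allow", "default (no rule matched)"

def linux_rule_valid(rule):
    # Linux endpoints: a rule that specifies a port must also specify a Protocol.
    return rule.remote_port is ANY or rule.protocol is not ANY

# Constructed rule set: loopback Allow above the Block rules, clean-up Block rule with no other parameters last.
RULES = [
    Rule("Allow loopback", "Allow", remote_host="127.0.0.1"),
    Rule("Block lab TCP", "Block", "TCP", "Outbound", "192.0.2.1-192.0.2.50", "8000-8080"),
    Rule("Clean-up", "Block"),
]
```

Swapping the first two rules makes the same loopback packet fall through to the clean-up rule, which is the misconfiguration the note above warns about.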

Rule Creation

To create a rule:

  1. Open the EDR Policy where a rule is to be added
  2. Navigate to the Network Control tab
  3. Click New rule
  4. In the New Rule dialog that opens, enter the details of the rule:
    • Rule name - Enter a descriptive name for the rule. The rule name must be different from the other rule names in the scope
    • OS Type - Select one or more OS for the rule: Windows, macOS, or Linux
    • Tag - Optional: Select one or more existing tags or enter a new tag to divide your catalog of rules into different firewall policies. See Managing Firewall Rules with Tags. The tags that existed in versions before Liberty, which were used as labels for searching, are now part of the Description
    • Description - Optional: Enter text to describe the purpose of the rule or other important information related to the rule
    • Scope - This is taken automatically from the currently selected EDR Policy
    • Action - Select Allow or Block to define whether Agents block or allow network traffic that matches the rule parameters
  5. Click Continue
  6. In the window that opens, define the parameters of the rule
    • Click + to expand each parameter.
    • Click Close to minimize a parameter.
    • Press 'Tab' to move to the next parameter.

    Parameters that are not explicitly defined are set to the default value, which is Any.

  7. By default, a rule is NOT active until you enable it. Click Enable rule immediately after saving to create the rule in Enabled state
  8. Click Save

Enable or Disable a rule

If a rule is Disabled, it is never active but shows in the policy with the Disabled Status.

If a rule is Enabled, it is active if Firewall Control is enabled. If Firewall Control is disabled for the rule's scope, the rule keeps the Status Enabled but is not active. It will become active automatically if Firewall Control is enabled.

To enable or disable a rule:

  1. Edit the Policy where a rule is to be enabled or disabled
  2. Navigate to the Network Control tab
  3. Select one or more rules
  4. Click Actions and select Enable or Disable

Edit a Rule

To edit a rule:

  1. Edit the Policy where the rule to be edited is located
  2. Navigate to the Network Control tab
  3. Click a rule
  4. In the Rule Details window, click Edit
  5. Make changes in the Rule Details, or click Continue to open the next page of the Rule Details and change the rule parameters
  6. Click Save changes