Firewall Control and OS Security

SW EDR Firewall Control on Windows

In Windows Security Center, SW EDR Firewall Control is registered in two Network Firewall categories:

  • NET_FW_RULE_CATEGORY_FIREWALL
  • NET_FW_RULE_CATEGORY_BOOT

The SW EDR EPP registers as Virus protection.

SW EDR Firewall Control does not register in these categories:

  • NET_FW_RULE_CATEGORY_STEALTH
  • NET_FW_RULE_CATEGORY_CONSEC

Windows Firewall can be registered in the other two categories.

When EDR Network Control is enabled on Windows endpoints, it becomes the active firewall. EDR Network Control takes control, but it does not modify rules that belong to other firewall solutions on the endpoint.

Rules that were created directly in Windows Firewall become inactive, even if no EDR Network Control firewall rules are enabled.

WFP (Windows Filtering Platform) arbitrates between all firewall rules on the endpoint, both those created by the EDR Agent and those created by other firewall solutions. EDR Network Control firewall rules for blocking and allowing traffic are created with the highest weight that WFP allows. If rules created by other firewall solutions have a lower weight in WFP, the EDR Network Control firewall rules take priority.

If endpoints have rules from a GPO or from a different firewall solution, those rules might not take effect when they contradict the Network Control firewall rules configured in the EDR Policy.

From Windows Agent version 4.3, this behavior is configurable. To continue the default behavior where SW EDR Firewall Control Allow rules override lower-weight Blocking rules created by third-party applications, keep the configuration of the parameter firewallControl.allowOverridingUserDefinedPermitFilters set to true.

To configure SW EDR Firewall Control Allow rules to stop overriding lower-weight Blocking rules created by third-party applications, either run the following command:

sentinelctl config firewallControl.allowOverridingUserDefinedPermitFilters false -k "passphrase"

or add the following to the Policy Override page:

{
  "firewallControl": {
    "allowOverridingUserDefinedPermitFilters": false
  }
}

These configuration changes do not impact:

  • The behavior for Network Control Firewall Block rules
  • The behavior for Network Control Firewall permanent rules, such as those that allow Management to Agent communication
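The following Python model is an added example and is not SentinelOne code. It encodes the precedence behavior described above (EDR rules carry the highest WFP weight; with allowOverridingUserDefinedPermitFilters set to true an EDR Allow rule beats a lower-weight third-party Block rule, with false it does not; EDR Block rules and permanent rules are unaffected either way) so that both settings can be compared on the same constructed rule set. The rule names, the weight values, the flow attributes, and the subset-matching logic are all constructed for illustration, and build_policy_override() only produces the Policy Override JSON fragment shown on this page.

```python
import json
from dataclasses import dataclass, field

# Assumption: "highest weight allowed by WFP" is modelled as this constant;
# third-party rules in the sample set use anything lower.
EDR_WEIGHT = 0xFFFF


def build_policy_override(allow_overriding: bool) -> str:
    """Return the Policy Override JSON fragment (valid JSON, no trailing comma)."""
    doc = {"firewallControl": {"allowOverridingUserDefinedPermitFilters": allow_overriding}}
    return json.dumps(doc, indent=2)


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # "edr" or "thirdparty" (constructed labels)
    action: str          # "allow" or "block"
    weight: int          # WFP weight; higher is evaluated first
    permanent: bool = False          # e.g. Management-to-Agent communication
    match: dict = field(default_factory=dict)  # flow attributes the rule applies to

    def matches(self, flow: dict) -> bool:
        # A rule applies when every attribute it names equals the flow's value.
        return all(flow.get(k) == v for k, v in self.match.items())


def decide(rules, flow, allow_overriding_permit: bool):
    """Return (action, winning_rule_name) for one flow under the given setting."""
    # Highest weight first; among equal weights, permanent EDR rules sort first.
    matching = sorted((r for r in rules if r.matches(flow)),
                      key=lambda r: (r.weight, r.permanent), reverse=True)
    if not matching:
        return ("allow", None)   # assumption: no matching rule means no block
    winner = matching[0]
    # Only a non-permanent EDR Allow rule is affected by the setting.
    if (winner.source == "edr" and winner.action == "allow"
            and not winner.permanent and not allow_overriding_permit):
        for lower in matching[1:]:
            if lower.source == "thirdparty" and lower.action == "block":
                return ("block", lower.name)   # third-party Block is honoured
    return (winner.action, winner.name)


# Constructed sample rule set: three EDR rules and two GPO-style third-party rules.
RULES = [
    Rule("edr-allow-https", "edr", "allow", EDR_WEIGHT, match={"port": 443}),
    Rule("edr-block-telnet", "edr", "block", EDR_WEIGHT, match={"port": 23}),
    Rule("edr-mgmt", "edr", "allow", EDR_WEIGHT, permanent=True,
         match={"app": "SentinelAgent.exe"}),
    Rule("gpo-block-browser", "thirdparty", "block", 0x1000, match={"app": "browser.exe"}),
    Rule("gpo-block-agent", "thirdparty", "block", 0x1000, match={"app": "SentinelAgent.exe"}),
]

# Constructed sample flows.
BROWSER_HTTPS = {"app": "browser.exe", "port": 443}
BROWSER_TELNET = {"app": "browser.exe", "port": 23}
AGENT_HTTPS = {"app": "SentinelAgent.exe", "port": 443}

if __name__ == "__main__":
    for setting in (True, False):
        print(f"allowOverridingUserDefinedPermitFilters={setting}")
        for label, flow in (("browser https", BROWSER_HTTPS),
                            ("browser telnet", BROWSER_TELNET),
                            ("agent https", AGENT_HTTPS)):
            print(f"  {label:15} -> {decide(RULES, flow, setting)}")
    print(build_policy_override(False))
```

Running the block prints the outcome of each sample flow under both settings: the browser HTTPS flow is the only one whose result changes, while the EDR Block rule and the permanent Management-to-Agent rule decide their flows identically regardless of the setting.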