Host Firewall for Windows

Control communications on your endpoints based on the network location of your device by using the Cortex® XDR™ host firewall.
Enforce the Cortex XDR host firewall policy in your organization to control communications on your endpoints and gain visibility into your network connections. The host firewall policy consists of unique rules groups that are enforced hierarchically and can be reused across all host firewall profiles. The Cortex XDR host firewall rules are integrated with the Windows Security Center and use the operating system firewall APIs to enforce these rules on your endpoints; your operating system firewall settings themselves are not enforced by Cortex XDR. Once you deploy the host firewall, use the Host Firewall Events table to track the enforcement events in your organization.
To configure the Cortex XDR host firewall in your network, follow this high-level workflow:
  • Ensure you meet the host firewall requirements and prerequisites.
  • Create rule(s) within rule groups
    —Create host firewall rules groups that you can reuse across all host firewall profiles. Add rules to each group and prioritize the rules from top to bottom to create an enforcement hierarchy.
  • Configure a profile
    —Select one or more rules groups into a host firewall enforcement profile that you later associate with an enforcement policy. The profile can enforce different rules when the endpoint is located within the organization’s internal network, and when it is outside. Prioritize the groups within the profile from top to bottom to create an enforcement hierarchy.
  • Configure a policy
    —Add your host firewall profile to a new or existing policy that will be enforced on selected target endpoints.
  • Monitor and troubleshoot
    —View aggregated host firewall enforcement events, or all single host firewall activities the agent performed in your network. Cortex XDR Pro customers can also query the host firewall events using the new host_firewall_events dataset in XQL Search for data and network analysis.

Migration and Backwards Supportability

Host firewall is supported with Cortex XDR agents 7.1 or a later release. Starting with Cortex XDR 3.0 and Cortex XDR agent 7.5, new capabilities were added. Your existing host firewall rules and policies are migrated as follows:
  • Any existing host firewall profile in Cortex XDR 2.9 is converted into a single rules group in Cortex XDR 3.0 and located on the Host Firewall Rules Groups page.
  • If the existing profile contains both internal and external rules, then two groups are created: an external rules group and an internal rules group, and an internal/external suffix is added to the rule name respectively. For example, internal rule-x is renamed rule-x-internal.
  • Cortex XDR 3.0 host firewall includes new features which are supported only with Cortex XDR agents 7.5 and later, such as multiple IP addresses, reporting mode, and more. For an older agent release, existing host firewall rules remain unaffected. However, if you create a rule from Cortex XDR 3.0, or edit an already existing rule that was created in an old Cortex XDR release and add one of these unsupported parameters, the agent could display unexpected behavior and the host firewall policy will be disabled on the endpoint.
    As a result, all migrated rules are set not to report matching traffic by default, and enforcement events are not included in the Host Firewall Events table.

Set Up the Host Firewall

Set up your rule groups and host firewall profile.

Create a Rules Group

Group rules into Rules Groups that you can reuse across all host firewall profiles. A host firewall group includes one or more unique host firewall rules. The rules are enforced according to their order of appearance within the group, from top to bottom. After you create a rules group, you can assign the group to a host firewall profile. When you edit, re-prioritize, disable, or delete a rule from a group, the change takes effect in all policies where this group is included. To support this scalability and structure, every rule in Cortex XDR is assigned a unique ID and must be contained within a group. Additionally, you can import existing firewall rules into Cortex XDR, or export them in JSON format.
  1. Create a group.
    From Endpoints > Host Firewall > Host Firewall Rules Groups, click +New Group on the upper bar.
  2. Fill in general information.
    Enter the name and optional description. To enforce the rules within the group in all policies they are associated with, Enable the group. When Disabled, the group exists but is not enforced.
  3. Create rules within the rules group.
    Create rules within rules groups to allow or block traffic on the endpoint. Use a variety of parameters to fine-tune your policy, such as specific protocols, applications, services, and more. For every group, you need to create its own list of rules. Each rule is assigned a unique ID and can be associated with a single group only.
    • A rule is always part of a rules group. It cannot stand on its own.
    • A rule can belong to one rules group only and cannot be reused in different groups.
    1. Configure rule settings.
      A host firewall rule allows or blocks the communication to and/or from an endpoint. Enter the rule Name, optional Description, and select the Platforms you want to associate the rule with.
      Fine-tune the rule by applying the action to the following parameters:
      • Protocol
        —Select any of the 256 internet protocols:
        • Any
        • Custom
        • TCP
        • UDP
        • ICMPv4
        • ICMPv6
        Once you select one of the available protocols or enter the protocol number, you can specify additional parameters per protocol as needed. For example, for TCP(6) you can set local and remote ports, whereas for ICMPv4(1) you can add the ICMP type and code.
        When selecting an ICMP protocol, you must enter the ICMP Type and Code. Without these values the ICMP protocol is ignored by the Windows and macOS Cortex XDR agents.
      • Direction
        —Select the direction of the communication this rule applies to: Inbound communication to the endpoint, Outbound communication from the endpoint, or Both.
      • Action
        —Select whether the rule action is to Allow or Block the communication on the endpoint.
      • Local/Remote IP Address
        —Configure the rule for specific local or remote IP addresses and/or ports. You can set a single IP address, multiple IP addresses separated by a comma, a range of IP addresses separated by a hyphen, or a combination of these options.
      • Depending on the type of platform you selected, define the Application, Service, and Bundle IDs of the Windows Settings and/or macOS Settings
        —Configure the rule for all applications/services or specific ones only by entering the full path and name. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change.
      • Report Matched Traffic
        —When Enabled, enforcement events captured by this rule are reported periodically to Cortex XDR and displayed in the Host Firewall Events table, whether the rule is set to Allow or Block the traffic. When Disabled, the rule is applied but enforcement events are not reported periodically.
    2. Save rule.
      After you fill in all the details, you need to save the rule. If you know you need to create a similar rule, click Create another to save this rule and leave the specified parameters available for editing for the next rule. Otherwise, to save the rule and exit, click Create.
  4. Prioritize rules.
    The rules within the group are enforced by priority from top to bottom. By default, every new rule is added to the top of the already existing rules in the group, meaning it is assigned the highest priority and will be enforced first. To change the rule priority and order of enforcement within the group, click the rule priority number and drag the rule up or down the table to the proper row. Repeat this process to prioritize all the rules.
  5. Save.
    When you are done, click Create. The new rules group is created and can be associated with a host firewall profile.

Manage Rules Groups

After you create a group, you can perform additional actions. From Endpoints > Host Firewall > Host Firewall Rules Groups, click a group:
  • View group data
    —From the Host Firewall Rules Groups table you can view details about all the existing rules groups in your organization. The table lists high-level information about the group such as name, mode, and number of rules included. To view all rules within a group and all the profiles the group is associated with, click the expand icon.
  • Edit group
    —Right-click the group and Edit its settings.
  • Delete/Disable
    —To stop enforcing the rules within this group, right-click the group and Delete/Disable it. On the next heartbeat, its rules will be removed/disabled from all profiles this group is associated with.
  • Import/Export group rules
    —Using a JSON file, you can import rules into the Cortex XDR host firewall or export them. Right-click the rule and Import/Export.

Manage Rules

After you create a host firewall rule and assign it to a rules group, you can manage the rule settings and enforcement as follows:
  • View/Edit
    —Right-click the rule to view it or edit its parameters.
  • Change priority
    —Change the rule priority within the group by dragging its row up and down the rules list.
  • Delete/Disable
    —To stop enforcing the rule, right-click the rule and Delete/Disable it. On the next heartbeat, the rule will be removed/disabled in all profiles where this rules group is included.

Create a Host Firewall Profile

Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
  1. Create a profile.
    From Endpoints > Policy Management > Extensions Profile, click +New Profile. Select the platform, select Host Firewall, and click Next.
  2. Fill in General Information.
    Enter the profile name and optional description.
  3. Configure Report Settings.
    When the profile operates in report mode, Cortex XDR overrides all rules set to Block traffic. Instead, the traffic is allowed to go through, and the enforcement event is reported as Override Block. You can configure a profile in report mode if, for example, you need to test new block rules before you actually apply them.
  4. Configure Internal and External Rule Groups.
    To apply location-based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled, Cortex XDR enforces the host firewall rules based on the current location of the device within the internal organization network (Internal Rules), enabling you, for example, to enforce stricter rules when the device is outside the office and in a public place (External Rules). If you disable the Location Based option, your policy applies the internal set of rules only, regardless of the device's location.
    Create a New Rule or add a rules group to the Internal/External Groups:
    1. Click +Add Group.
    2. Select one or more groups, and click Add.
      To quickly apply the exact same rules in both cases, select Add as external/internal rules groups as well.
    3. Review the rule group field details.
      The groups are listed according to the order of enforcement from top to bottom. To change this order, click on the group priority number and drag the group to the desired row.
      • Applicable Rules Count
        —Displays the number of rules in the specific group that are associated with the platform profile.
      • Created by
        —Displays the email address of the user that created the rule.
      • Creation Time
        —Date and time of when the rule was created.
      • Description
        —Description of the rule, if available.
      • Group ID
        —Unique rules group ID.
      • Group Name
        —Name of the rules group.
      • Mode
        —Displays whether the rules group is enabled or not.
      • Modified by
        —Displays the email address of the last user that made changes to the group.
      • Modification Time
        —Date and time of when the group was modified.
    4. (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.
    5. Set the Default Action for Inbound/Outbound Traffic in the profile to Allow or Block. The default action applies to all network connections that have not been matched to any other rule in the profile.
  5. Save the profile.
    When you are done, click Create. You can now configure a host firewall policy.

Manage Profiles

After you create the host firewall extensions profile, you can perform additional actions. The changes take effect on the next heartbeat. From Endpoints > Policy Management > Extension Policies, you can:
  • Edit profile
    —Right-click the profile and Edit. Change the profile settings and Save. The change takes effect in all policies enforcing this profile.
  • Delete profile
    —Right-click the profile and Delete. The profile is deleted from all policies it was associated with, while the rules groups are not deleted and are still available in Cortex XDR.

Create a Host Firewall Policy

After you define the required host firewall profiles, configure host firewall policies that will be enforced on your target endpoints. You can associate the profile with an existing policy, or create a new one.
  1. Create a policy.
    From Endpoints > Policy Management > Extensions > Policy Rules, click +New Policy.
  2. Fill in general information.
    Enter the policy name, description, and platform. Click Next.
  3. Select profile.
    Select the desired profile for host firewall from the drop-down list, and any other profiles you want to include in this policy. Click Next.
  4. Select endpoints.
    Select the target endpoints on which to enforce the policy. Use filters or manual endpoint selection to define the exact target endpoints of the policy. Click Done.
  5. Configure policy hierarchy.
    Drag and drop the policies in the desired order of execution, from top to bottom.
  6. Save the policy.
    After the policy is saved and applied to the agents, Cortex XDR enforces the host firewall policies in your environment.

Monitor Host Firewall Activity in Your Network

The Host Firewall Events table provides an aggregated view of the host firewall enforcement events in your network. An enforcement event represents the number of rule hits per endpoint in 60 minutes.
  • The data is aggregated and reported periodically every 60 minutes since the first time the host firewall policy was enforced on the endpoint, not every round hour.
  • The table lists enforcement events only for rules set to Report Matching Traffic.
Every enforcement event includes additional data such as the time of the first rule hit, the rule action, protocol, and more.
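The two points above matter when correlating Host Firewall Events with other telemetry: an endpoint whose policy was first enforced at 09:17 reports windows of 09:17-10:17, 10:17-11:17 and so on, and a rule with reporting disabled produces no event at all even though it is enforced. The following is an added example, not Cortex XDR code, that models that aggregation over a handful of constructed rule hits. The hit records, the event fields and the `host-a` endpoint name are constructed for the example; the real host_firewall_events schema is not assumed.

```python
# Added example (not Cortex XDR code): a model of the aggregation described
# above. Rule hits are bucketed into 60-minute windows counted from the time
# the policy was first enforced on that endpoint, not from the top of the
# hour, and only rules with Report Matched Traffic enabled produce events.
# The hit records and the event fields are constructed for this example.
from collections import OrderedDict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

WINDOW = timedelta(minutes=60)


def aggregate(hits: Iterable[dict], enforced_at: Dict[str, datetime],
              reporting_rules: Set[str]) -> List[dict]:
    """Collapse single rule hits into one event per endpoint, rule and window."""
    events = OrderedDict()
    for hit in sorted(hits, key=lambda h: h["time"]):
        if hit["rule"] not in reporting_rules:
            continue                            # rule is applied, but not reported
        start = enforced_at[hit["endpoint"]]
        index = (hit["time"] - start) // WINDOW  # whole windows since enforcement
        key = (hit["endpoint"], hit["rule"], index)
        event = events.get(key)
        if event is None:
            events[key] = {
                "endpoint": hit["endpoint"],
                "rule": hit["rule"],
                "action": hit["action"],
                "protocol": hit["protocol"],
                "window_start": start + index * WINDOW,
                "first_hit": hit["time"],       # time of the first rule hit
                "hits": 1,
            }
        else:
            event["hits"] += 1
    return list(events.values())


# Constructed sample: policy first enforced on host-a at 09:17, so its
# windows run 09:17-10:17, 10:17-11:17, and so on.
ENFORCED = {"host-a": datetime(2023, 5, 1, 9, 17)}
REPORTING = {"block-smb-in"}                    # "quiet-allow" has reporting disabled
HITS = [
    {"endpoint": "host-a", "rule": "block-smb-in", "action": "Block", "protocol": 6, "time": datetime(2023, 5, 1, 10, 5)},
    {"endpoint": "host-a", "rule": "block-smb-in", "action": "Block", "protocol": 6, "time": datetime(2023, 5, 1, 9, 20)},
    {"endpoint": "host-a", "rule": "quiet-allow", "action": "Allow", "protocol": 17, "time": datetime(2023, 5, 1, 9, 30)},
    {"endpoint": "host-a", "rule": "block-smb-in", "action": "Block", "protocol": 6, "time": datetime(2023, 5, 1, 10, 30)},
]


def sample_events() -> List[dict]:
    return aggregate(HITS, ENFORCED, REPORTING)
```

The 10:05 hit lands in the same event as the 09:20 hit because the window is anchored at 09:17, not at 10:00; a round-hour assumption would have split it into a second event. The quiet-allow hit never appears, which is why the detailed log file described in the next section is the only place to see traffic matched by non-reporting rules.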

Collect Detailed Log Files

To gain deeper visibility into all the host firewall activity that occurred on an endpoint, you can retrieve a log file listing all single actions the agent performed for all rules (whether set to Report Matched Traffic or not). The logs are stored in a cyclic 50MB file on the endpoint, which is constantly being re-written and overriding older logs. When you upload the file, the logs are loaded to the Host Firewall Events table. You can filter the table using the Event Source field to view only the aggregated periodic logs, or only non-aggregated on-demand logs.
To collect the log file, right-click the event containing the endpoint you are interested in and select Collect Detailed Host Firewall Logs. Alternatively, you can perform this action for multiple endpoints from Endpoints Administration.