Host Firewall

Control communications on your endpoints based on the network location of your device by using the Cortex XDR host firewall
The Cortex XDR host firewall enables you to control communications on your endpoints. To use the host firewall, you set rules that allow or block the traffic on the devices and apply them to your endpoints using Cortex XDR host firewall policy rules. Additionally, you can configure different sets of rules based on the current location of your endpoints - within or outside your organization network. The Cortex XDR host firewall rules leverage the operating system firewall APIs and enforce them on your endpoints.
Before you start applying host firewall policy rules, ensure you meet the following requirements and refer to these known limitations:
  • For Windows:
    • The endpoint is running a Cortex XDR agent 7.1 or later release.
    • You can apply Cortex XDR host firewall rules to both incoming and outgoing communication on the endpoint.
  • For Mac:
    • The endpoint is running a Cortex XDR agent 7.2 or later release.
    • You can apply Cortex XDR host firewall rules only to incoming communication on the endpoint.
    • You cannot configure the following Mac host firewall settings with the Cortex XDR host firewall:
      • Automatically allow built-in software to receive incoming connections.
      • Automatically allow downloaded signed software to receive incoming connections.
The Cortex XDR host firewall is not supported on Linux endpoints.
To configure the Cortex XDR host firewall in your network, follow this high-level workflow:

Enable Network Location Configuration

If you want to apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile.
When enabled, Cortex XDR performs the following to determine the endpoint location:
  1. A domain controller (DC) connectivity test to check whether the device is connected to the internal network or not. If the device is connected to the internal network, then it is in the organization. Otherwise, if the DC test failed or returned an external domain, Cortex XDR proceeds to a DNS connectivity test.
  2. In the DNS test, the Cortex XDR agent submits a DNS name that is known only to the internal network. If the DNS returned the pre-configured internal IP, then the device is within the organization. Otherwise, if the DNS IP cannot be resolved, then the device is located outside.
On every heartbeat, and whenever the Cortex XDR agent detects a network change on the endpoint, the agent re-runs the device location test and recalculates the policy for the new location.
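The two-step location test above, together with the choice between the internal and external rule sets it drives (the Location Based option in the profile steps), as an added Python model that is not Cortex XDR's own code: the DC test as a TCP connect on LDAP port 389, the corp.example names, the probe IP and the profile layout are constructed assumptions, and both probes are injectable so the decision logic can be exercised offline.

```python
"""Added model of the Cortex XDR location test and location-based rule choice.
Not Palo Alto Networks code: the DC probe as a TCP connect, the corp.example
names, the probe IP and the profile layout are assumptions for illustration."""
import socket
from typing import Callable

# Constructed values: a DC reachable on LDAP/389 from inside, and a DNS name
# only the internal resolver knows, with the internal IP it should return.
DC_HOST, DC_PORT = "dc01.corp.example", 389
PROBE_NAME, PROBE_IP = "location-probe.corp.example", "10.20.30.40"

def dc_reachable(host: str = DC_HOST, port: int = DC_PORT, timeout: float = 2.0) -> bool:
    """Step 1: DC connectivity test (modelled here as a TCP connect)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # unresolvable, refused or timed out: the test failed
        return False

def dns_probe_internal(name: str = PROBE_NAME, expected_ip: str = PROBE_IP) -> bool:
    """Step 2: the internal-only name must resolve to the pre-configured IP."""
    try:
        return socket.gethostbyname(name) == expected_ip
    except socket.gaierror:  # not resolvable: the device is outside
        return False

def endpoint_location(dc_test: Callable[[], bool] = dc_reachable,
                      dns_test: Callable[[], bool] = dns_probe_internal) -> str:
    """Run the DC test first; only if it fails, fall through to the DNS test."""
    if dc_test():
        return "internal"
    return "internal" if dns_test() else "external"

def active_rules(profile: dict, location: str) -> list:
    """A location-based profile picks its rule set by location; with the
    Location Based option disabled, the internal set applies everywhere."""
    if not profile.get("location_based", True):
        return profile["internal_rules"]
    return profile["internal_rules" if location == "internal" else "external_rules"]

if __name__ == "__main__":
    # Constructed profile: RDP allowed inside the organization, blocked outside.
    profile = {"location_based": True,
               "internal_rules": [{"action": "Allow", "direction": "Inbound", "port": 3389}],
               "external_rules": [{"action": "Block", "direction": "Inbound", "port": 3389}]}
    loc = endpoint_location()  # real probes; with no corp.example DNS this is "external"
    print(loc, active_rules(profile, loc))
```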

Add a New Host Firewall Profile

  1. Log in to Cortex XDR. Go to Endpoints > Policy Management > Extensions Profiles and select + New Profile. Select the Platform and click Host Firewall > Next.
  2. Fill in the general information for the new profile.
    • Assign a name and an optional description to the profile.
    • By default, host firewall profile rules are based on the current location of your device. Configure two sets of rules: a set of External Rules that apply when the device is located outside the internal organization network, and a set of Internal Rules that apply when the device is located within the internal organization network. If you disable the Location Based option, your policy applies the internal set of rules only, regardless of the device's location.
  3. Create host firewall rules.
    For Windows:
    Click + New Rule. A host firewall rule allows or blocks the communication to and/or from a Windows endpoint. You can fine-tune the rule by applying the action to the following parameters:
    • Action—Select whether to Allow or Block the communication on the endpoint.
    • Specific IPs and Ports—(Optional) Configure the rule for specific local or remote IPs and/or ports. You can also set a range of IP addresses.
    • Direction—Select the direction of the communication this rule applies to:
      • Inbound—Communication to the endpoint.
      • Outbound—Communication from the endpoint.
      • Both—The rule applies to both inbound and outbound communication.
    • Protocol—(Optional) Select a specific protocol you want this rule to apply to.
    • Path—(Optional) Enter the full path and name of a program you want the rule to apply to. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change.
    If the profile is location based, you can define both internal and external rules. You can also copy a rule from one set to the other.
    For Mac:
    1. Enable Host Firewall Management.
      Enable this option to allow Cortex XDR to manage the host firewall on your Mac endpoints.
    2. Configure the host firewall internal and external settings.
      The host firewall settings allow or block inbound communication on your Mac endpoints. You can fine-tune the settings using the following parameters:
      • Enable stealth mode—Hide your Mac endpoint from all TCP and UDP networks by enabling the Apple stealth mode on your endpoint.
      • Block all incoming connections—Select whether or not to block all incoming communication on the endpoint.
      • Application exclusions—Allow or block specific programs running on the endpoint using the Apple bundle ID.
      If the profile is location based, you can define both internal and external settings.
  4. Save your profile.
    When you're done, click Create to create your host firewall profile.

Apply Host Firewall Profiles to Your Endpoints

After you have defined the required host firewall profiles, you must configure the Protection Policies and enforce them on your endpoints. Cortex XDR applies Protection policies on endpoints from top to bottom, in the order you arranged them on the page. The first policy that matches the endpoint is applied. If no policies match, the default policy, which allows all communication to and from the endpoint, is applied.
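The top-to-bottom, first-match policy selection described above, as an added Python model that is not Cortex XDR's own code: the policy filters as key/value attribute matches and the endpoint attributes are constructed assumptions, and the extra check flags a policy that an earlier, broader policy in the hierarchy makes unreachable.

```python
"""Added model of Cortex XDR top-to-bottom policy matching for host firewall profiles.
Not Palo Alto Networks code: filters as attribute equality and the endpoint
attribute names are assumptions chosen to illustrate first-match ordering."""

# Constructed default: with no matching policy, all communication is allowed.
DEFAULT_POLICY = {"name": "Default", "profile": "allow-all"}

def matches(policy: dict, endpoint: dict) -> bool:
    """A policy matches when every filter key equals the endpoint's attribute.
    An empty filter matches every endpoint."""
    return all(endpoint.get(k) == v for k, v in policy.get("filter", {}).items())

def effective_policy(policies: list, endpoint: dict) -> dict:
    """Policies are evaluated in page order; the first match wins,
    otherwise the allow-all default applies."""
    for policy in policies:
        if matches(policy, endpoint):
            return policy
    return DEFAULT_POLICY

def shadowed_policies(policies: list) -> list:
    """Hierarchy check: a later policy can never win if an earlier policy's
    filter is a subset of its filter (every endpoint the later one matches
    was already claimed by the earlier, broader one)."""
    shadowed = []
    for i, later in enumerate(policies):
        later_items = set(later.get("filter", {}).items())
        for earlier in policies[:i]:
            if set(earlier.get("filter", {}).items()) <= later_items:
                shadowed.append(later["name"])
                break
    return shadowed

if __name__ == "__main__":
    # Constructed hierarchy: specific laptop policy above the broad Windows one.
    policies = [
        {"name": "Laptops", "filter": {"platform": "windows", "group": "laptops"},
         "profile": "hf-laptops"},
        {"name": "All Windows", "filter": {"platform": "windows"}, "profile": "hf-windows"},
    ]
    laptop = {"platform": "windows", "group": "laptops"}
    print(effective_policy(policies, laptop)["name"])          # Laptops
    print(shadowed_policies(list(reversed(policies))))         # ['Laptops']
```

Swapping the two policies puts the broad Windows policy first, so the laptop profile is never applied; that is the ordering mistake the drag-and-drop hierarchy step makes easy to introduce.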
  1. Log in to Cortex XDR. Go to Endpoints > Policy Management > Extensions Policy Rules and select + New Policy.
  2. Configure settings for the host firewall policy.
    1. Assign a policy name and optional description.
      The platform will automatically be assigned to Windows.
    2. Assign the host firewall profile you want to use in this rule.
    3. If desired, assign Device Configuration and/or Device Exceptions and/or Host Firewall profiles. If none are assigned, the default profiles will be applied.
    4. Click Next.
    5. Select the target endpoints on which to enforce the policy.
      Use filters or manual endpoint selection to define the exact target endpoints of the policy rules.
    6. Click Done.
    Alternatively, you can associate the host firewall profile with an existing policy. Right-click the policy and select Edit. Select the Host Firewall profile and click Next. If needed, you can edit other settings in the rule (such as target endpoints, description, and so on). When you're done, click Done.
  3. Configure the policy hierarchy.
    Drag and drop the policies in the desired order of execution.
  4. Save the policy hierarchy.
    After the policy is saved and applied to the agents, Cortex XDR enforces the host firewall policies in your environment.

Monitor the Host Firewall Activity on your Endpoint

To view only the communication events on the endpoint to which the Cortex XDR host firewall rules were applied, run the Cytool firewall show command.
Additionally, to monitor the communication on your endpoint, you can use the following operating system utilities:
  • Windows—Since the Cortex XDR host firewall leverages the Microsoft Windows Filtering Platform (WFP), you can use a monitoring tool such as Network Shell (netsh), the Microsoft Windows command-line utility, to monitor the network communication on the endpoint.
  • Mac—From the endpoint's System Preferences > Security and Privacy > Firewall > Firewall Options, you can view the list of blocked and allowed applications in the firewall. The Cortex XDR host firewall blocks only incoming communication on Mac endpoints, still allowing outbound communication initiated from the endpoint.
