Host Firewall for Windows
Control communications on your endpoints based on the network location of your device by using the Cortex XDR host firewall.
Enforce the Cortex XDR host firewall policy in your organization to control communications on your endpoints and gain visibility into your network connections. The host firewall policy consists of unique rules groups that are enforced hierarchically and can be reused across all host firewall profiles. The Cortex XDR host firewall rules are integrated with the Windows Security Center and leverage the operating system firewall APIs to enforce these rules on your endpoints; your operating system firewall settings themselves are not enforced. Once you deploy the host firewall, use the Host Firewall Events table to track the enforcement events in your organization.
To configure the Cortex XDR host firewall in your network, follow this high-level workflow:
- Ensure you meet the host firewall requirements and prerequisites.
- Create rule(s) within rule groups—Create host firewall rules groups that you can reuse across all host firewall profiles. Add rules to each group and prioritize the rules from top to bottom to create an enforcement hierarchy.
- Configure a profile—Select one or more rules groups into a host firewall enforcement profile that you later associate with an enforcement policy. The profile can enforce different rules when the endpoint is located within the organization’s internal network and when it is outside. Prioritize the groups within the profile from top to bottom to create an enforcement hierarchy.
- Configure a policy—Add your host firewall profile to a new or existing policy that will be enforced on selected target endpoints.
- Monitor and troubleshoot—View aggregated host firewall enforcement events, or all single host firewall activities the agent performed in your network. Cortex XDR Pro customers can also query the host firewall events using the new host_firewall_events dataset in XQL Search for data and network analysis.
Migration and Backwards Supportability
Host firewall is supported with Cortex XDR agents 7.1 or a later release. Starting with Cortex XDR 3.0 and Cortex XDR agent 7.5, new capabilities were added. Your existing host firewall rules and policies are migrated as follows:
- Any existing host firewall profile in Cortex XDR 2.9 is converted into a single rules group in Cortex XDR 3.0 and located on the Host Firewall Rules Groups page.
- If the existing profile contains both internal and external rules, then two groups are created: an external rules group and an internal rules group, and an internal/external suffix is added to the rule names respectively. For example, the internal rule rule-x is renamed rule-x-internal.
- Cortex XDR 3.0 host firewall includes new features which are supported only with Cortex XDR agents 7.5 and later, such as multiple IP addresses, reporting mode, and more. For an older agent release, existing host firewall rules remain unaffected. However, if you create a rule from Cortex XDR 3.0, or edit an already existing rule that was created in an old Cortex XDR release and add one of these unsupported parameters, the agent could display unexpected behavior and the host firewall policy will be disabled on the endpoint. As a result, all migrated rules are set not to report matching traffic by default and enforcement events are not included in the Host Firewall Events table.
Set Up the Host Firewall
Set up your rule groups and host firewall profile.
Create a Rules Group
Group rules into Rules Groups that you can reuse across all host firewall profiles. A host firewall group includes one or more unique host firewall rules. The rules are enforced according to their order of appearance within the group, from top to bottom. After you create a rules group, you can assign the group to a host firewall profile. When you edit, re-prioritize, disable, or delete a rule from a group, the change takes effect in all policies where this group is included. To support this scalability and structure, every rule in Cortex XDR is assigned a unique ID and must be contained within a group. Additionally, you can import existing firewall rules into Cortex XDR, or export them in JSON format.
- Create a group. From Endpoints > Host Firewall > Host Firewall Rules Groups, click +New Group on the upper bar.
- Fill in general information. Enter the name and an optional description. To enforce the rules within the group in all policies they are associated with, Enable the group. When Disabled, the group exists but is not enforced.
- Create rules within the rules group. Create rules within rules groups to allow or block traffic on the endpoint. Use a variety of parameters to fine tune your policy such as specific protocols, applications, services, and more. For every group, you need to create its own list of rules. Each rule is assigned a unique ID and can be associated with a single group only.
- A rule is always part of a rules group. It cannot stand on its own.
- A rule can belong to one rules group only and cannot be reused in different groups.
- Configure rule settings. A host firewall rule allows or blocks the communication to and/or from an endpoint. Enter the rule Name and optional Description, and select the Platforms you want to associate the rule with. Fine tune the rule by applying the action to the following parameters:
- Protocol—Select any of the 256 internet protocols:
- Any
- Custom
- TCP
- UDP
- ICMPv4
- ICMPv6
Once you select one of the available protocols or enter the protocol number, you can specify additional parameters per protocol as needed. For example, for TCP(6) you can set local and remote ports, whereas for ICMPv4(1) you can add the ICMP type and code. When selecting an ICMP protocol, you must enter the ICMP Type and Code. Without these values the ICMP protocol is ignored by the Windows and macOS Cortex XDR agents.
- Direction—Select the direction of the communication this rule applies to: Inbound communication to the endpoint, Outbound communication from the endpoint, or Both.
- Action—Select whether the rule action is to Allow or Block the communication on the endpoint.
- Local/Remote IP Address—Configure the rule for specific local or remote IP addresses and/or ports. You can set a single IP address, multiple IP addresses separated by a comma, a range of IP addresses separated by a hyphen, or a combination of these options.
- Depending on the platform you selected, define the Application, Service, and Bundle IDs of the Windows Settings and/or macOS Settings—Configure the rule for all applications/services or specific ones only by entering the full path and name. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change.
- Report Matched Traffic—When Enabled, enforcement events captured by this rule are reported periodically to Cortex XDR and displayed in the Host Firewall Events table, whether the rule is set to Allow or Block the traffic. When Disabled, the rule is applied but enforcement events are not reported periodically.
- Save rule. After you fill in all the details, you need to save the rule. If you know you need to create a similar rule, click Create another to save this rule and leave the specified parameters available for edit for the next rule. Otherwise, to save the rule and exit, click Create.
- Prioritize rules. The rules within the group are enforced by priority from top to bottom. By default, every new rule is added to the top of the already existing rules in the group, meaning it is assigned the highest priority and will be enforced first. To change the rule priority and order of enforcement within the group, click the rule priority number and drag the rule up or down the table to the proper row. Repeat this process to prioritize all the rules.
- Save. When you are done, click Create. The new rules group is created and can be associated with a host firewall profile.
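As an added illustration of how the rule parameters above combine (this is example code, not code from the Cortex XDR documentation or product), the following Python models one rule and checks a connection against it, covering the address format of the IP fields and the ICMP Type/Code requirement; the Rule fields and helper names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of one host firewall rule, for illustration only;
# the field names are assumptions, not the product's schema.
@dataclass
class Rule:
    action: str                # "Allow" or "Block"
    direction: str             # "Inbound", "Outbound" or "Both"
    protocol: int              # IANA protocol number; -1 stands for Any
    remote_ips: str = ""       # "" = any address; else the doc's address format
    remote_ports: tuple = ()   # () = any port
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def parse_ip_spec(spec):
    """Expand the doc's format (single IP, comma list, hyphen range, or a mix) to (lo, hi) pairs."""
    ranges = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        ends = [ipaddress.ip_address(p.strip()) for p in item.split("-", 1)]
        lo, hi = ends[0], ends[-1]
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {item}")
        ranges.append((lo, hi))
    return ranges

def ip_in_spec(ip, spec):
    """An empty spec matches any address; otherwise it must fall inside a range."""
    addr = ipaddress.ip_address(ip)
    ranges = parse_ip_spec(spec)
    return not ranges or any(lo <= addr <= hi for lo, hi in ranges
                             if lo.version == addr.version)

def is_enforceable(rule):
    """Doc caveat: an ICMPv4(1) or ICMPv6(58) rule without both Type and Code is ignored."""
    return rule.protocol not in (1, 58) or (
        rule.icmp_type is not None and rule.icmp_code is not None)

def rule_matches(rule, direction, protocol, remote_ip, remote_port=None, icmp=None):
    """True when every configured parameter of the rule fits the connection."""
    if not is_enforceable(rule) or rule.direction not in ("Both", direction):
        return False
    if rule.protocol not in (-1, protocol) or (
            rule.remote_ports and remote_port not in rule.remote_ports):
        return False
    if rule.protocol in (1, 58) and icmp != (rule.icmp_type, rule.icmp_code):
        return False
    return ip_in_spec(remote_ip, rule.remote_ips)
```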
Manage Rules Groups
After you create a group, you can perform additional actions. From Endpoints > Host Firewall > Host Firewall Rules Groups, click a group:
- View group data—From the Host Firewall Rules Groups table you can view details about all the existing rules groups in your organization. The table lists high level information about the group such as name, mode, and number of rules included. To view all rules within a group and all the profiles the group is associated with, click the expand icon.
- Edit group—Right-click the group and Edit its settings.
- Delete/Disable—To stop enforcing the rules within this group, right-click the group and Delete/Disable it. On the next heartbeat, its rules will be removed/disabled from all profiles this group is associated with.
- Import/Export group rules—Using a JSON file, you can import rules into the Cortex XDR host firewall or export them. Right-click the rule and Import/Export.
Manage Rules
After
you create a host firewall rule and assign it to a rules group,
you can manage the rule settings and enforcement as follows:
- View/Edit—Right-click the rule to view it or edit its parameters.
- Change priority—Change the rule priority within the group by dragging its row up and down the rules list.
- Delete/Disable—To stop enforcing the rule, you can right-click the rule and Delete/Disable it. On the next heartbeat, the rule will be removed/disabled in all profiles where this rules group is included.
Create a Host Firewall Profile
Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
- Create a profile. From Endpoints > Policy Management > Extensions, select + Add Profile or Import from File.
- Select the platform and Host Firewall, then click Next.
- Fill in General Information. Enter the profile name and optional description.
- Configure Report Settings. When the profile operates in report mode, Cortex XDR overrides all rules set to Block traffic. Instead, the traffic is allowed to go through, and the enforcement event is reported as Override Block. You can configure a profile in report mode if, for example, you need to test new block rules before you actually apply them.
- Configure Internal and External Rule Groups. To apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled, Cortex XDR enforces the host firewall rules based on the current location of the device within the internal organization network (Internal Rules), enabling you, for example, to enforce stricter rules when the device is outside the office and in a public place (External Rules). If you disable the Location Based option, your policy will apply the internal set of rules only, and that set will be applied to the device regardless of its location. Create a New Rule or add a rules group to the Internal/External Groups:
- Click +Add Group.
- Select one or more groups, and click Add. To quickly apply the exact same rules in both cases, select Add as external/internal rules groups as well.
- Review the rule group field details. The groups are listed according to the order of enforcement from top to bottom. To change this order, click on the group priority number and drag the group to the desired row. The table shows the following fields:
- Applicable Rules Count: Displays the number of rules in the specific group that are associated with the platform profile.
- Created by: Displays the email address of the user that created the rule.
- Creation Time: Date and time of when the rule was created.
- Description: Description of the rule, if available.
- Group ID: Unique rules group ID.
- Group Name: Name of the rules group.
- Mode: Displays whether the rules group is enabled or not.
- Modified by: Displays the email address of the last user that made changes to the group.
- Modification Time: Date and time of when the group was modified.
- (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.
- Allow or Block the Default Action for Inbound/Outbound Traffic in the profile if you want to allow all network connections that have not been matched to any other rule in the profile.
- Save the profile. When you are done, click Create. You can now configure a host firewall policy.
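To make the enforcement order of a profile concrete, here is an added Python simulation that is not part of the original documentation or the product: it selects the internal or external groups by device location, walks groups and rules top to bottom, falls back to the profile's default action when nothing matches, and applies the Override Block behaviour of report mode. The profile layout, group names and rule names are constructed for this example.

```python
# Constructed simulator of the enforcement order the doc describes: the
# profile picks its internal or external groups by device location, walks
# groups top to bottom and rules top to bottom, takes the first match, and
# otherwise applies the profile's default action. Names are illustrative.

def field_matches(rule, conn, key):
    """A rule value of Any matches anything; Both matches either direction."""
    wanted = rule[key]
    return wanted in ("Any", conn[key]) or (key == "direction" and wanted == "Both")

def first_match(groups, conn):
    """Return (group, rule) for the first enabled rule that fits the connection."""
    for group in groups:
        if not group["enabled"]:
            continue
        for rule in group["rules"]:
            if not rule.get("disabled") and all(
                    field_matches(rule, conn, k) for k in ("direction", "protocol", "remote_ip")):
                return group, rule
    return None, None

def evaluate(profile, conn, on_internal_network):
    """Return (effective action, reported event or None) for one connection."""
    external = profile["location_based"] and not on_internal_network
    groups = profile["external_groups" if external else "internal_groups"]
    group, rule = first_match(groups, conn)
    if rule is None:   # nothing matched: default action for this direction
        return profile["default_" + conn["direction"].lower()], None
    action = event_action = rule["action"]
    if profile["report_mode"] and action == "Block":   # report mode lets it through
        action, event_action = "Allow", "Override Block"
    event = None
    if rule["report_matched_traffic"]:   # only reporting rules produce events
        event = {"group": group["name"], "rule": rule["name"], "action": event_action}
    return action, event

PROFILE = {   # constructed sample profile, not an export from the product
    "report_mode": False, "location_based": True,
    "default_inbound": "Block", "default_outbound": "Allow",
    "internal_groups": [{"name": "corp-admin", "enabled": True, "rules": [
        {"name": "allow-rdp-from-jump", "action": "Allow", "direction": "Inbound",
         "protocol": "TCP", "remote_ip": "10.1.1.5", "report_matched_traffic": False}]}],
    "external_groups": [{"name": "public-lockdown", "enabled": True, "rules": [
        {"name": "block-all-inbound", "action": "Block", "direction": "Inbound",
         "protocol": "Any", "remote_ip": "Any", "report_matched_traffic": True}]}],
}
```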
Manage Policy Rules
After you create the host firewall extensions profile, you can perform additional actions. The changes take effect on the next heartbeat. From Endpoints > Policy Management > Extensions > Policy Rules, right-click to:
- Edit—Change the profile settings and Save. The change takes effect in all policies enforcing this profile.
- Delete—The profile is deleted from all policies it was associated with, while the rules groups are not deleted and are still available in Cortex XDR.
- Save As New—Duplicate the profile, edit, and save as new.
- Export Profile—Select one or more policies, right-click and select Export Policies. You can choose to include the associated Policy Targets, Global Exceptions, and endpoint groups.
Create a Host Firewall Policy
After you define the required host firewall profiles, configure host firewall policies that will be enforced on your target endpoints. You can associate the profile with an existing policy, or create a new one.
- Create a policy. From Endpoints > Policy Management > Extensions > Policy Rules, click +New Policy or Import from File. When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:
- New rules are added to the top of the list.
- Default rules override the default rule in the target tenant.
- Rules without a defined target are disabled until a target is specified.
- Fill in general information. Enter the policy name, description, and platform. Click Next.
- Select profile. Select the desired profile for host firewall from the drop-down list, and any other profiles you want to include in this policy. Click Next.
- Select endpoints. Select the target endpoints on which to enforce the policy. Use filters or manual endpoint selection to define the exact target endpoints of the policy. Click Done.
- Configure policy hierarchy. Drag and drop the policies in the desired order of execution, from top to bottom.
- Save the policy. After the policy is saved and applied to the agents, Cortex XDR enforces the host firewall policies in your environment.
Monitor Host Firewall Activity in Your Network
The Host Firewall Events table provides an aggregated view of the host firewall enforcement events in your network. An enforcement event represents the number of rule hits per endpoint in 60 minutes.
- The data is aggregated and reported periodically every 60 minutes since the first time the host firewall policy was enforced on the endpoint, not every round hour.
- The table lists enforcement events only for rules set to Report Matching Traffic.
Every enforcement event includes additional data such as the time of the first rule hit, the rule action, protocol, and more.
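The 60-minute aggregation described above, as an added Python example that is not part of the original documentation or the product; the hit record layout, endpoint names, rule names and times are constructed, and the example shows why a window anchored at the first enforcement time groups hits differently from a round-hour window.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)

# Constructed per-hit records as an agent might keep them locally (not the
# product's log format); endpoint names, rule names and times are made up.
HITS = [
    {"ep": "WS-01", "rule": "block-smb-in", "act": "Block", "proto": "TCP", "report": True, "ts": "2023-05-01T09:45:00"},
    {"ep": "WS-01", "rule": "allow-dns-out", "act": "Allow", "proto": "UDP", "report": False, "ts": "2023-05-01T10:05:00"},
    {"ep": "WS-01", "rule": "block-smb-in", "act": "Block", "proto": "TCP", "report": True, "ts": "2023-05-01T10:20:00"},
    {"ep": "WS-01", "rule": "block-smb-in", "act": "Block", "proto": "TCP", "report": True, "ts": "2023-05-01T10:50:00"},
    {"ep": "WS-02", "rule": "block-smb-in", "act": "Block", "proto": "TCP", "report": True, "ts": "2023-05-01T08:30:00"},
]
# When the host firewall policy was first enforced on each endpoint (constructed).
ENFORCED_AT = {"WS-01": "2023-05-01T09:40:00", "WS-02": "2023-05-01T08:05:00"}

def aggregate(hits, enforced_at):
    """Fold hits into enforcement events: one per endpoint, rule and 60-minute
    window counted from the first enforcement time on that endpoint, not from
    the round hour. Hits of rules without Report Matched Traffic are dropped."""
    events = {}
    for h in hits:
        if not h["report"]:
            continue
        ts = datetime.fromisoformat(h["ts"])
        start = datetime.fromisoformat(enforced_at[h["ep"]])
        window = (ts - start) // WINDOW          # 0 = first hour after enforcement
        key = (h["ep"], h["rule"], window)
        ev = events.setdefault(key, {
            "endpoint": h["ep"], "rule": h["rule"], "action": h["act"],
            "protocol": h["proto"], "window_start": start + window * WINDOW,
            "first_hit": ts, "hits": 0})
        ev["hits"] += 1
        ev["first_hit"] = min(ev["first_hit"], ts)
    return sorted(events.values(), key=lambda e: (e["endpoint"], e["window_start"]))

def hit_counts(hits, enforced_at):
    """Compact view: hits per (endpoint, rule, window start)."""
    return {(e["endpoint"], e["rule"], e["window_start"].isoformat()): e["hits"]
            for e in aggregate(hits, enforced_at)}
```

With the sample data, the 09:45 and 10:20 hits on WS-01 land in the same window (09:40 to 10:40) even though they fall in different clock hours, while the 10:50 hit starts a new event.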
Collect Detailed Log Files
To gain deeper visibility into all the host firewall activity that occurred on an endpoint, you can retrieve a log file listing all single actions the agent performed for all rules (whether set to Report Matched Traffic or not). The logs are stored in a cyclic 50MB file on the endpoint, which is constantly being re-written and overriding older logs. When you upload the file, the logs are loaded to the Host Firewall Events table. You can filter the table using the Event Source field to view only the aggregated periodic logs, or only non-aggregated on-demand logs. To collect the log file, right-click the event containing the endpoint you are interested in and select Collect Detailed Host Firewall Logs. Alternatively, you can perform this action for multiple endpoints from Endpoints > Administration.