Host Firewall for Windows
Control communications on your endpoints based on the network location of your device by using the Cortex® XDR™ host firewall.
Enforce the Cortex XDR host firewall policy in your organization to control communications on your endpoints and gain visibility into your network connections. The host firewall policy consists of unique rules groups that are enforced hierarchically and can be reused across all host firewall profiles. The Cortex XDR host firewall rules are integrated with the Windows Security Center and leverage the operating system firewall APIs to enforce these rules on your endpoints; the operating system's own firewall settings are not enforced. Once you deploy the host firewall, use the Host Firewall Events table to track the enforcement events in your organization.
To configure the Cortex XDR host firewall in your network, follow this high-level workflow:
- Create rule(s) within rule groups—Create host firewall rules groups that you can reuse across all host firewall profiles. Add rules to each group and prioritize the rules from top to bottom to create an enforcement hierarchy.
- Configure a profile—Select one or more rules groups into a host firewall enforcement profile that you later associate with an enforcement policy. The profile can enforce different rules when the endpoint is located within the organization’s internal network, and when it is outside. Prioritize the groups within the profile from top to bottom to create an enforcement hierarchy.
- Configure a policy—Add your host firewall profile to a new or existing policy that will be enforced on selected target endpoints.
- Monitor and troubleshoot—View aggregated host firewall enforcement events, or all single host firewall activities the agent performed in your network. Cortex XDR Pro customers can also query the host firewall events using the new host_firewall_events dataset in XQL Search for data and network analysis.
Migration and Backwards Supportability
Host firewall is supported with Cortex XDR agents 7.1 or a later release. Starting with Cortex XDR 3.0 and Cortex XDR agent 7.5, new capabilities were added. Your existing host firewall rules and policies are migrated as follows:
- Any existing host firewall profile in Cortex XDR 2.9 is converted into a single rules group in Cortex XDR 3.0 and located on the Host Firewall Rules Groups page.
- If the existing profile contains both internal and external rules, then two groups are created: an external rules group and an internal rules group, and the rule names receive an internal/external suffix respectively. For example, internal rule-x is renamed rule-x-internal.
- Cortex XDR 3.0 host firewall includes new features which are supported only with Cortex XDR agents 7.5 and later, such as multiple IP addresses, reporting mode, and more. For an older agent release, existing host firewall rules remain unaffected. However, if you create a rule from Cortex XDR 3.0, or edit an already existing rule that was created in an old Cortex XDR release and add one of these unsupported parameters, the agent could display unexpected behavior and the host firewall policy will be disabled on the endpoint. As a result, all migrated rules are set not to report matching traffic by default, and their enforcement events are not included in the Host Firewall Events table.
Set Up the Host Firewall
Set up your rule groups and host firewall profile.
Create a Rules Group
Group rules into Rules Groups that you can reuse across all host firewall profiles. A host firewall group includes one or more host firewall unique rules. The rules are enforced according to their order of appearance within the group, from top to bottom. After you create a rules group, you can assign the group to a host firewall profile. When you edit, re-prioritize, disable, or delete a rule from a group, the change takes effect in all policies where this group is included. To support this scalability and structure, every rule in Cortex XDR is assigned a unique ID and must be contained within a group. Additionally, you can import existing firewall rules into Cortex XDR, or export them in JSON format.
- Create a group. From Endpoints > Host Firewall > Host Firewall Rules Groups, click + New Group on the upper bar.
- Fill in general information. Enter the rule name and optional description. To enforce the rules within the group in all policies they are associated with, Enable the group. When Disabled, the group exists but is not enforced.
- Create rules within the rules group.Create rules within rules groups to allow or block traffic on the endpoint. Use a variety of parameters to fine tune your policy such as specific protocols, applications, services, and more. For every group, you need to create its own list of rules. Each rule is assigned a unique ID and can be associated with a single group only.
- A rule is always part of a rules group. It cannot stand on its own.
- A rule can belong to one rules group only and cannot be reused in different groups.
- Configure rule settings. A host firewall rule allows or blocks the communication to and/or from an endpoint. Enter the rule Name, optional Description, and select the Platforms you want to associate the rule with. Fine tune the rule by applying the action to the following parameters:
- Protocol—Select any of the 256 internet protocols.
Once you select one of the available protocols or enter the protocol number, you will be able to specify additional parameters per protocol as needed. For example, for TCP(6) you can set local and remote ports, whereas for ICMPv4(1) you can add the ICMP type and code. When selecting the ICMP protocol, you must enter the ICMP Type and Code. Without these values the ICMP rule is ignored by the Windows and macOS Cortex XDR agents.
- Direction—Select the direction of the communication this rule applies to: Inbound communication to the endpoint, Outbound communication from the endpoint, or Both.
- Action—Select whether the rule action is to Allow or Block the communication on the endpoint.
- Local/Remote IP Address—Configure the rule for specific local or remote IP addresses and/or ports. You can set a single IP address, multiple IP addresses separated by a comma, a range of IP addresses separated by a hyphen, or a combination of these options.
- Depending on the platform you selected, define the Application, Service, and Bundle IDs of the Windows Settings and/or macOS Settings—Configure the rule for all applications/services or for specific ones only by entering the full path and name. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change.
- Report Matched Traffic—When Enabled, enforcement events captured by this rule are reported periodically to Cortex XDR and displayed in the Host Firewall Events table, whether the rule is set to Allow or Block the traffic. When Disabled, the rule is applied but enforcement events are not reported periodically.
- Save rule. After you fill in all the details, you need to save the rule. If you know you need to create a similar rule, click Create another to save this rule and leave the specified parameters available for edit for the next rule. Otherwise, to save the rule and exit, click Create.
- Prioritize rules.The rules within the group are enforced by priority from top to bottom. By default, every new rule is added to the top of the already existing rules in the group, meaning it is assigned the highest priority and will be enforced first. To change the rules priority and order of enforcement within the group, click the rule priority number and drag the rule up or down the table to the proper row. Repeat this process to prioritize all the rules.
- Save. When you are done, click Create. The new rules group is created and can be associated with a host firewall profile.
Manage Rules Groups
After you create a group, you can perform additional actions. From Host Firewall Rules Groups, click a group:
- View group data—From the Host Firewall Rules Groups table you can view details about all the existing rules groups in your organization. The table lists high level information about the group such as name, mode, and number of rules included. To view all rules within a group and all the profiles the group is associated with, click the expand icon.
- Edit group—Right-click the group and Edit its settings.
- Delete/Disable—To stop enforcing the rules within this group, right-click the group and Delete/Disable it. On the next heartbeat, its rules will be removed/disabled from all profiles this group is associated with.
- Import/Export group rules—Using a JSON file, you can import rules into the Cortex XDR host firewall or export them. Right-click the group and Import/Export.
After you create a host firewall rule and assign it to a rules group, you can manage the rule settings and enforcement as follows:
- View/Edit—Right-click the rule to view it or edit its parameters.
- Change priority—Change the rule priority within the group by dragging its row up and down the rules list.
- Delete/Disable—To stop enforcing the rule, you can right-click the rule and Delete/Disable it. On the next heartbeat, the rule will be removed/disabled in all profiles where this rules group is included.
Create a Host Firewall Profile
Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.
- Create a profile. From Endpoints > Policy Management > Extensions > Profile, click + New Profile. Select the platform and Host Firewall, and click Next.
- Fill in General Information. Enter the profile name and optional description.
- Configure Report Settings. When the profile operates in report mode, Cortex XDR overrides all rules set to Block traffic. Instead, the traffic is allowed to go through, and the enforcement event is reported as Override Block. You can configure a profile in report mode if, for example, you need to test new block rules before you actually apply them.
- Configure Internal and External Rule Groups. To apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled, Cortex XDR enforces the host firewall rules based on the current location of the device within the internal organization network (Internal Rules), enabling you, for example, to enforce stricter rules when the device is outside the office and in a public place (External Rules). If you disable the Location Based option, your policy applies the internal set of rules only, regardless of the device's location. Create a New Rule or add a rules group to the Internal/External Groups:
- Click + Add Group.
- Select one or more groups, and click Add. To quickly apply the exact same rules in both cases, select Add as external/internal rules groups as well.
- Review the rule group field details. The groups are listed according to the order of enforcement from top to bottom. To change this order, click the group priority number and drag the group to the desired row. The fields are:
- Applicable Rules Count—Displays the number of rules in the specific group that are associated with the platform profile.
- Created by—Displays the email address of the user that created the rule.
- Creation Time—Date and time of when the rule was created.
- Description—Description of the rule, if available.
- Group ID—Unique rules group ID.
- Group Name—Name of the rules group.
- Mode—Displays whether the rules group is enabled or not.
- Modified by—Displays the email address of the last user that made changes to the group.
- Modification Time—Date and time of when the group was modified.
- (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.
- Set the Default Action for Inbound/Outbound Traffic in the profile to Allow or Block. The default action applies to all network connections that have not been matched by any other rule in the profile.
- Save the profile. When you are done, click Create. You can now configure a host firewall policy.
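As an added example that is not Cortex XDR code, the following Python model walks through how a profile resolves a connection under the rules described above: groups and then rules are evaluated top to bottom, the first match wins, internal or external groups are chosen by device location, report mode turns a Block into Override Block, an ICMP rule without Type and Code is ignored, and the profile default action covers unmatched traffic. The rule fields and the sample rules are simplified assumptions, not the product's schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                     # "Allow" or "Block"
    direction: str                  # "Inbound", "Outbound" or "Both"
    protocol: int                   # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMPv4
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None # ICMP rules need Type and Code or are ignored
    icmp_code: Optional[int] = None
    enabled: bool = True
@dataclass
class Group:
    name: str
    rules: list                     # top of the list = highest priority
    enabled: bool = True            # a Disabled group exists but is not enforced
@dataclass
class Profile:
    internal: list                  # groups enforced on the internal network
    external: list                  # groups enforced elsewhere (if location based)
    default_action: str = "Block"   # applies to connections no rule matched
    location_based: bool = True
    report_mode: bool = False

def matches(rule, direction, protocol, remote_port):
    if not rule.enabled or rule.protocol != protocol:
        return False
    if rule.direction not in ("Both", direction):
        return False
    if protocol == 1 and None in (rule.icmp_type, rule.icmp_code):
        return False                # ICMP without Type and Code is ignored by the agent
    return rule.remote_port in (None, remote_port)

def evaluate(profile, on_internal, direction, protocol, remote_port=None):
    """Return (verdict, rule name or 'default'); first matching rule wins."""
    use_internal = on_internal or not profile.location_based
    groups = profile.internal if use_internal else profile.external
    for group in groups:
        for rule in (group.rules if group.enabled else []):
            if matches(rule, direction, protocol, remote_port):
                if rule.action == "Block" and profile.report_mode:
                    return "Override Block", rule.name   # reported, not enforced
                return rule.action, rule.name
    return profile.default_action, "default"

# Constructed sample: one group reused in both locations plus a stricter external-only group.
COMMON = Group("common", [Rule("allow-dns", "Allow", "Outbound", 17, remote_port=53),
                          Rule("icmp-no-type", "Block", "Both", 1)])   # ignored: no Type/Code
STRICT = Group("external-only", [Rule("block-smb", "Block", "Both", 6, remote_port=445)])
SAMPLE = Profile(internal=[COMMON], external=[STRICT, COMMON], default_action="Allow")
```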
After you create the host firewall extensions profile, you can perform additional actions. The changes take effect on the next heartbeat. From Endpoints > Policy Management > Extensions > Profile, you can:
- Edit profile—Right-click the profile and Edit. Change the profile settings and Save. The change takes effect in all policies enforcing this profile.
- Delete profile—Right-click the profile and Delete. The profile is deleted from all policies it was associated with, while the rules groups are not deleted and are still available in Cortex XDR.
Create a Host Firewall Policy
After you define the required host firewall profiles, configure host firewall policies that will be enforced on your target endpoints. You can associate the profile with an existing policy, or create a new one.
- Create a policy. From Endpoints > Policy Management > Extensions > Policy Rules, click + New Policy.
- Fill in general information. Enter the policy name, description, and platform. Click Next.
- Select profile. Select the desired profile for host firewall from the drop-down list, and any other profiles you want to include in this policy. Click Next.
- Select endpoints. Select the target endpoints on which to enforce the policy. Use filters or manual endpoint selection to define the exact target endpoints of the policy. Click Done.
- Configure policy hierarchy.Drag and drop the policies in the desired order of execution, from top to bottom.
- Save the policy.After the policy is saved and applied to the agents, Cortex XDR enforces the host firewall policies in your environment.
Monitor Host Firewall Activity in Your Network
The Host Firewall Events table provides an aggregated view of the host firewall enforcement events in your network. An enforcement event represents the number of rule hits per endpoint in 60 minutes.
- The data is aggregated and reported periodically every 60 minutes, counted from the first time the host firewall policy was enforced on the endpoint, not on round clock hours.
- The table lists enforcement events only for rules set to Report Matched Traffic.
Every enforcement event includes additional data such as the time of the first rule hit, the rule action, protocol, and more.
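As an added example that is not Cortex XDR code, this Python snippet aggregates individual rule hits into the kind of enforcement event described above: one event per endpoint, rule and 60-minute window, where windows are counted from the time the policy was first enforced on that endpoint, and only rules set to Report Matched Traffic produce events. The hit records, their fields and the first-enforcement times are constructed assumptions, not the agent's real log layout.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)

# Constructed sample hits: (timestamp, endpoint, rule name, action, IP protocol number)
SAMPLE_HITS = [
    ("2024-05-01T09:17:00", "host-a", "block-smb", "Block", 6),
    ("2024-05-01T09:42:00", "host-a", "block-smb", "Block", 6),
    ("2024-05-01T10:05:00", "host-a", "block-smb", "Block", 6),   # 55 min in: same window
    ("2024-05-01T10:20:00", "host-a", "block-smb", "Block", 6),   # 70 min in: next window
    ("2024-05-01T10:31:00", "host-a", "allow-dns", "Allow", 17),  # rule does not report
    ("2024-05-01T09:30:00", "host-b", "block-smb", "Block", 6),
]
# Rules with Report Matched Traffic enabled; other rules are enforced but not reported.
REPORTING_RULES = {"block-smb"}
# Constructed: when the host firewall policy was first enforced on each endpoint.
FIRST_ENFORCED = {
    "host-a": datetime.fromisoformat("2024-05-01T09:10:00"),
    "host-b": datetime.fromisoformat("2024-05-01T09:00:00"),
}

def parse(ts):
    return datetime.fromisoformat(ts)

def aggregate(hits, reporting_rules, first_enforced):
    """Return one event dict per (endpoint, rule, 60-minute window since first enforcement)."""
    events = {}
    for ts, endpoint, rule, action, proto in sorted(hits):
        if rule not in reporting_rules:
            continue                                  # not reported periodically
        t = parse(ts)
        start = first_enforced[endpoint]
        n = (t - start) // WINDOW                     # window index, not the clock hour
        key = (endpoint, rule, n)
        if key not in events:
            events[key] = {"endpoint": endpoint, "rule": rule, "action": action,
                           "protocol": proto, "window_start": start + n * WINDOW,
                           "first_hit": t, "hits": 0}
        events[key]["hits"] += 1
    return list(events.values())
```

The allow-dns hit is dropped here only because its rule does not report; on the endpoint the rule is still enforced.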
Collect Detailed Log Files
To gain deeper visibility into all the host firewall activity that occurred on an endpoint, you can retrieve a log file listing all single actions the agent performed for all rules (whether set to Report Matched Traffic or not). The logs are stored in a cyclic 50MB file on the endpoint, which is constantly being rewritten, overwriting older logs. When you upload the file, the logs are loaded to the Host Firewall Events table. You can filter the table using the Event Source field to view only the aggregated periodic logs, or only the non-aggregated on-demand logs.
To collect the log file, right-click the event containing the endpoint you are interested in and select Collect Detailed Host Firewall Logs. Alternatively, you can perform this action for multiple endpoints from