1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ Pro Administrator’s Guide
    5. Endpoint Security
    6. Hardened Endpoint Security
    7. Host Firewall

    Host Firewall

    Control communications on your endpoints based on the network location of your device by using the Cortex® XDR™ host firewall.
    The Cortex XDR host firewall enables you to control communications on your endpoints. To use the host firewall, you set rules that allow or block the traffic on the devices and apply them to your endpoints using Cortex XDR host firewall policy rules. Additionally, you can configure different sets of rules based on the current location of your endpoints - within or outside your organization network. The Cortex XDR host firewall rules leverage the operating system firewall APIs and enforce these rules on your endpoints, but not your Windows or Mac firewall settings.
    The following are prerequisites to apply Cortex XDR host firewall policy rules on your endpoints:
    Platform
    Requirements and Limitations
    Windows
    • Cortex XDR agent 7.1 or a later release.
    • Cortex XDR host firewall rules can apply to both incoming and outgoing communication on the endpoint.
    Mac
    • Cortex XDR agent 7.2 or a later release.
    • Cortex XDR Host Firewall is not supported on endpoints running macOS 11.0 and later releases.
    • Cortex XDR host firewall rules can apply only to incoming communication on the endpoint.
    • After you disable or remove the Cortex XDR host-firewall policy on the endpoint, the system firewall on the endpoint is disabled.
    • You cannot configure the following Mac host firewall settings with the Cortex XDR host firewall:
      • Automatically allow built-in software to receive incoming connections.
      • Automatically allow downloaded signed software to receive incoming connections.
    Linux
    Not supported.
    To configure the Cortex XDR host firewall in your network, follow this high-level workflow:

    Enable Network Location Configuration

    If you want to apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile.
    When enabled, Cortex XDR performs the following to determine the endpoint location:
    1. A domain controller (DC) connectivity test to check whether the device is connected to the internal network or not. If the device has access to
      LDAP://rootDSE
       then it is in the organization. Otherwise, if the DC test failed or returned an external domain, Cortex XDR proceeds to a DNS connectivity test.
    2. In the DNS test, the Cortex XDR agent submits a DNS name that is known only to the internal network. If the DNS returned the pre-configured internal IP, then the device is within the organization. Otherwise, if the DNS IP cannot be resolved, then the device is located outside.
    In every heartbeat, and if the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and re-calculates the policy according to the new location.

    Add a New Host Firewall Profile

    1. Log in to Cortex XDR.
      Go to
      Endpoints
      Policy Management
      Extensions Profiles
       and select
      + New Profile
      . Select the
      Platform
       and click
      Host Firewall
      Next
    2. Fill-in the general information for the new profile.
      • Assign a name and an optional description to the profile.
      • By default, host firewall profile rules are based on the current location of your device. Configure two sets of rules: a set of
        External Rules
         that apply when the device is located outside the internal organization network, and a set of
        Internal Rules
         that apply when the device is located within the internal organization network. If you disable the
        Location Based
         option, your policy will apply the internal set of rules only, and that will be applied to the device regardless of its location.
    3. Create host firewall rules.
      For Windows:
      Click
      +New Rule
      . A host firewall rule allows or blocks the communication to and/or from a Windows endpoint. You can fine tune the rule by applying the action to the following parameters:
      • Action
        —Select whether to
        Allow
         or
        Block
         the communication on the endpoint.
      • Specific IPs and Ports
        —(
        Optional
        ) Configure the rule for specific local or remote IPs and/or Ports. You can also set a range of IP addresses.
      • Direction
        —Select the direction of the communication this rule applies to:
        • Inbound
          —Communication to the endpoint.
        • Outbound
          —Communication from the endpoint.
        • Both
          —The rule applies to both inbound and outbound communication.
      • Protocol
        —(
        Optional
        ) Select a specific protocol you want this rule to apply to.
      • Path
        —(
        Optional
        ) Enter the full path and name of a program you want the rule to apply to. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change.
      If the profile is location based, you can define both internal and external rules. You can also copy a rule from one set to another.
      For Mac:
      1. Enable Host Firewall Management.
        Enable this option to allow Cortex XDR to manage the host firewall on your Mac endpoints.
      2. Configure the host firewall internal and external settings.
        The host firewall settings allow or block inbound communication on your Mac endpoints. You can fine tune the rule by applying the action to the following parameters:
        • Enable stealth mode
          —Hide your mac endpoint from all TCP and UDP networks by enabling the Apple Stealth mode on your endpoint.
        • Block all incoming connections
          —Select where to block all incoming communications on the endpoint or not.
        • Application exclusions
          —Allow or block specific programs running on the endpoint using Apple BundleID.
        If the profile is location based, you can define both internal and external settings.
    4. Save your profile.
      When you’re done,
      Create
       your host firewall profile.

    Apply Host Firewall Profiles to Your Endpoints

    After you defined the required host firewall profiles, you must configure the Protection Policies and enforce them on your endpoints. Cortex XDR applies Protection policies on endpoints from top to bottom, as you’ve ordered them on the page. The first policy that matches the endpoint is applied. If no policies match, the default policy that enables all communication to and form the endpoint is applied.
    1. Log in to Cortex XDR.
      Go to
      Endpoints
      Policy Management
      Extensions Policy Rules
      +New Policy
      .
    2. Configure settings for the host firewall policy.
      1. Assign a policy name and optional description.
        The platform will automatically be assigned to Windows.
      2. Assign the host firewall profile you want to use in this rule.
      3. If desired, assign
        Device Configuration
         and/or
        Device Exceptions
         and or
        Host Firewall
         profiles. If none are assigned, the default profiles will be applied.
      4. Click
        Next
        .
      5. Select the target endpoints on which to enforce the policy.
        Use filters or manual endpoint selection to define the exact target endpoints of the policy rules.
      6. Click
        Done
        .
      Alternatively, you can associate the host firewall profile to an existing policy. Right-click the policy and select
      Edit
      . Select the
      Host Firewall
       profile and click
      Next
      . If needed, you can edit other settings in the rule (such as target endpoints, description, etc.) When you’re done, click
      Done
    3. Configure policy hierarchy.
      Drag and drop the policies in the desired order of execution.
    4. Save
       the policy hierarchy.
      After the policy is saved and applied to the agents, Cortex XDR enforces the host firewall policies on your environment.

    Monitor the Host Firewall Activity on your Endpoint

    T to view only the communication events on the endpoint to which the Cortex XDR host firewall rules were applied, you can run the
    Cytool firewall show
     command.
    Additionally, to monitor the communication on your endpoint, you can use the following operating system utilities:
    • Windows
      —Since the Cortex XDR Host Firewall leverages the Microsoft Windows Filtering Platform (WFP), you can use a monitoring tool such as Network Shell (netsh), the Microsoft Windows command-line utility to monitor the network communication on the endpoint.
    • Mac
      —From the endpoint
      System Preferences
      Security and Privacy
      Firewall
      Firewall options
      , you can view the list of blocked and allowed applications in the firewall. The Cortex XDR host firewall blocks only incoming communications on Mac endpoints, still allowing outbound communication initiated from the endpoint.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo