Host Firewall for macOS - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

Control communications on your endpoints based on the network location of your device by using the host firewall.

The Cortex XSIAM host firewall enables you to control communications on your endpoints. To use the host firewall, you define rules that allow or block traffic on the devices and apply them to your endpoints through Cortex XSIAM host firewall policy rules. You can also configure different sets of rules based on the current location of your endpoints, within or outside your organization network. The Cortex XSIAM host firewall rules are enforced on your endpoints through the operating system firewall APIs; they are separate from the settings of the built-in Windows or Mac firewall.

To configure the Cortex XSIAM host firewall in your network, follow this high-level workflow. Ensure you meet the host firewall requirements.

Enable Network Location Configuration

If you want to apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. On every heartbeat, and whenever the Cortex XDR agent detects a network change on the endpoint, the agent runs the device location test and recalculates the policy for the new location.

Add a New Host Firewall Profile

Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also make a profile location based, so that different rules groups apply inside and outside your internal network. When you edit, re-prioritize, disable, or delete a rules group in a profile, the change takes effect on the next heartbeat in all policies that include this profile.

Rules created on macOS 10 with Cortex XDR agent 7.5 and earlier are managed only under Legacy Host Firewall Rules and do not appear in the Rule Groups tables.

  1. From Endpoints → Policy Management → Extensions → Profiles, select + New Profile or Import from File. Select the Platform, select Host Firewall, and click Next.

  2. Fill-in the General Information for the new profile.

    Assign a Profile Name and optional description to the profile.

  3. Define your Report Settings.

    When the profile operates in report mode, Cortex XSIAM overrides every rule whose action is Block: the traffic is allowed through, and the enforcement event is reported as Override Block. Use report mode, for example, to test new block rules and see what they would have blocked before you enforce them.

  4. Configure Internal and External Rule Groups.

    To apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled, Cortex XSIAM enforces the host firewall rules according to whether the device is currently inside the internal organization network (Internal Rules) or outside it (External Rules), so you can, for example, enforce stricter rules when the device is outside the office or on a public network. If you disable the Location Based option, the profile applies the internal set of rules only, regardless of the device location.

    Create a New Rule or add a rules group to the Internal/External Groups.

    1. Click +Add Group.

    2. Select one or more groups, and click Add.

      To quickly apply the exact same rules in both cases, select Add as external/internal rules groups as well.

    3. Review the rule group field details.

      The groups are listed according to the order of enforcement from top to bottom. To change this order, click on the group priority number and drag the group to the desired row.

      Field: Description

      Applicable Rules Count: Number of rules in the group that apply to the platform of the profile.

      Created by: Email address of the user who created the rules group.

      Creation Time: Date and time the rules group was created.

      Description: Description of the rules group, if available.

      Group ID: Unique ID of the rules group.

      Group Name: Name of the rules group.

      Mode: Whether the rules group is enabled or disabled.

      Modified by: Email address of the last user who changed the rules group.

      Modification Time: Date and time the rules group was last modified.

    4. (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.

      Rules that combine the Any protocol with specific ports cannot be edited. If such a rule is saved as a new rule, the specific ports previously defined are removed from the cloned rule.

    5. Set the Default Action for Inbound and Outbound Traffic to Allow or Block. The default action applies to every connection that does not match any rule in the profile, so setting it to Block turns the profile into an allow-list for that direction.

  5. (Optional) Manage Legacy Host Firewall Rules.

    Manage Host Firewall Rules created on macOS 10 and Cortex XDR agent 7.5 and prior.

    1. Enable Manage Host Firewall to allow Cortex XSIAM to manage the host firewall on your Mac endpoints.

    2. Configure the host firewall Internal and External settings.

      The host firewall settings allow or block inbound communication on your Mac endpoints. Enable or disable the following settings:

      • Stealth Mode—Enable the Apple stealth mode on the endpoint, so that it does not answer probes such as ICMP ping and does not acknowledge connection attempts to closed TCP and UDP ports.

      • Block All Incoming Connections—Select whether to block all incoming connections on the endpoint, apart from those required by basic network services.

      • Application Exclusions—Allow or block incoming connections for specific programs running on the endpoint, identified by their Bundle ID.

      If the profile is location based, you can define both internal and external settings.

  6. Save your profile.

    When you’re done, click Create to save the host firewall profile.

  7. Apply Host Firewall Profiles to Your Endpoints.

Apply Host Firewall Profiles to Your Endpoints

After you define the required host firewall profiles, configure the Protection Policies and enforce them on your endpoints. Cortex XSIAM applies Protection policies on endpoints from top to bottom, as you’ve ordered them on the page. The first policy that matches the endpoint is applied. If no policies match, the default policy that enables all communication to and from the endpoint is applied.
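The ordering rules spread across this guide (policies top to bottom with the first match winning; location based profiles switching between internal and external groups; groups and rules top to bottom; the default action for unmatched traffic; report mode turning Block into Override Block) are easiest to reason about as a single evaluation. The Python below is an added illustration of that evaluation, not Cortex XSIAM code and not a description of the agent's implementation. It assumes that a rule matches on direction, protocol, remote network and port, that the first matching rule wins, and that report mode also overrides a Block default action; every rules group, profile, policy, endpoint and connection in it is constructed.

```python
"""Added example, not Cortex XSIAM code: a model of how one connection is
resolved by the host firewall policy this guide describes.  Assumed rather
than stated by the page: rules match on direction, protocol, remote CIDR and
port; the first matching rule wins; report mode also overrides a Block default
action.  Every group, profile, policy, endpoint and connection is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

ALLOW, BLOCK, OVERRIDE_BLOCK = "Allow", "Block", "Override Block"

@dataclass
class Connection:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp" or "udp"
    remote_ip: str
    port: int        # local port for inbound, remote port for outbound

@dataclass
class Rule:
    action: str                 # ALLOW or BLOCK
    direction: str
    protocol: str = "any"       # "tcp", "udp" or "any"
    remote: str = "0.0.0.0/0"   # remote network, CIDR
    port: Optional[int] = None  # None matches any port
    enabled: bool = True

    def matches(self, c: Connection) -> bool:
        return (self.enabled and self.direction == c.direction
                and self.protocol in ("any", c.protocol)
                and ip_address(c.remote_ip) in ip_network(self.remote)
                and self.port in (None, c.port))

@dataclass
class RuleGroup:
    name: str
    rules: list           # enforced top to bottom
    enabled: bool = True  # a disabled group is skipped

@dataclass
class Profile:
    name: str
    internal_groups: list         # enforced top to bottom
    external_groups: list = field(default_factory=list)
    location_based: bool = False  # False: internal groups apply at any location
    report_mode: bool = False     # True: Block is reported, not enforced
    default_inbound: str = BLOCK  # applied when no rule matched
    default_outbound: str = ALLOW

    def evaluate(self, c: Connection, on_internal_network: bool) -> str:
        groups = self.internal_groups
        if self.location_based and not on_internal_network:
            groups = self.external_groups
        verdict = None
        for group in groups:  # group priority order; disabled groups are skipped
            hit = next((r for r in group.rules if r.matches(c)), None) if group.enabled else None
            if hit:           # first matching rule wins
                verdict = hit.action
                break
        if verdict is None:
            verdict = self.default_inbound if c.direction == "inbound" else self.default_outbound
        if self.report_mode and verdict == BLOCK:
            return OVERRIDE_BLOCK  # traffic passes; the event is reported as Override Block
        return verdict

@dataclass
class Policy:
    name: str
    profile: Profile
    target: Callable[[dict], bool]  # endpoint filter or manual selection

# No policy matched: the built-in default allows all communication.
DEFAULT_PROFILE = Profile("default", [], default_inbound=ALLOW, default_outbound=ALLOW)

def select_profile(policies: list, endpoint: dict) -> Profile:
    """Policies apply top to bottom; the first whose target matches is used."""
    return next((p.profile for p in policies if p.target(endpoint)), DEFAULT_PROFILE)

def demo() -> dict:
    """SSH is allowed only from the corporate range and only on the internal network."""
    corp_ssh = RuleGroup("corp-ssh", [Rule(ALLOW, "inbound", "tcp", "10.0.0.0/8", 22)])
    deny_ssh = RuleGroup("deny-ssh", [Rule(BLOCK, "inbound", "tcp", port=22)])
    strict = Profile("mac-strict", [corp_ssh, deny_ssh], [deny_ssh], location_based=True)
    report = Profile("mac-strict-report", [corp_ssh, deny_ssh], [deny_ssh],
                     location_based=True, report_mode=True)
    baseline = Profile("mac-baseline", [deny_ssh])
    policies = [Policy("engineering", strict, lambda e: e["platform"] == "macos" and e["tag"] == "eng"),
                Policy("all-macs", baseline, lambda e: e["platform"] == "macos")]
    ssh_corp = Connection("inbound", "tcp", "10.1.2.3", 22)
    ssh_inet = Connection("inbound", "tcp", "203.0.113.5", 22)
    return {
        "ssh_from_corp_internal": strict.evaluate(ssh_corp, True),
        "ssh_from_corp_external": strict.evaluate(ssh_corp, False),    # external groups apply
        "ssh_from_internet_internal": strict.evaluate(ssh_inet, True),  # corp-ssh misses, deny-ssh hits
        "mdns_internal": strict.evaluate(Connection("inbound", "udp", "10.1.2.3", 5353), True),
        "https_out": strict.evaluate(Connection("outbound", "tcp", "203.0.113.9", 443), True),
        "ssh_from_internet_report_mode": report.evaluate(ssh_inet, True),
        "profile_for_eng_mac": select_profile(policies, {"platform": "macos", "tag": "eng"}).name,
        "profile_for_sales_mac": select_profile(policies, {"platform": "macos", "tag": "sales"}).name,
        "profile_for_windows": select_profile(policies, {"platform": "windows", "tag": "eng"}).name,
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30} {verdict}")
```

Two consequences worth noticing in the constructed scenario: the same SSH connection from the corporate range is allowed on the internal network and blocked outside it purely because the external group list omits corp-ssh, and the mDNS connection is blocked without any rule naming it, because the inbound default action is Block.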

  1. From Endpoints → Policy Management → Extensions → Policy Rules, select + New Policy or Import from File.

    Note

    When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:

    • New rules are added to the top of the list.

    • Default rules override the default rule in the target tenant.

    • Rules without a defined target are disabled until the target is specified.

  2. Configure settings for the host firewall policy.

    1. Assign a policy name, an optional description, and the operating system.

    2. Assign the host firewall profile you want to use in this rule.

    3. Click Next.

    4. Select the target endpoints on which to enforce the policy.

      Use filters or manual endpoint selection to define the exact target endpoints of the policy rules.

    5. Click Done.

    Alternatively, you can associate the host firewall profile with an existing policy. Right-click the policy and select Edit. Select the Host Firewall profile and click Next. If needed, you can edit other settings in the rule, such as target endpoints and description. When you’re done, click Done.

  3. Configure policy hierarchy.

    Drag and drop the policies in the desired order of execution.

  4. Save the policy hierarchy.

    After the policy is saved and applied to the agents, Cortex XSIAM enforces the host firewall policies on your environment.

Monitor the Host Firewall Activity on your Endpoint

To view only the communication events on the endpoint to which the Cortex XSIAM host firewall rules were applied, run the Cytool firewall show command on the endpoint.

Additionally, to monitor the communication on your macOS endpoint, you can use the operating system itself: on the endpoint, open System Preferences → Security & Privacy → Firewall → Firewall Options (System Settings → Network → Firewall → Options on macOS 13 and later) to view the applications the firewall blocks and allows. The Cortex XSIAM host firewall blocks only incoming communications on Mac endpoints; outbound communication initiated from the endpoint is still allowed.
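To confirm from the Mac itself that the legacy settings above (Stealth Mode, Block All Incoming Connections, Application Exclusions) are in force, and to obtain the Bundle ID an Application Exclusion needs, the following Python is an added example, not Cortex XSIAM or Cortex XDR agent code. It assumes macOS with /usr/libexec/ApplicationFirewall/socketfilterfw (its query flags are real, but its wording differs across macOS releases, so the parser keys on enabled/disabled words), that cytool is at the usual Cortex XDR agent path, and an EXPECTED dict that stands in for what your profile is meant to push; SAMPLE_OUTPUT and SAMPLE_PLIST are constructed. Run it with sudo so that every socketfilterfw query answers.

```python
"""Added example, not Cortex XSIAM or Cortex XDR agent code: audit from the
endpoint which Apple application firewall (ALF) settings are actually in
force, compare them with what the legacy Host Firewall profile is supposed to
push, and resolve a Bundle ID for an Application Exclusion.  Assumptions:
macOS with socketfilterfw at the path below, cytool at the assumed agent path,
EXPECTED as an illustrative stand-in for your profile.  SAMPLE_OUTPUT and
SAMPLE_PLIST are constructed test data."""
import plistlib
import subprocess

SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
CYTOOL = "/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool"  # assumed

QUERIES = {  # setting -> socketfilterfw flag that reports it
    "firewall": "--getglobalstate",
    "stealth_mode": "--getstealthmode",
    "block_all_incoming": "--getblockall",
}
EXPECTED = {"firewall": "on", "stealth_mode": "on", "block_all_incoming": "off"}

# Constructed, in the style socketfilterfw prints; wording varies by release.
SAMPLE_OUTPUT = {
    "firewall": "Firewall is enabled. (State = 1)",
    "stealth_mode": "Stealth mode disabled",
    "block_all_incoming": "Block all DISABLED!",
}
SAMPLE_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.Tool",
                               "CFBundleName": "Tool"})


def parse_flag(text: str) -> str:
    """Map a socketfilterfw answer to 'on', 'off' or 'unknown'."""
    t = text.lower()
    if "disabled" in t or " off" in t:
        return "off"
    if "enabled" in t or " on" in t or "block all non-essential" in t:
        return "on"
    return "unknown"


def bundle_id_from_plist(data: bytes) -> str:
    """Bundle ID used by Application Exclusions, taken from an app's Info.plist."""
    return plistlib.loads(data)["CFBundleIdentifier"]


def bundle_id(app_path: str) -> str:
    with open(f"{app_path}/Contents/Info.plist", "rb") as fh:
        return bundle_id_from_plist(fh.read())


def drift(observed: dict, expected: dict) -> list:
    """(setting, observed, expected) for every setting that differs from intent."""
    return [(k, observed.get(k, "unknown"), v)
            for k, v in expected.items() if observed.get(k, "unknown") != v]


def query_alf() -> dict:
    """Ask socketfilterfw for each setting; some queries only answer as root."""
    states = {}
    for name, flag in QUERIES.items():
        r = subprocess.run([SOCKETFILTERFW, flag], capture_output=True, text=True)
        states[name] = parse_flag(r.stdout + r.stderr)
    return states


if __name__ == "__main__":
    for setting, seen, wanted in drift(query_alf(), EXPECTED):
        print(f"DRIFT {setting}: {seen} (profile expects {wanted})")
    # Per-application allow/block list, i.e. the Application Exclusions in effect.
    print(subprocess.run([SOCKETFILTERFW, "--listapps"], capture_output=True, text=True).stdout)
    # The agent's own view of the rules it enforces.
    print(subprocess.run([CYTOOL, "firewall", "show"], capture_output=True, text=True).stdout)
    print(bundle_id("/Applications/Safari.app"))
```

A setting that shows as drift after the next heartbeat usually means the profile was not applied to this endpoint (check the policy hierarchy and the target filter) or that Manage Host Firewall is disabled in the profile.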