Control communications on your endpoints based on the network location of your device by using the host firewall.
Enforce the Cortex XSIAM host firewall policy in your organization to control communications on your endpoints and gain visibility into your network connections. The host firewall policy consists of unique rule groups that are enforced hierarchically and can be reused across all host firewall profiles. The Cortex XSIAM host firewall rules are integrated with the Windows Security Center and use the operating system firewall APIs to enforce these rules on your endpoints, but they do not enforce your operating system firewall settings. Once you deploy the host firewall, use the Host Firewall Events table to track the enforcement events in your organization.
To configure the Cortex XSIAM host firewall in your network, follow this high-level workflow:
Ensure you meet the host firewall requirements and prerequisites.
Create rules within rule groups: Create host firewall rule groups that you can reuse across all host firewall profiles. Add rules to each group and prioritize the rules from top to bottom to create an enforcement hierarchy.
Configure a profile: Select one or more rule groups into a host firewall enforcement profile that you later associate with an enforcement policy. The profile can enforce different rules when the endpoint is located within the organization’s internal network, and when it is outside. Prioritize the groups within the profile from top to bottom to create an enforcement hierarchy.
Configure a policy: Add your host firewall profile to a new or existing policy that will be enforced on selected target endpoints.
Monitor and troubleshoot: View aggregated host firewall enforcement events, or every individual host firewall activity the agent performed in your network. Cortex XDR Pro customers can also query the host firewall events using the new host_firewall_events dataset in XQL Search for data and network analysis.
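The workflow above describes a two-level hierarchy (rules ordered inside a group, groups ordered inside a profile) that is selected by the endpoint's network location. The following Python model, added here as an illustration and not Cortex XSIAM code, walks that hierarchy for a sample connection so you can see how group order and location change the outcome. The rule fields, the first-match evaluation and the per-profile default action are assumptions made for the model; the group and rule names and the IP addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Model assumptions (not documented product behaviour): a rule matches on
# direction, protocol, remote network and port; the first matching rule in
# the first matching group wins; unmatched traffic falls back to the
# profile's default action.


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "block"
    direction: str       # "inbound" or "outbound"
    protocol: str        # "tcp", "udp" or "any"
    remote_net: str      # CIDR; "0.0.0.0/0" means any IPv4 address
    port: Optional[int]  # None means any port

    def matches(self, direction: str, protocol: str, remote_ip: str, port: int) -> bool:
        return (
            self.direction == direction
            and self.protocol in ("any", protocol)
            and ip_address(remote_ip) in ip_network(self.remote_net)
            and (self.port is None or self.port == port)
        )


@dataclass
class RuleGroup:
    name: str
    rules: List[Rule]  # ordered top to bottom; earlier rules take precedence


@dataclass
class Profile:
    name: str
    internal_groups: List[RuleGroup]  # applied when the endpoint is on the corporate network
    external_groups: List[RuleGroup]  # applied when the endpoint is outside it
    default_action: str = "allow"     # assumption for the model


def evaluate(profile: Profile, location: str, direction: str,
             protocol: str, remote_ip: str, port: int) -> Tuple[str, str]:
    """Return (action, 'group/rule') for the first matching rule, or the default."""
    groups = profile.internal_groups if location == "internal" else profile.external_groups
    for group in groups:            # groups in profile order
        for rule in group.rules:    # rules in group order
            if rule.matches(direction, protocol, remote_ip, port):
                return rule.action, f"{group.name}/{rule.name}"
    return profile.default_action, "default"


# Constructed sample rule groups: one that admits RDP from a management
# subnet, one baseline that blocks inbound RDP from anywhere and allows
# outbound HTTPS. The baseline group is reused by both locations.
LAN_ADMIN = RuleGroup("LAN admin access", [
    Rule("rdp-from-mgmt", "allow", "inbound", "tcp", "10.10.0.0/16", 3389),
])
BASELINE = RuleGroup("Baseline", [
    Rule("block-inbound-rdp", "block", "inbound", "tcp", "0.0.0.0/0", 3389),
    Rule("allow-outbound-web", "allow", "outbound", "tcp", "0.0.0.0/0", 443),
])

# Correct ordering: the specific allow group sits above the baseline block.
PROFILE = Profile("laptops", internal_groups=[LAN_ADMIN, BASELINE], external_groups=[BASELINE])

# Misordered profile: the baseline block shadows the management allow rule.
MISORDERED = Profile("laptops-misordered", internal_groups=[BASELINE, LAN_ADMIN], external_groups=[BASELINE])


if __name__ == "__main__":
    conn = ("inbound", "tcp", "10.10.5.7", 3389)
    print("internal:", evaluate(PROFILE, "internal", *conn))
    print("external:", evaluate(PROFILE, "external", *conn))
    print("misordered internal:", evaluate(MISORDERED, "internal", *conn))
```

The same inbound RDP connection is allowed on the internal network and blocked outside it, and swapping the group order in the profile silently turns the intended allow into a block. That is the reason to review group and rule order in the Host Firewall Events table after deployment rather than trusting the rule set on paper.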
Set up the host firewall
Set up your rule groups and host firewall profile.