Host firewall for Windows - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

Control communications on your endpoints based on the network location of your device by using the host firewall.

Enforce the Cortex XSIAM host firewall policy in your organization to control communications on your endpoints and gain visibility into your network connections. The host firewall policy consists of unique rules groups that are enforced hierarchically and can be reused across all host firewall profiles. The Cortex XSIAM host firewall rules are integrated with the Windows Security Center and use the operating system firewall APIs to enforce these rules on your endpoints; the agent enforces the Cortex XSIAM rules, not your operating system firewall settings. Once you deploy the host firewall, use the Host Firewall Events table to track the enforcement events in your organization.

To configure the Cortex XSIAM host firewall in your network, follow this high-level workflow:

  • Ensure you meet the host firewall requirements and prerequisites.

  • Create rules within rule groups: Create host firewall rules groups that you can reuse across all host firewall profiles. Add rules to each group and prioritize the rules from top to bottom to create an enforcement hierarchy.

  • Configure a profile: Select one or more rule groups into a host firewall enforcement profile that you later associate with an enforcement policy. The profile can enforce different rules when the endpoint is located within the organization’s internal network, and when it is outside. Prioritize the groups within the profile from top to bottom to create an enforcement hierarchy.

  • Configure a policy: Add your host firewall profile to a new or existing policy that will be enforced on selected target endpoints.

  • Monitor and troubleshoot: View aggregated host firewall enforcement events, or all single host firewall activities the agent performed in your network. Cortex XDR Pro customers can also query the host firewall events using the new host_firewall_events dataset in XQL Search for data and network analysis.

Set up the host firewall

Set up your rule groups and host firewall profile.

Group rules into Rules Groups that you can reuse across all host firewall profiles. A host firewall group includes one or more host firewall unique rules. The rules are enforced according to their order of appearance within the group, from top to bottom. After you create a rules group, you can assign the group to a host firewall profile. When you edit, re-prioritize, disable, or delete a rule from a group, the change takes effect in all policies where this group is included. To support this scalability and structure, every rule in Cortex XSIAM is assigned a unique ID and must be contained within a group. Additionally, you can import existing firewall rules into Cortex XSIAM, or export them in JSON format.

  1. Create a group.

    From Endpoints > Host Firewall > Host Firewall Rules Groups, click +New Group on the upper bar.

  2. Fill in general information.

    Enter the rule name and optional description. To enforce the rules within the group in all policies they are associated with, Enable the group. When Disabled, the group exists but is not enforced.

  3. Create rules within the rules group.

    Create rules within rules groups to allow or block traffic on the endpoint. Use a variety of parameters to fine-tune your policy, such as specific protocols, applications, services, and more. For every group, you need to create its own list of rules. Each rule is assigned a unique ID and can be associated with a single group only.

    Note

    • A rule is always part of a rules group. It cannot stand on its own.

    • A rule can belong to one rules group only and cannot be reused in different groups.

    1. Configure rule settings.

      A host firewall rule allows or blocks the communication to and/or from an endpoint. Enter the rule Name, optional Description, and select the Platforms you want to associate the rule with.

      Fine-tune the rule by applying the action to the following parameters:

      • Protocol: Select any of the 256 internet protocols:

        • Any

        • Custom

        • TCP

        • UDP

        • ICMPv4

        • ICMPv6

        Once you select one of the available protocols or enter the protocol number, you will be able to specify additional parameters per protocol as needed. For example, for TCP(6) you can set local and remote ports, whereas for ICMPv4(1) you can add the ICMP type and code.

        Note

        When selecting the ICMP protocol, you must enter the ICMP Type and Code. Without these values the ICMP protocol is ignored by the Windows and macOS Cortex XDR agents.

      • Direction: Select the direction of the communication this rule applies to: Inbound communication to the endpoint, Outbound communication from the endpoint, or Both.

      • Action: Select whether the rule action is to Allow or Block the communication on the endpoint.

      • Local/Remote IP Address: Configure the rule for specific local or remote IP addresses and/or Ports. You can set a single IP address, multiple IP addresses separated by a comma, a range of IP addresses separated by a hyphen, or a combination of these options.

      • Depending on the type of platform you selected, define the Application, Service, and Bundle IDs under Windows Settings and/or macOS Settings. Configure the rule for all applications/services or only for specific ones by entering the full path and name. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change.

      • Report Matched Traffic: When Enabled, enforcement events captured by this rule are reported periodically to Cortex XSIAM and displayed in the Host Firewall Events table, whether the rule is set to Allow or Block the traffic. When Disabled, the rule is applied but enforcement events are not reported periodically.

    2. Save rule.

      After you fill in all the details, you need to save the rule. If you know you need to create a similar rule, click Create another to save this rule and leave the specified parameters available for edit for the next rule. Otherwise, to save the rule and exit, click Create.

  4. Prioritize rules.

    The rules within the group are enforced by priority from top to bottom. By default, every new rule is added to the top of the already existing rules in the group, meaning it is assigned the highest priority and will be enforced first. To change the rules priority and order of enforcement within the group, click the rule priority number and drag the rule up or down the table to the proper row. Repeat this process to prioritize all the rules.

  5. Save.

    When you are done, click Create. The new rules group is created and can be associated with a host firewall profile.

After you create a group, you can perform additional actions. From Endpoints > Host Firewall > Host Firewall Rules Groups, click a group:

  • View group data: From the Host Firewall Rules Groups table you can view details about all the existing rules groups in your organization. The table lists high level information about the group such as name, mode, and number of rules included. To view all rules within a group and all the profiles the group is associated with, click the expand icon.

  • Edit group: Right-click the group and Edit its settings.

  • Delete/Disable: To stop enforcing the rules within this group, right-click the group and Delete/Disable it. On the next heartbeat, its rules will be removed/disabled from all profiles this group is associated with.

  • Import/Export group rules: Using a JSON file, you can import rules into the Cortex XSIAM host firewall or export them. Right-click the rule and Import/Export.

After you create a host firewall rule and assign it to a rules group, you can manage the rule settings and enforcement as follows.

  • View/Edit: Right-click the rule to view it or edit its parameters.

  • Change priority: Change the rule priority within the group by dragging its row up and down the rules list.

  • Delete/Disable: To stop enforcing the rule, you can right-click the rule and Delete/Disable it. On the next heartbeat, the rule will be removed/disabled in all profiles where this rules group is included.

Configure host firewall profiles that contain one or more rules groups. The groups are enforced according to their order of appearance within the profile, from top to bottom (and within each group, the rules are also enforced from top to bottom). You can also configure profiles based on the device location within your internal network. When you edit, re-prioritize, disable, or delete a rules group from a profile, the change takes effect on the next heartbeat in all policies where this profile is included.

  1. Create a profile.

    From Endpoints > Policy Management > Extensions, select + Add Profile or Import from File.

  2. Select the platform, click Host Firewall, and then click Next.

  3. Fill in General Information.

    Enter the profile name and optional description.

  4. Configure Report Settings.

    When the profile operates in report mode, Cortex XSIAM overrides all rules set to Block traffic. Instead, the traffic is allowed to go through, and the enforcement event is reported as Override Block. You can configure a profile in report mode if you need for example to test new block rules before you actually apply them.

  5. Configure Internal and External Rule Groups.

    To apply location-based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled, Cortex XSIAM enforces the host firewall rules based on the current location of the device: one set of rules applies within the internal organization network (Internal Rules), and another applies outside it (External Rules), enabling you, for example, to enforce stricter rules when the device is outside the office in a public place. If you disable the Location Based option, your policy applies the internal set of rules only, regardless of the device's location.

    Create a new rule or add a rules group to the Internal/External Groups:

    1. Click +Add Group.

    2. Select one or more groups, and click Add.

      To quickly apply the exact same rules in both cases, select Add as external/internal rules groups as well.

    3. Review the rule group field details.

      The groups are listed according to the order of enforcement from top to bottom. To change this order, click on the group priority number and drag the group to the desired row.

      • Applicable Rules Count: Displays the number of rules in the specific group that are associated with the platform profile.

      • Created by: Displays the email address of the user that created the rule.

      • Creation Time: Date and time of when the rule was created.

      • Description: Description of the rule, if available.

      • Group ID: Unique rules group ID.

      • Group Name: Name of the rules group.

      • Mode: Displays whether the rules group is enabled.

      • Modified by: Displays the email address of the last user that made changes to the group.

      • Modification Time: Date and time of when the group was modified.

    4. (Optional) Select View Rules to view a list of all the rule details within the rules group. The table is filtered according to the rules associated with the platform profile you are creating.

    5. Set the Default Action for Inbound/Outbound Traffic in the profile to Allow or Block. The default action applies to all network connections that have not matched any other rule in the profile; for example, select Allow if you want to allow all such unmatched connections.

  6. Save the profile.

    When you are done, click Create. You can now configure a host firewall policy.
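The enforcement order described above for rules groups (rules top to bottom, a new rule landing at the top) and for profiles (groups top to bottom, internal versus external sets, report mode, default action) can be modelled directly. This is an added example, not Cortex XSIAM code; the Rule, Group and Profile classes, their fields, and the sample rules are assumptions made for the illustration.

```python
from dataclasses import dataclass
# Added illustration of the enforcement order this page describes; not Cortex XSIAM code.
# Rule/Group/Profile shapes and the match fields are assumptions for the example.
@dataclass
class Rule:
    name: str
    action: str                        # "Allow" or "Block"
    direction: str = "Both"            # "Inbound", "Outbound" or "Both"
    protocol: "int | None" = None      # IP protocol number; None means Any
    remote_port: "int | None" = None   # None means any port
    enabled: bool = True
    def matches(self, direction: str, protocol: int, remote_port: int) -> bool:
        return (self.enabled and self.direction in ("Both", direction)
                and self.protocol in (None, protocol)
                and self.remote_port in (None, remote_port))
@dataclass
class Group:
    name: str
    rules: list                        # index 0 is the top row, enforced first
@dataclass
class Profile:
    internal_groups: list              # index 0 is the top group, enforced first
    external_groups: list
    location_based: bool = True
    report_mode: bool = False
    default_inbound: str = "Block"     # Default Action for unmatched inbound traffic
    default_outbound: str = "Allow"    # Default Action for unmatched outbound traffic

def evaluate(profile, on_internal_network, direction, protocol, remote_port):
    """Walk groups top to bottom, then rules top to bottom; the first match wins."""
    groups = profile.internal_groups
    if profile.location_based and not on_internal_network:
        groups = profile.external_groups   # external set applies off the office network
    for group in groups:
        for rule in group.rules:
            if rule.matches(direction, protocol, remote_port):
                action = rule.action
                if profile.report_mode and action == "Block":
                    action = "Override Block"  # report mode: traffic passes, event reported
                return rule.name, action
    return "Default", profile.default_inbound if direction == "Inbound" else profile.default_outbound

def sample_profile(report_mode=False):
    """Constructed sample: inbound RDP blocked everywhere, outbound TCP allowed only inside."""
    block_rdp = Rule("Block RDP in", "Block", "Inbound", 6, 3389)
    allow_tcp = Rule("Allow TCP out", "Allow", "Outbound", 6)
    core = Group("Core", [block_rdp, allow_tcp])
    return Profile([core], [Group("Off-site", [block_rdp])], report_mode=report_mode)
```

Inserting a rule at index 0 of a group's list reproduces what the console does when a new rule is added at the top: it takes the highest priority and is matched before everything below it.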

After you create the host firewall extensions profile, you can perform additional actions. The changes take effect on the next heartbeat. From Endpoints > Policy Management > Extensions > Policy Rules, right-click to:

  • Edit: Change the profile settings and Save. The change takes effect in all policies enforcing this profile.

  • Delete: The profile is deleted from all policies it was associated with, while the rules groups are not deleted and are still available in Cortex XSIAM.

  • Save As New: Duplicate the profile, edit, and save as new.

  • Export Profile: Select one or more policies, right-click and select Export Policies. You can choose to include the associated Policy Targets, Global Exceptions, and endpoint groups.

After you define the required host firewall profiles, configure host firewall policies that will be enforced on your target endpoints. You can associate the profile with an existing policy, or create a new one.

  1. Create a policy.

    From Endpoints > Policy Management > Extensions > Policy Rules, click +New Policy or Import from File.

    Note

    When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows.

    • New rules are added to the top of the list.

    • Default rules override the default rule in the target tenant.

    • Rules without a defined target are disabled until a target is specified.

  2. Fill in general information.

    Enter the policy name, description, and platform. Click Next.

  3. Select profile.

    Select the desired profile for host firewall from the drop-down list, and any other profiles you want to include in this policy. Click Next.

  4. Select endpoints.

    Select the target endpoints on which to enforce the policy. Use filters or manual endpoint selection to define the exact target endpoints of the policy. Click Done.

  5. Configure policy hierarchy.

    Drag and drop the policies in the desired order of execution, from top to bottom.

  6. Save the policy.

    After the policy is saved and applied to the agents, Cortex XSIAM enforces the host firewall policies in your environment.

The Host Firewall Events table provides an aggregated view of the host firewall enforcement events in your network. An enforcement event represents the number of rule hits per endpoint in 60 minutes.

Note

  • The data is aggregated and reported periodically every 60 minutes since the first time the host firewall policy was enforced on the endpoint, not every round hour.

  • The table lists enforcement events only for rules set to Report Matched Traffic.

Every enforcement event includes additional data such as the time of the first rule hit, the rule action, protocol, and more.
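The two aggregation notes above (60-minute windows counted from first enforcement rather than round hours, and only rules with Report Matched Traffic enabled) are easy to get wrong when reading the table, so here is an added illustration of that roll-up. It is not Cortex XSIAM code; the log record shape, the sample hits and the timestamps are constructed for the example.

```python
# Added illustration of the aggregation rule this page describes; not Cortex XSIAM code.
# The per-hit record shape and the sample data below are constructed for the example.
WINDOW = 3600  # 60-minute reporting window, counted from first enforcement on the endpoint

def aggregate(hits, first_enforced, report_flags):
    """Roll per-hit logs into enforcement events: one per (endpoint, rule, window).

    hits: dicts with endpoint, rule_id, ts (epoch seconds), action, protocol.
    first_enforced: endpoint -> epoch seconds the policy was first enforced there.
    report_flags: rule_id -> whether Report Matched Traffic is enabled for the rule.
    Windows start at first enforcement, not on the hour; unreported rules yield no event.
    """
    events = {}
    for hit in hits:
        if not report_flags.get(hit["rule_id"], False):
            continue                      # still in the on-endpoint log, never reported
        endpoint = hit["endpoint"]
        window = (hit["ts"] - first_enforced[endpoint]) // WINDOW
        key = (endpoint, hit["rule_id"], window)
        ev = events.get(key)
        if ev is None:
            events[key] = {"endpoint": endpoint, "rule_id": hit["rule_id"],
                           "window": window, "hits": 1, "first_hit": hit["ts"],
                           "action": hit["action"], "protocol": hit["protocol"]}
        else:
            ev["hits"] += 1
            ev["first_hit"] = min(ev["first_hit"], hit["ts"])   # time of the first rule hit
    return sorted(events.values(), key=lambda e: (e["endpoint"], e["rule_id"], e["window"]))

# Constructed sample: policy first enforced at 10:20 (epoch 37200 on day 0).
FIRST_ENFORCED = {"host-a": 37200}
REPORT_FLAGS = {"R1": True, "R2": False}
SAMPLE_HITS = [
    {"endpoint": "host-a", "rule_id": "R1", "ts": 37260, "action": "Block", "protocol": 6},
    {"endpoint": "host-a", "rule_id": "R1", "ts": 39600, "action": "Block", "protocol": 6},   # 11:00, same window
    {"endpoint": "host-a", "rule_id": "R1", "ts": 41000, "action": "Block", "protocol": 6},   # 11:23, next window
    {"endpoint": "host-a", "rule_id": "R2", "ts": 37300, "action": "Allow", "protocol": 17},  # not reported
]
```

Note that the 11:00 hit lands in the same event as the 10:21 hit, because the window began at 10:20, not at the top of the hour.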

To gain deeper visibility into all the host firewall activity that occurred on an endpoint, you can retrieve a log file listing all single actions the agent performed for all rules (whether set to Report Matched Traffic or not). The logs are stored in a cyclic 50MB file on the endpoint, which is continuously rewritten, overwriting older logs. When you upload the file, the logs are loaded into the Host Firewall Events table. You can filter the table using the Event Source field to view only the aggregated periodic logs, or only the non-aggregated on-demand logs.

To collect the log file, right-click the event containing the endpoint you are interested in and select Collect Detailed Host Firewall Logs. Alternatively, you can perform this action for multiple endpoints from Endpoints Administration.