The following instructions assume that you are on the appropriate page in the Create New Firewall Policy Wizard (see Section 9.0, Creating Security Policies) or that you are on the page for an existing Firewall policy (see Section 13.0, Editing a Policy’s Details).
The Firewall policy lets you determine the firewall settings applied to a device. The firewall settings control a device’s network connectivity by allowing or blocking ports, protocols, and network addresses (IP and MAC).
Specify the default behavior for ports and protocols. The default behavior is applied to all ports and protocols unless it is overridden by a port/protocol rule or an Access Control List.
Select one of the following behaviors:
Stateful: Blocks all unsolicited inbound network traffic. Allows all solicited inbound network traffic and all outbound network traffic.
Open: Allows all inbound and outbound network traffic. Because all network traffic is allowed, a device’s identity is visible on all ports.
Closed: Blocks all inbound and outbound network traffic. Because all network identification requests are blocked, a device’s identity is concealed on all ports.
If you select this option, you should enable the ZENworks Server ACL and ARP ACL (see Section A.4.4, Standard Access Control Lists) to ensure that the device can communicate with ZENworks Servers to receive content (policies, bundles, and so forth) and upload report data.
Inherit: Inherits this setting value from other Firewall policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Firewall policies assigned to the user’s groups, folders, or zone.
Select the option to turn off the Windows Firewall and register the Endpoint Security Agent as the firewall provider in the Windows Security Center. This ensures that the Firewall policy’s settings and the Windows Firewall settings do not conflict and generate unexpected results.
Select Inherit to inherit this setting value from other Firewall policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Firewall policies assigned to the user’s groups, folders, or zone.
Be aware of the following when disabling the Windows Firewall:
On Windows devices that are members of a domain, the relevant GPO setting must be enabled. If the setting is not enabled and you apply a Firewall policy that disables the Windows Firewall, the Endpoint Security Agent is unable to turn off the Windows Firewall; the result is that both the Windows and Endpoint Security firewalls are active.
This setting disables only the Windows Firewall. If the device has other (third-party) firewalls active, those firewalls are not disabled and could conflict with the Endpoint Security firewall. We recommend that you disable any other firewalls.
The port/protocol rules let you override the default behavior assigned to ports and protocols. A rule identifies one or more ports or protocols and the behavior to be applied to the ports and protocols.
For example, assume that you want to block streaming media. You would create a Streaming Media rule and close ports 554, 1755, 7070, and 8000 (the common Microsoft and RealMedia streaming media ports) to TCP communication.
The following table provides instructions for managing the policy’s port/protocol rules:
Task | Steps | Additional Details |
---|---|---|
Create a new rule | | |
Copy an existing rule from another policy | | All rules included in the other Firewall policies are copied. If necessary, you can edit the copied rules after they are added to the list. |
Import a rule from a policy export file | | All rules included in the export file are imported. If necessary, you can edit the imported rules after they are added to the list. For information about exporting rules, see Export a rule. |
Enable or disable a rule | | When you add a rule, it is enabled by default. You can disable a rule to keep it in the policy without applying it. |
Edit a rule | | |
Rename a rule | | |
Export a rule | | |
Delete a rule | | |
The standard Access Control Lists (ACLs) represent predefined protocol packet types. For each ACL, select one of the following settings. The ACL setting overrides the default behavior and any port/protocol rules.
Allow: Allows the ACL’s protocol packets.
Inherit: Inherits this setting from other Firewall policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Firewall policies assigned to the user’s groups, folders, or zone.
The following list provides a brief description of each ACL:
802.1x: Allows 802.1x packets. To overcome deficiencies in Wired Equivalent Privacy (WEP) keys, Microsoft and other companies are utilizing 802.1x as an alternative authentication method. 802.1x is a port-based network access control that uses the Extensible Authentication Protocol (EAP) or certificates. Currently, most major wireless card vendors and many access point vendors support 802.1x. This setting also allows Light Extensible Authentication Protocol (LEAP) and WiFi Protected Access (WPA) authentication packets.
ARP: Allows Address Resolution Protocol (ARP) packets. Address resolution is the process of finding the address of a computer on a network. A client process on the local computer sends a request to a server process on a remote computer; the information in the request lets the server uniquely identify the network system whose address is wanted and return that address. The procedure is complete when the client receives the response containing the required address.
Ethernet Multicast: Allows Ethernet Multicast packets. Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news. Multicast packets can be distributed by using either IP or Ethernet addresses.
ICMP: Allows Internet Control Message Protocol (ICMP) packets. ICMP packets are used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts. ICMP messages are sent in several situations; for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.
IP Multicast: Allows IP Multicast packets. Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news. Multicast packets can be distributed by using either IP or Ethernet addresses.
IP Subnet Broadcast: Allows Subnet Broadcast packets. Subnet broadcasts are used to send packets to all hosts of a subnetted, supernetted, or otherwise nonclassful network. All hosts of a nonclassful network listen for and process packets addressed to the subnet broadcast address.
Logical Link Layer Control: Allows LLC-encoded packets.
SNAP: Allows SNAP-encoded packets. Subnetwork Access Protocol (SNAP) is an extension of the Logical Link Control (LLC, IEEE 802.2) header and is used for encapsulating IP datagrams and ARP requests and replies on IEEE 802 networks.
ZENworks Server: Allows packets sent to and received from the ZENworks Server.
You can create custom Access Control Lists (ACLs) to define specific IP or MAC addresses from which unsolicited traffic should always be blocked or should always be allowed. An ACL setting overrides port rules and the default port behavior.
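The three layers described on this page (the default behavior for ports and protocols, the port/protocol rules that override it, and the ACLs that override both) compose in a fixed order, and getting that order wrong is how a policy ends up allowing traffic the administrator believed was blocked. The following Python model is an added example and is not ZENworks code; it encodes the precedence the page states (ACL over rule over default), the Stateful/Open/Closed semantics from the behavior list, the Streaming Media rule from the port-rule section, and the MAC format from the ACL table. The data classes, the `solicited` flag standing in for the agent's connection tracking, the decision to apply ACLs only to unsolicited inbound traffic, and the sample 10.0.0.0/24 subnet are assumptions made for illustration.

```python
"""Added example (not ZENworks code): a model of how a Firewall policy's default
behavior, port/protocol rules and ACLs combine. Precedence follows the page:
ACL > port/protocol rule > default behavior. Data classes, the 'solicited'
flag and the sample addresses are assumptions for illustration."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Literal, Optional

Behavior = Literal["stateful", "open", "closed"]
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def parse_mac(mac: str) -> str:
    """Normalize a MAC address to the xx:xx:xx:xx:xx:xx form the page requires, or raise."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"MAC address must use the form xx:xx:xx:xx:xx:xx, got {mac!r}")
    return mac


@dataclass(frozen=True)
class Packet:
    direction: Literal["inbound", "outbound"]
    protocol: str                  # "tcp", "udp", "icmp", ...
    port: Optional[int] = None
    remote_ip: Optional[str] = None
    remote_mac: Optional[str] = None
    solicited: bool = False        # assumed: inbound packet belongs to a flow the device started


def behavior_allows(behavior: Behavior, pkt: Packet) -> bool:
    """Apply one of the page's three behaviors to a packet."""
    if behavior == "open":
        return True                # all inbound and outbound traffic allowed
    if behavior == "closed":
        return False               # all inbound and outbound traffic blocked
    # stateful: outbound and solicited inbound allowed, unsolicited inbound blocked
    return pkt.direction == "outbound" or pkt.solicited


@dataclass
class PortRule:
    name: str
    protocol: str
    ports: frozenset
    behavior: Behavior
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        return pkt.protocol == self.protocol and pkt.port in self.ports


@dataclass
class Acl:
    """Custom ACL: always allow or always block unsolicited traffic from listed addresses."""
    name: str
    action: Literal["allow", "block"]
    networks: tuple = ()           # ip_network objects; a range is expanded to hosts on the device
    macs: frozenset = frozenset()
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != "inbound" or pkt.solicited:
            return False           # assumption: ACLs decide unsolicited inbound traffic only
        if pkt.remote_ip and any(ip_address(pkt.remote_ip) in n for n in self.networks):
            return True
        return bool(pkt.remote_mac) and parse_mac(pkt.remote_mac) in self.macs


@dataclass
class FirewallPolicy:
    default_behavior: Behavior
    port_rules: list = field(default_factory=list)
    acls: list = field(default_factory=list)


def evaluate(policy: FirewallPolicy, pkt: Packet) -> tuple:
    """Return (allowed, reason) using the page's precedence: ACL, then rule, then default."""
    for acl in policy.acls:
        if acl.enabled and acl.matches(pkt):
            return acl.action == "allow", f"acl:{acl.name}"
    for rule in policy.port_rules:
        if rule.enabled and rule.matches(pkt):
            return behavior_allows(rule.behavior, pkt), f"rule:{rule.name}"
    return behavior_allows(policy.default_behavior, pkt), "default"


# Constructed sample policy: Stateful default, the page's Streaming Media rule, an allow
# ACL for a made-up management subnet, and a block ACL for the page's example MAC address.
STREAMING_MEDIA = PortRule("Streaming Media", "tcp", frozenset({554, 1755, 7070, 8000}), "closed")
SAMPLE_POLICY = FirewallPolicy(
    default_behavior="stateful",
    port_rules=[STREAMING_MEDIA],
    acls=[
        Acl("Mgmt subnet", "allow", networks=(ip_network("10.0.0.0/24"),)),
        Acl("Blocked MAC", "block", macs=frozenset({parse_mac("01:23:45:67:89:ab")})),
    ],
)

if __name__ == "__main__":
    for pkt in (
        Packet("inbound", "tcp", 80, "192.0.2.10"),
        Packet("outbound", "tcp", 554, "192.0.2.10"),
        Packet("inbound", "tcp", 554, "10.0.0.5"),
        Packet("inbound", "tcp", 22, "192.0.2.7", "01:23:45:67:89:AB"),
    ):
        print(pkt, "->", evaluate(SAMPLE_POLICY, pkt))
```

The reason string returned alongside each verdict is the part worth keeping when reviewing a policy: an unsolicited packet on port 554 from the management subnet is allowed with reason `acl:Mgmt subnet` even though the Streaming Media rule closes that port, which is exactly the ACL-over-rule precedence the page describes and the first thing to look for when a closed port turns out to be reachable.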
The following table provides instructions for managing the ACLs:
Task | Steps | Additional Details |
---|---|---|
Create a new ACL | | Use one of the following formats: IMPORTANT: To enforce the ACL, an IP address range is expanded to individual IP addresses. A large range can consume significant resources on the device and impact performance. To minimize this impact, define ranges that include only the IP addresses you want to control. Use the following format when specifying a MAC address: xx:xx:xx:xx:xx:xx. For example, 01:23:45:67:89:ab. |
Copy an existing ACL from another policy | | All ACLs included in the other Firewall policies are copied. If necessary, you can edit the copied ACLs after they are added to the list. |
Import an ACL from a policy export file | | All ACLs included in the export file are imported. If necessary, you can edit the imported ACLs after they are added to the list. For information about exporting ACLs, see Export an ACL. |
Enable or disable an ACL | | When you add an ACL, it is enabled by default. You can disable an ACL to keep it in the policy without applying it. |
Edit an ACL | | |
Rename an ACL | | |
Export an ACL | | |
Delete an ACL | | |