Carbon Black Cloud: Best Practices for Host-Based Firewall Rules

Environment

  • Carbon Black Cloud: All Versions
  • Host-Based Firewall

Objective

Best practices for creating and testing new firewall policy changes.

Resolution

General best practices for managing Host-Based Firewall:

  • Always leverage the Test Rule functionality before enabling new rules.
  • Use an "Allow all traffic" default rule to avoid blocking critical services while building out rulesets.
  • Apply new rules to a smaller set of endpoints in a test Policy before deploying widely.
  • If using local Windows firewall rules, use the import script to migrate existing rules from a Windows machine to Carbon Black Cloud.
  • Firewall rules work in conjunction with Endpoint Standard Prevention rules as follows:
    1. Endpoint Standard Bypass permissions supersede all firewall rules.
    2. Firewall blocking rules supersede Allow and Allow & Log Permissions.
    3. Endpoint Standard Blocking & Isolation rules supersede firewall allow rules.
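The three precedence statements above are easy to misread in isolation, so here is a small Python model of them as an added example. It is not Carbon Black code and does not call the Carbon Black Cloud API; the rule names are constructed, and two details the article does not describe are assumptions marked in the code: when several explicit firewall rules match, the first one in ranked order is taken, and the policy's default rule is treated as a lowest-priority firewall rule (so a "Block all traffic" default behaves like a firewall block).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Rule sources and actions, modelled as plain strings for this example.
ENDPOINT_STANDARD = "endpoint_standard"
FIREWALL = "firewall"
BYPASS, ALLOW, ALLOW_AND_LOG, BLOCK, ISOLATE = (
    "bypass", "allow", "allow_and_log", "block", "isolate")


@dataclass(frozen=True)
class Rule:
    name: str      # constructed label, used only for the explanation string
    source: str    # ENDPOINT_STANDARD or FIREWALL
    action: str    # one of the action constants above


def resolve(matching: Iterable[Rule], default_rule: str = ALLOW) -> Tuple[str, str]:
    """Return (verdict, reason) for a connection that every rule in `matching` applies to.

    Precedence follows the article's three statements:
      1. Endpoint Standard Bypass supersedes all firewall rules.
      2. Firewall block rules supersede Allow and Allow & Log permissions.
      3. Endpoint Standard Blocking & Isolation rules supersede firewall allow rules.
    `default_rule` is the policy's Default Rule: ALLOW for "Allow all traffic",
    BLOCK for "Block all traffic".
    """
    rules = list(matching)
    es = [r for r in rules if r.source == ENDPOINT_STANDARD]
    fw = [r for r in rules if r.source == FIREWALL]

    # 1. A Bypass permission wins over everything, including firewall blocks.
    for r in es:
        if r.action == BYPASS:
            return "allow", f"endpoint_standard_bypass:{r.name}"

    # 3. Endpoint Standard block / isolation beats any firewall allow rule.
    for r in es:
        if r.action in (BLOCK, ISOLATE):
            return "block", f"endpoint_standard_{r.action}:{r.name}"

    # Firewall side. ASSUMPTION: the first matching explicit firewall rule in
    # ranked order decides; with no explicit match, the policy's default rule
    # is applied as if it were the lowest-priority firewall rule.
    decider = fw[0] if fw else Rule("default-rule", FIREWALL, default_rule)

    # 2. A firewall block supersedes Allow and Allow & Log permissions, so the
    # remaining Endpoint Standard permissions never change the verdict here.
    if decider.action == BLOCK:
        return "block", f"firewall_block:{decider.name}"
    return "allow", f"firewall_allow:{decider.name}"


def scenarios() -> Dict[str, str]:
    """Worked cases with constructed rules; each value is the resulting verdict."""
    ftp_block = Rule("Block outbound FTP (tcp/21)", FIREWALL, BLOCK)
    ftp_allow = Rule("Allow FTP to backup host", FIREWALL, ALLOW)
    backup_bypass = Rule("backup-agent.exe Bypass", ENDPOINT_STANDARD, BYPASS)
    isolate_proc = Rule("unknown-app.exe Isolate", ENDPOINT_STANDARD, ISOLATE)
    allow_log = Rule("ftp.exe Allow & Log", ENDPOINT_STANDARD, ALLOW_AND_LOG)
    return {
        "bypass_beats_firewall_block": resolve([backup_bypass, ftp_block])[0],
        "isolation_beats_firewall_allow": resolve([isolate_proc, ftp_allow])[0],
        "firewall_block_beats_allow_and_log": resolve([allow_log, ftp_block])[0],
        "allow_and_log_with_allow_all_default": resolve([allow_log])[0],
        "no_match_allow_all_default": resolve([])[0],
        "no_match_block_all_default": resolve([], default_rule=BLOCK)[0],
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:40s} -> {verdict}")
```

The last scenario is the one the Tip under step 2 warns about: with a "Block all traffic" default, anything not explicitly allowed by a firewall rule is blocked, and only a Bypass permission escapes that.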

How-to workflow and best practices for implementing Host-Based Firewall rules:

  1. From the Console, navigate to Enforce > Policies > [Policy name] > Host-Based Firewall tab.
  2. Select a Default Rule, the baseline behavior for machines in this Policy.
    • Allow all traffic: Allows all network traffic except for behaviors blocked by specific rules created in the policy.
    • Block all traffic: Blocks all network traffic except for behaviors allowed by specific rules created in the policy.
    • Tip: Selecting Block all traffic as the default rule can be highly disruptive to assets managed by Carbon Black Cloud, so take special care to ensure that expected behavior is not negatively impacted.
  3. Under Actions > Add rule group, create a rule group and populate it with firewall rules.
  4. View, create, and modify additional rule groups and rules, as needed.
    • Tip: Simplify rule management by assigning individual rules with a shared purpose into a single rule group. Example: Multiple rules to control access to FTP servers should be managed under one rule group.
  5. On the Sensor tab, check the Enable host-based firewall setting.
  6. To test rules, click the expandable arrow next to a rule group's Status toggle to display that group's rules, select Test rule under the Actions column, then Save changes.
    • Note: Rules can only be tested when their Status is set to Disabled.
  7. Review rule outcome by clicking the Investigate button, which will run a query against recent traffic fitting your rule.
    • Tip: It is recommended to simulate real-world actions that trigger the rule. For example, if creating a rule to block access to FTP, try to access FTP, view those results on the Investigate page, then identify any problems with implementation and adjust the rule accordingly.
    • Note: Any network traffic returned in the query results would be subject to the tested rule and allowed or blocked accordingly, assuming no other superseding rules.
  8. Modify rules as necessary and retest until the rules perform as expected.
  9. Stop testing high-confidence rules that are verified to perform as expected and set their Status to Enabled.
  10. View firewall-related Alerts and Observations on the Alerts and Investigate pages, respectively.
  11. Continue to modify rules as necessary.

Additional Notes

  • Additional information on the general operation of this feature can be found in the Host-Based Firewall FAQ.
  • A short, six-minute demo of how to create, manage, and test Host-Based Firewall rules can be found here on Carbon Black Tech Zone.
  • For a more detailed, setting-by-setting breakdown, refer to Host-based Firewall Policy Settings in the User Guide.
  • There is a 30-day limit for disabled firewall rules placed in Test rule mode, after which Test mode is deactivated and the rule remains disabled.

Article Information
Creation Date: 01-18-2024