Click ‘Configuration Templates’ > ‘Profiles’ > click the name of a Windows profile > 'Add Profile Section' > 'Firewall'
The CCS firewall analyzes every packet of data entering and leaving an endpoint using a combination of Application and Global Rules.
Application Rules - Determine the network access privileges of individual applications or specific types of applications at the endpoint.
Global Rules - Rules that apply to all traffic flowing in and out of the endpoint.
For Outgoing connection attempts, the application rules are consulted first and then the global rules second.
For Incoming connection attempts, the global rules are consulted first and then the application rules second.
Therefore, outgoing traffic has to 'pass' the application rules and then any global rules before it is allowed out of your system. Similarly, incoming traffic has to 'pass' any global rules first and then any application-specific rules that apply to the packet.
Global Rules are mainly, but not exclusively, used to filter incoming traffic for protocols other than TCP or UDP.
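The evaluation order described above, modelled in Python. This is an added example, not code from Endpoint Manager or CCS. The rule fields, application names and sample rules are constructed, and two behaviours are assumptions the page does not state: the first matching rule in each set decides, and traffic that matches no rule in a set passes that set. The model handles IPv4 addresses only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                    # "allow" or "block"
    protocol: str                  # "TCP", "UDP", "ICMP", "IP" or "ANY"
    direction: str                 # "in", "out" or "both"
    remote_net: str = "0.0.0.0/0"  # remote peer as an IPv4 network
    ports: tuple = (0, 65535)      # destination port range ('Any' = 0-65535)
    app: str = "*"                 # "*" = not tied to one application (global rules)

    def matches(self, pkt):
        return (self.protocol in ("ANY", pkt["protocol"])
                and self.direction in ("both", pkt["direction"])
                and self.app in ("*", pkt["app"])
                and ipaddress.ip_address(pkt["remote"]) in ipaddress.ip_network(self.remote_net)
                and self.ports[0] <= pkt.get("port", 0) <= self.ports[1])

def first_match(rules, pkt):
    """Assumption: rules are read top to bottom and the first match decides."""
    return next((r for r in rules if r.matches(pkt)), None)

def evaluate(pkt, app_rules, global_rules):
    """Return (verdict, trace). The packet must pass both rule sets."""
    stages = [("application", app_rules), ("global", global_rules)]
    if pkt["direction"] == "in":
        stages.reverse()           # incoming: global rules are consulted first
    trace = []
    for name, rules in stages:
        rule = first_match(rules, pkt)
        verdict = rule.action if rule else "allow"  # assumed default for no match
        trace.append((name, verdict))
        if verdict == "block":
            return "block", trace  # the second rule set is never consulted
    return "allow", trace

# Constructed sample rule sets, for illustration only
GLOBAL_RULES = [
    Rule("allow", "ICMP", "in", "192.168.200.0/24"),  # ping from the local subnet
    Rule("block", "ICMP", "in"),                      # all other incoming ICMP
    Rule("block", "TCP", "out", ports=(23, 23)),      # no outgoing Telnet
]
APP_RULES = [
    Rule("allow", "TCP", "out", ports=(443, 443), app="browser.exe"),
    Rule("allow", "TCP", "out", ports=(23, 23), app="legacy.exe"),
    Rule("allow", "TCP", "in", ports=(8443, 8443), app="server.exe"),
]
```

The trace shows which rule set produced the final verdict: an outgoing Telnet connection from legacy.exe is allowed by its application rule and then blocked by the global rule.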
This article explains how to add global rules to the firewall section of a profile.
See 'How to configure internet access rights for applications via Endpoint Manager' for help to create application rules.
See 'Firewall Rules Explained' at the end of How to create a custom firewall rule set in a Windows profile to read more about construction of a rule.
Configure global firewall rules
Log in to ITarian
Click 'Applications' > 'Endpoint Manager'
Click ‘Configuration Templates’ > ‘Profiles’
Open the Windows profile applied to your target devices
Open the 'Firewall' tab if it has already been added to the profile
Click 'Add Profile Section' > 'Firewall' if it hasn't yet been added
Open the 'Global Rules' tab
EM ships with a set of predefined global rules.
Click 'Add' to create a new rule
You configure a firewall rule by defining the target traffic and the action you want to take on that traffic.
Traffic conditions include protocol, direction, source and destination address, and source/destination port.
If you are unsure about the settings in this area, we advise you first gain some background knowledge by reading 'Firewall Rules Explained' in the page How to create a custom firewall rule set in a Windows profile.
Note: Your choice here alters the choices available to you in the tab structure on the lower half of the interface.
Log as a firewall event if this rule is fired: Creates a firewall event log on the device whenever this rule is called into operation (i.e. when ALL conditions have been met). Default = Disabled.
Description: Type a friendly name for the rule. Name the rule by its intended purpose – e.g. 'Allow Outgoing HTTP requests'. If you create a friendly name, then this is shown instead of the full actions/conditions in the 'Global Rules' interface.
i. 'TCP', 'UDP' or 'TCP or UDP'
If you select 'TCP', 'UDP' or 'TCP or UDP' as the protocol, then you also have to set the source and destination addresses and ports:
IPv4 Single Address - Choose a single IPv4 address
Enter the IP address in the 'IP' text box, e.g., 192.168.200.113.
IPv4 Subnet mask - Choose an IPv4 network. IP networks can be divided into smaller networks called sub-networks (or subnets).
Enter the IP address and mask of the network.
Single IPv6 Address - Choose an IPv6 address
Enter the IP address in the 'IP' text box, e.g., 3ffe:1900:4545:3:200:f8ff:fe21:67cf.
IPv6 Subnet Mask - Choose an IPv6 network. IP networks can be divided into smaller networks called sub-networks (or subnets).
Enter the IP address and 'Mask' of the network in the respective fields
MAC Address - Choose a single source/destination by specifying its physical address
Enter the address in the 'MAC Address' text box.
Source and Destination Ports
Enter the first port number and last port number in the respective fields
A single port - Specify one port number
Enter the single port number in the 'Port' drop-down combo-box.
Any - Apply the rule to any port number - set by default, 0-65535.
ICMP (Internet Control Message Protocol) packets contain error and control information to announce network errors, congestion, timeouts, and to assist in troubleshooting. It is mainly used for traces and pings. Pinging is frequently used to perform a quick test before initiating communications.
If you select 'ICMP' as the protocol, then you also have to set the source and destination addresses and ICMP details. The source and destination addresses can be configured as explained above.
If you select 'IP' as the protocol, then you also have to set the source and destination addresses and IP details. The source and destination addresses can be configured as explained above.
IP Protocol - Select the type of IP protocol
Click OK in the 'Firewall Rule' dialog to add the rule to the ruleset
Repeat the process to add more firewall rules.
The rules are added to the list.
Click 'Save' in the 'Firewall' pane for your rules to take effect on the endpoints to which the profile is applied.