How to Manage a Host Firewall with CrowdStrike

Introduction

This document and video demonstrate how CrowdStrike Falcon can manage the native OS host firewall. Using the existing Falcon agent and cloud-based platform, this option gives companies centralized management of enterprise firewall features on the endpoint without deploying another agent.

Video


How are firewall rules defined?

In the CrowdStrike UI under "Configuration", there is an option for "Firewall Rule Groups". From that screen, you can edit an existing group or choose "Create rule group".

[Screenshot: firewall new rule group]

For each newly created group, there is an option to clone an existing group or start from an empty one. As new firewall rules are added to the group, each rule gets a name and description along with its configuration details: network direction (inbound or outbound), protocol, and the local and remote addresses and ports it applies to.

[Screenshot: firewall new rule]

For each rule, there is an option to specify a network profile. This location-awareness feature ensures a rule applies only in the intended circumstances, for example when the user is on an internal network where the domain is reachable (the Windows Domain profile) versus on a Private or Public network. A rule scoped to the Domain profile will not apply while the host is on a home or hotel network, so the host's current profile is the first thing to check when a rule does not appear to take effect.

[Screenshot: firewall network profile]

CrowdStrike also looks beyond simple network tuples and can enforce rules based on the process that originates the traffic. This gives administrators more granular control over how and when rules apply: the same port and destination can be allowed for one application and blocked for every other.

[Screenshot: firewall process]

How are firewall rules incorporated into policies?

Once the rule groups are created and enabled, they can be added to a firewall policy. Creating a new policy is much like creating a new rule group: upon creating a new policy, there is an option to clone an existing policy or start with a blank slate.

[Screenshot: firewall new policy]

Once the policy has been created, you can assign rule groups to that policy. Only rule groups that are enabled take effect through the policy.

[Screenshot: firewall rule groups]

In both policies and rule groups, you have the option to edit the order of precedence. Because more than one rule can match the same connection, this order determines which rule takes effect, so review it whenever a group is added or a rule is changed.

[Screenshot: firewall precedence]

How are firewall policies deployed to endpoints?

Before assigning host groups, confirm that the policy is enabled and set to the intended mode. A policy can be in enforcement mode or monitor mode. Enforcement mode is required for Falcon to register as the firewall provider on the endpoint; a policy in monitor mode, or a policy that is not enabled, will not take over the host firewall.

[Screenshot: firewall policy settings]

Host groups can be added to the policy under the "Assigned Host Groups" tab.

[Screenshot: firewall add host groups]

Once an enabled policy has been deployed to the endpoint, the Windows Firewall settings page should report that the firewall is being managed by a vendor application (Falcon), with a status message like the one below. Host firewall management was available for Windows only at the time of writing.

[Screenshot: firewall enforce on windows]
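The screenshot above is what an administrator sees in the Windows UI. The following script is an added example (not from the CrowdStrike article or the Falcon product) of checking the same thing from an elevated PowerShell session on the endpoint: the host's current network profile (which decides whether profile-scoped rules apply), the state of the native firewall profiles, whether Windows Security Center lists Falcon as the registered firewall provider, and whether the sensor service is running. It assumes the provider display name contains "CrowdStrike" or "Falcon" and that the sensor service is named CSFalconService; adjust both if your tenant differs.

```powershell
# Added example, not from the CrowdStrike article or Falcon product: post-deployment
# check of a Falcon-managed host firewall. Run in an elevated PowerShell session on
# the Windows endpoint after the policy has been assigned.
# Assumptions: provider display name matches 'CrowdStrike|Falcon'; sensor service
# is named CSFalconService.

function ConvertFrom-ProductState {
    param([uint32] $State)
    # Bits 12-15 of SecurityCenter2 productState are widely observed to hold the
    # enabled flag (1 = on, 0 = off). This is observed behaviour, not a documented
    # contract, so treat it as a hint and trust the Windows Firewall UI if they differ.
    $enabled = ((($State -shr 12) -band 0xF) -eq 1)
    [pscustomobject]@{ Hex = ('0x{0:X6}' -f $State); Enabled = $enabled }
}

function Test-FalconFirewallProvider {
    # 1. Which profile is each connected interface in? Rules scoped to Domain,
    #    Private or Public only apply while the interface is in that category.
    Write-Host "== Network connection profiles =="
    Get-NetConnectionProfile |
        Select-Object Name, InterfaceAlias, NetworkCategory | Format-Table -AutoSize

    # 2. The native firewall profiles must still be enabled: Falcon manages the
    #    Windows firewall rather than replacing it.
    Write-Host "== Windows Firewall profiles =="
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
        Format-Table -AutoSize

    # 3. Registered firewall products. The root/SecurityCenter2 namespace exists on
    #    client editions of Windows; on Windows Server it is absent, so fall back to
    #    the firewall UI and the sensor service check below.
    Write-Host "== Security Center firewall providers =="
    $providers = Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName FirewallProduct -ErrorAction SilentlyContinue
    foreach ($p in $providers) {
        $state = ConvertFrom-ProductState -State ([uint32]$p.productState)
        "{0,-40} state={1} enabled={2}" -f $p.displayName, $state.Hex, $state.Enabled
    }

    # Only an enabled policy in enforcement mode registers Falcon here.
    $falcon = $providers | Where-Object { $_.displayName -match 'CrowdStrike|Falcon' }
    if ($falcon) {
        Write-Host "Falcon is registered as a firewall provider: $($falcon.displayName)"
    } else {
        Write-Warning ("Falcon is not registered as a firewall provider. Confirm the policy " +
            "is enabled, in enforcement mode, and assigned to a host group containing this host.")
    }

    # 4. The sensor itself must be running for any policy to reach the host.
    Write-Host "== Falcon sensor service =="
    Get-Service -Name CSFalconService -ErrorAction SilentlyContinue | Select-Object Name, Status
}

Test-FalconFirewallProvider
```

If the provider list is empty but the firewall UI shows Falcon in control, the host is likely a Windows Server edition without the SecurityCenter2 namespace; the service and profile checks still apply there.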

How can firewall rules be tested?

For each firewall rule, there is an option to enable "Watch Mode", which reports rule matches in the Falcon UI. Because a broad rule can match a very large volume of traffic, Watch Mode is recommended only for critical rules and for troubleshooting, and should be turned off again once the rule is confirmed to behave as intended.

[Screenshot: firewall watch mode]

With "Watch Mode" enabled, any connection that matches the rule is listed in the "Activity" app under "Firewall Events".

[Screenshot: firewall events]
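Watch Mode shows matches only for traffic that actually occurs, so testing a rule means deliberately generating a connection that should match it and then checking both the endpoint's view and Firewall Events. The script below is an added example (not from the CrowdStrike article) that attempts a TCP connection with a bounded timeout, records the originating process (process-scoped rules match on that binary), and reports whether the connection was dropped, refused or allowed. The rule it exercises is hypothetical: an outbound block for TCP port 23 to a host 10.0.0.50 that you control and that normally accepts the connection. Use a destination that is reachable without the rule; a timeout to an address that is unreachable anyway proves nothing about the rule.

```powershell
# Added example, not from the CrowdStrike article: generate traffic that should match
# a Falcon firewall rule, so the match appears under Activity > Firewall Events while
# Watch Mode is on, and report from the endpoint whether the connection was blocked.
# Hypothetical rule under test: outbound block, TCP/23, remote address 10.0.0.50.

function Test-OutboundRule {
    param(
        [Parameter(Mandatory)] [string] $Destination,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Destination, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # A silent drop shows up as a timeout. The timestamp below lets you
            # correlate this attempt with the Firewall Events entry in the Falcon UI.
            $result = 'Timeout (consistent with a drop rule)'
        } else {
            $client.EndConnect($async)
            $result = 'Connected (rule did not block this traffic)'
        }
    } catch {
        # An active reject, or a rule that resets the connection, lands here.
        $result = "Refused/error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        Time        = (Get-Date).ToUniversalTime().ToString('u')
        Source      = (Get-Process -Id $PID).Path   # process-scoped rules match on this binary
        Destination = $Destination
        Port        = $Port
        Result      = $result
    }
}

# Exercise the hypothetical rule, then a control port the rule should not touch.
# The control connection must succeed; if it also times out, the problem is reachability,
# not the rule.
Test-OutboundRule -Destination '10.0.0.50' -Port 23
Test-OutboundRule -Destination '10.0.0.50' -Port 443
```

Note that the Source field will be the PowerShell host binary. If the rule is scoped to a different process (for example, a specific application), run the connection attempt from that application instead, or Watch Mode will correctly show no match.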

Closing

CrowdStrike enables companies to manage native OS firewall capabilities through the cloud-native Falcon UI. The solution delivers central management of enterprise features, including process-based rule enforcement and location awareness, through the single existing Falcon agent, with no additional agent to deploy and no additional performance impact.
