To control communications between your endpoints and gain visibility into your network connections, enforce the Cortex XDR host firewall policy within your organization. Each host firewall policy is composed of unique rule groups, and these rule groups can be reused across all host firewall profiles. Cortex XDR host firewall rules integrate with the Windows Security Center and leverage the operating system firewall APIs to enforce these rules on your endpoints, but they do not enforce the operating system's own firewall settings. This high-level workflow guides you through configuring the Cortex XDR host firewall in your network.

  • Meet all host firewall requirements and prerequisites.
  • Create rules within rule groups – Create host firewall rule groups that can be reused across all host firewall profiles. To create an enforcement hierarchy, add rules to each group and prioritize them from the top.
  • Create a profile – Select one or more rule groups to create a host firewall enforcement profile, which you later associate with an enforcement policy. The profile can enforce different rules depending on whether the endpoint is inside or outside your organization's network. To create an enforcement hierarchy, prioritize the groups within the profile.
  • Add the host firewall profile to a policy that is enforced on the selected target endpoints.
  • Monitor and troubleshoot – View aggregated host firewall enforcement activity, or any single host firewall action the agent performed, within your network. Cortex XDR Pro customers can query host firewall event data using the new host_firewall_events dataset in XQL Search, which enables network analysis and reporting.

Migration and backward compatibility

Cortex XDR agents 7.1 and later support the host firewall. New capabilities were added in Cortex XDR 3.0 and Cortex XDR Agent 7.5. Existing host firewall policies and rules are migrated as follows:

  • Each host firewall profile that existed in Cortex XDR 2.9 is converted to a single rule group in Cortex XDR 3.0, listed on the Host Firewall Rule Groups page.
  • If an existing profile contains both internal and external rules, two groups are created: one for the internal rules and one for the external rules. Each rule name receives an internal or external suffix (for example, rule-x becomes rule-x-internal).
  • The Cortex XDR 3.0 host firewall includes new features, such as multiple IP addresses and reporting mode, that are supported only with Cortex XDR Agent 7.5 or later. Existing host firewall rules are not affected on older agent releases. However, if you add one of these parameters to a rule created in Cortex XDR 3.0, or modify an existing rule created in an earlier Cortex XDR release, an agent running an older release may behave unexpectedly and the rule is then disabled on that endpoint. For this reason, all migrated rules are configured not to report matched traffic, and their enforcement events are not listed in the Host Firewall Events table.

Install the Host Firewall

Configure your rule groups.

Create a Rules Group

You can group rules into rule groups, which you can reuse across all host firewall profiles. Each host firewall group contains one or more unique rules. Rules are enforced in their order of appearance in the group, starting at the top. Once you have created a rule group, you can assign it to a host firewall profile. You can edit, reprioritize, or disable a rule in a group, and the change is applied to all policies that include this group. To support this scalability, every rule in Cortex XDR has a unique ID and must belong to a group. You can also import firewall rules into Cortex XDR or export them as JSON.
  1. Create a group.

    Go to Endpoints > Host Firewall > Host Firewall Rule Groups and click +New Group in the upper bar.

  2. Fill in the general information.

    Enter the group name and, optionally, a description. Enable the group to enforce its rules in all policies it is associated with. If the group is Disabled, it remains defined but its rules are not enforced.

  3. Create rules in the rule group.

    To allow or block traffic at the endpoint, create rules within the rule group. To fine-tune your policy, you can use a variety of parameters such as applications, specific protocols, and services. Define the list of rules for each group. Each rule has a unique ID and can be associated with only one group:

    • A rule is always part of a group; it cannot stand alone.
    • A rule belongs to exactly one group and cannot be reused in multiple groups.

  4. Configure the rule settings.

    Host firewall rules allow or block communication to and from an endpoint. Enter the rule name and an optional description, and select the platforms the rule applies to.

    • Protocol – Select one of the 256 IP protocols:
      • Any
      • Custom
      • TCP
      • UDP
      • ICMPv4
      • ICMPv6

      After selecting one of the listed protocols or entering a protocol number, you can add protocol-specific parameters. For example, TCP (6) lets you set local and remote ports, while ICMPv4 (1) lets you specify the ICMP type and code.

      If you select an ICMP protocol, you must specify both the ICMP type and the ICMP code; otherwise the Cortex XDR agent on Windows and macOS ignores the rule.
    • Direction – Select the direction of communication the rule applies to: Outbound communication from the endpoint, Inbound communication to the endpoint, or both.
    • Action – Select whether to allow or block the communication at the endpoint.
    • Local/Remote IP Address – Configure the rule for specific IP addresses and/or ports. You can specify a single IP address, multiple IP addresses separated by spaces, a range of IP addresses separated by a hyphen, or a combination of these.
    • Windows Settings and/or macOS Settings – Depending on the platforms you selected, define the Application, Service, and Bundle IDs. Configure the rule for all applications/services, or for specific ones by entering the full path and name. If you use paths containing system variables, you must re-enforce the policy on the endpoint each time the directories or system variables change.
    • Report Matched Traffic – When enabled, enforcement events captured under this rule are reported to Cortex XDR periodically and displayed in the Host Firewall Events table, regardless of whether the rule is set to Allow or Block traffic. When this option is disabled, the rule is still enforced but its enforcement events are not reported.
  5. Save the rule.
    When all details are filled in, save the rule. Click Create another if you want to create a similar rule next; this saves the rule and keeps its parameters available for editing in the next one. To save the rule and exit, click Create.
  6. Prioritize rules.
    Rules in a group are enforced in priority order from the top, so the rule at the top of the group is enforced first. To change the enforcement order, click the priority number and drag the rule to the appropriate row. Repeat this for every rule you want to reprioritize.
  7. Save the group.
    When you are done, click Create.
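As an added illustration (not Cortex XDR's own code or export format), the following Python model applies the first-match semantics described above: groups in profile priority order, rules top-down within each group, disabled groups and rules skipped, the space-separated/hyphen-range address syntax, and ICMP rules requiring a type and code. The field names, the connection dictionary and the sample profile are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

def parse_ip_spec(spec: str) -> list:
    """Rule address syntax: single IPs and/or hyphen ranges, space separated."""
    out = []
    for lo, _, hi in (tok.partition("-") for tok in spec.split()):
        out.append((int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))))
    return out

@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "block"
    direction: str = "both"           # "inbound", "outbound" or "both"
    protocol: Optional[int] = None    # IP protocol number; None = Any
    remote_ips: str = ""              # empty = any remote address
    local_ports: set = field(default_factory=set)  # empty = any port
    icmp: Optional[tuple] = None      # (type, code); required for ICMPv4(1)/ICMPv6(58)
    enabled: bool = True
    report: bool = False              # "Report Matched Traffic"

    def matches(self, conn: dict) -> bool:
        n = int(ipaddress.ip_address(conn["remote_ip"]))
        ranges = parse_ip_spec(self.remote_ips)
        return (self.enabled
                and self.direction in ("both", conn["direction"])
                and self.protocol in (None, conn["protocol"])
                and (not ranges or any(lo <= n <= hi for lo, hi in ranges))
                and (not self.local_ports or conn.get("local_port") in self.local_ports)
                and (self.protocol not in (1, 58) or conn.get("icmp") == self.icmp))

def evaluate(profile: list, conn: dict):
    """First match wins: groups in profile order, rules top-down in each group."""
    for _name, group_enabled, rules in profile:
        for rule in (rules if group_enabled else []):
            if rule.matches(conn):
                return rule.name, rule.action, rule.report
    return None  # nothing matched: the endpoint's default behaviour applies

# Constructed sample profile (hypothetical, not a Cortex XDR export): two prioritized groups.
PROFILE = [
    ("remote-admin", True, [
        Rule("allow-rdp-jumphost", "allow", "inbound", 6, "10.0.0.5", {3389}, report=True),
        Rule("block-rdp-other", "block", "inbound", 6, "", {3389}),
    ]),
    ("icmp", True, [Rule("block-echo-req", "block", "inbound", 1, "", icmp=(8, 0))]),
]
```

Because the first group's specific allow rule sits above its general block rule, only the listed address reaches port 3389, and only that rule reports its matches.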

Manage Rules Groups

You can perform additional actions after creating a group. Go to Endpoints > Host Firewall > Host Firewall Rule Groups and select a group:

  • View group data – View details about each rule group in your organization in the Host Firewall Rule Groups table. The table shows high-level information such as the group name, mode, and number of rules. Click the expand icon to view all rules in the group and all profiles associated with it.
  • Edit group – Right-click the group to edit its settings.
  • Delete/Disable – To stop the group from enforcing its rules, right-click the group and select Delete or Disable. The group is removed from all profiles associated with it at the next heartbeat.
  • Import/Export group rules – Import or export the group's rules as a JSON file. Right-click and select Import or Export.

Manage Rules

Once you have created a host firewall rule and assigned it to a rule group, you can manage and enforce its settings as follows:

  • View/Edit – Right-click the rule to view it or edit its parameters.
  • Modify priority – Change the rule's priority within the group by moving its row up or down the rules list.
  • Delete/Disable – To stop the rule from being enforced, right-click the rule and choose Delete or Disable. The rule is disabled in all profiles that include this group.
