The core functionality of the Carbon Black Cloud Host-based Firewall comes from rule groups and the rules they contain. To create a rule group, perform the following procedure.

Prerequisites

Select the Default Rule.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Select the policy.
  3. Click the Host-based Firewall tab.
  4. Click Actions > Add Rule Group.
    1. Add a descriptive name to the new rule group. For example, FTP Rule Group.
    2. Add a description. This is optional but recommended.
    3. Add one or more rules to the rule group and rank them according to your environmental needs.
      Note: You must add at least one rule to a rule group before you can save the rule group. See Add Host-based Firewall Rules.
  5. In the Actions drop-down menu, choose the type of action for the rule group.
    • Allow
    • Block
    • Block and Alert
    A rule that is set to Block and Alert blocks the communication and issues an alert to the Alerts page.
    Note: The alert severity score displays only for the Block and Alert option. You can choose an alert severity score from level 1 to level 10, with level 10 being the highest alert severity. By default, the alert severity score is set at level 4.
  6. Click Save.
    Note: It can take up to 15 minutes for rules to update and begin enforcement on sensors.

What to do next

You can optionally add more rules to the rule group. Click the pencil icon next to the rule group on the Host-based Firewall tab to edit the rule group.

After you have finished adding rule groups, Enable the Host-based Firewall Sensor Setting.