Test your Host-based Firewall rules before you enforce them in a policy. A test run shows you which traffic a rule would affect, so you can correct the rule before it takes effect in your environment.

Prerequisites

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Select the policy.
  3. Click the Host-based Firewall tab.
  4. Expand the rule group that contains the rules to test.
  5. To the left of the rule, deselect the Status checkbox to disable the rule.
  6. To the right of the rule, click Test rule.
  7. To start testing, save the policy.

Results

Test data is generated on the Investigate page until you click Stop testing. An Investigate icon appears to the right of the rule; click it to view the test data associated with that rule.

During the test phase, the rule is disabled (step 5), so it is observed rather than enforced: any network traffic that the rule matches is reported on the Investigate or Alerts pages instead of being acted on. We recommend that you simulate the real-world actions that would trigger the rule. For example, if you create a rule to block access to FTP, attempt an FTP connection from a managed endpoint and check the Investigate page for the matching events. Use those results to identify problems with the rule's scope or direction and adjust the rule before you enforce it.
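A small traffic generator helps with the "simulate real-world actions" step: it makes the connection attempts you expect the rule to match and records a UTC timestamp and outcome for each, so the attempts can be lined up against the events the Investigate page shows for the rule. The following script is an added example, not part of the original page or of Carbon Black's own tooling. The target list is a constructed placeholder (ftp.example.internal is a hypothetical lab FTP server), and the mapping of a firewall block to "refused" versus "timeout" is an assumption that depends on whether the firewall rejects or silently drops.

```python
import datetime
import json
import socket

# Constructed test targets: (host, port, label). Replace with the hosts and
# ports your rule actually matches, e.g. a lab FTP server for a "block FTP" rule.
TEST_TARGETS = [
    ("ftp.example.internal", 21, "ftp-control"),   # hypothetical lab FTP server
    ("127.0.0.1", 21, "ftp-loopback"),
]


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome.

    Returns one of:
      "connected" - handshake completed (rule in test mode, or traffic not matched)
      "refused"   - RST received (nothing listening, or the firewall rejects)
      "timeout"   - no answer within `timeout` seconds (typical of a silent drop)
      "error"     - name resolution failed or another socket error occurred
    Whether an enforced block shows up as "refused" or "timeout" is an
    assumption: record the raw outcome and compare it with the Investigate page.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    finally:
        sock.close()


def run_probes(targets, timeout=3.0):
    """Probe each target once; return timestamped records for correlation
    with the events generated on the Investigate page."""
    records = []
    for host, port, label in targets:
        started = datetime.datetime.now(datetime.timezone.utc)
        outcome = probe_tcp(host, port, timeout)
        finished = datetime.datetime.now(datetime.timezone.utc)
        records.append({
            "label": label,
            "host": host,
            "port": port,
            "started_utc": started.isoformat(timespec="seconds"),
            "elapsed_ms": int((finished - started).total_seconds() * 1000),
            "outcome": outcome,
        })
    return records


def summarize(records):
    """Count outcomes so a run in test mode can be compared with a run after
    the rule is enforced."""
    counts = {}
    for rec in records:
        counts[rec["outcome"]] = counts.get(rec["outcome"], 0) + 1
    return counts


def self_check():
    """Validate the classifier on the endpoint itself before trusting results:
    a loopback listener must classify as "connected" and a closed loopback
    port as "refused"."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    listening = probe_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    closed = probe_tcp("127.0.0.1", port, timeout=2.0)
    return {"listening": listening, "closed": closed}


if __name__ == "__main__":
    print("self-check:", self_check())
    results = run_probes(TEST_TARGETS)
    print(json.dumps(results, indent=2))
    print("summary:", summarize(results))
```

Run it once while the rule is in test mode and again after you enforce the rule; the per-target outcomes should change only for the targets the rule is meant to affect, and each record's timestamp identifies the matching event on the Investigate page.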

Note: To reduce noise on the Investigate and Alert Triage pages, Carbon Black can limit the number of events associated with an alert that a specific Host-based Firewall rule generates. This limit will never be less than 100 events. For a noisy rule, the event count shown can therefore be lower than the number of connections the rule actually matched; treat it as a lower bound when judging the rule's impact.

What to do next