When you enter a Host-based Firewall rule, use the following parameters.

IP Addresses

  • Only IPv4 addresses are allowed of the type xxx.xxx.xxx.xxx where each xxx is from 0-255.
  • Wildcard value of * is allowed to indicate all values.
  • CIDR values such as 192.168.1.0/24 are allowed.
  • Single IP addresses are allowed. For example, 192.168.1.5.
  • Single IP addresses with subnet ranges are allowed. For example, 10.10.1.100-10.10.1.150.
  • You can specify only one CIDR or one single IP address. Comma-separated IP addresses are not allowed.

Ports

  • Port number must be between 0 and 65535 (boundary values included).
  • Wildcard value of * is allowed to indicate all values.
  • Single port values are allowed; for example, 8050.
  • Port ranges are allowed; for example, 4000-5000. The start value must be smaller than the end value.
  • Multiple individual port values and port ranges can be specified, separated by a comma. For example, 8080, 443, 5000-6000, 9000-9050.

Application Paths

  • Maximum allowed application path length is 4096 characters.
  • Wildcard value * is allowed to indicate all values.
  • The following path name characters are not allowed:
    " * :
    < > ?
    | / %
  • If a path contains no pathname separators (backslash) and has no extension, it is considered a valid base name. For example, system or registry.
  • Path cannot end with a . or a whitespace.
  • Paths starting with drive letters are supported. For example, c:\test.exe.
  • DOS device paths are allowed. For example, \\?\globalroot\device\hardiskvolume1.
  • DOS GUID namesare allowed. For example, \\?\Volume{34b06610-97bc-4d11-b040-5c8a7bff1f41}\.
  • Alternate Data Stream (ADS) names are allowed. See File Streams.
  • UNC device paths are allowed.
  • Windows environment variables such as %System% are not allowed.

Host-based Firewall application path names must be honored by the Windows Filtering Platform (WFP). For example, the following paths are valid:

  • c:\example.txt
  • \\server-name\share-name\example.txt
  • \\server-ip\share-name\example.txt
  • \\?\globalroot\device\harddiskvolume1\example.txt
  • \\?\Volume{34b06610-97bc-4d11-b040-5c8a7bff1f41}\example.txt

Location aware firewall rules

You can use profiles with Host-based firewalls to provide location awareness. When using profiles, Carbon Black Cloud assigns separate security policies for each location or type of network connection:
  • Public - Open wifi networks, such as coffee shops or airports.
  • Private - User-assigned profile. Used to designate private or home networks.
  • Domain - By default, the domain profile applies to networks where the Windows device can authenticate to the domain controller. The domain profile is configured via the group policy corporate url.
You can select more than one profile per rule or rule group. When multiple profiles are selected, the active security policy is determined by the current network profile of the adapter on the device.
Note: The definitions of these networks types are based on the Windows firewall definitions. For more information on how Windows defines these network connections, see Firewall and network protection in Windows Security.

Rule and Rule Group Names

The maximum allowed length is 128 characters.

Rule Group Description

The maximum allowed length is 1024 characters.

Alert Severity

The alert severity score only displays for the Block and alert option in a rule group. You can choose an alert severity score between level 1 to level 10, with level 10 being the highest alert severity. By default, the alert severity score is set at level 4.