Importing Firewall Rules Via Group Policy


Derlin


We recently started rolling out Endpoint Security. We were having some trouble running various tools leveraging RPC/WMI with the default rules, even though they worked fine under Windows Firewall. If I manually create rules locally or in the Remote Administration, I can get it to work, but I don't like ERAS since it forces me to lock users out of locally modifying rules if necessary. Since Windows Firewall worked, I tried the option to import the rules. That didn't work either, so I manually recreated Windows Firewall rules matching what was already there. That did work. Finally, I tried adding these rules to our Group Policy for Windows Firewall. These successfully applied, but Endpoint Security fails to read these rules. Can I change ES to read rules enforced by Group Policy, or is it limited to only local rules? The context sensitive help is not clear if this is an actual limitation.


  • Administrators

Endpoint can be configured either locally or via ERA. There are no other options for security reasons. With ESMC (ERA v7), it will be possible to keep user-defined rules and append or prepend rules from ESMC:


As for honoring Windows Firewall rules, there's an option "Also evaluate rules from Windows Firewall". If enabled, all permissive rules from Windows Firewall will be honored. Note that blocking rules from Windows Firewall are not applied.
Important note: This doesn't work for firewall rules defined via GPO. The API we use returns only local rules. Rules defined by GPO are stored in the registry and their format may change over time.


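The reply above hinges on the difference between rules that live in the local firewall store and rules delivered by Group Policy. The following PowerShell is an added example, not ESET's code and not something posted in this thread; it assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated session. It lists the effective rule set by origin, pulls out the enabled allow rules that exist only because of a GPO, and counts the values in the two registry locations where the local and GPO rule sets are persisted (those key paths are standard Windows locations, not something this thread states).

```powershell
# Added example (not ESET's or the forum author's code): split the effective
# Windows Firewall rule set by origin, so you can see which rules are local
# (the only ones a local-rules-only consumer such as the "Also evaluate rules
# from Windows Firewall" option can read) and which were pushed by Group Policy.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module). Run elevated.

# ActiveStore = the merged, currently enforced rule set (local + GPO).
$effective = Get-NetFirewallRule -PolicyStore ActiveStore

# PolicyStoreSourceType records where each rule originated (Local, GroupPolicy, ...).
$bySource = $effective | Group-Object -Property PolicyStoreSourceType

"Effective firewall rules by origin:"
$bySource | ForEach-Object { "  {0,-12} {1,5}" -f $_.Name, $_.Count }

# Rules that exist only because of Group Policy. These are the ones the reply
# says are not returned by the local-rules API; the GPO name is in PolicyStoreSource.
$gpoRules = $effective | Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' }

"`nEnabled allow rules delivered by Group Policy:"
$gpoRules |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Direction = $_.Direction
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            GPO       = $_.PolicyStoreSource
        }
    } | Format-Table -AutoSize

# Cross-check against the registry locations the two stores are persisted in.
# Local rules live under SharedAccess\Parameters\FirewallPolicy; GPO-delivered
# rules under SOFTWARE\Policies. The value format is undocumented and may change,
# which is the caveat the reply gives for not parsing it directly.
$localKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$gpoKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
foreach ($k in $localKey, $gpoKey) {
    if (Test-Path $k) {
        $count = @((Get-Item $k).Property).Count
        "{0,5} rule values under {1}" -f $count, $k
    } else {
        "    0 rule values under {0} (key absent)" -f $k
    }
}
```

If the second table is non-empty on a machine where the ESET option is enabled, those are exactly the rules the option will not pick up; recreating them as local rules (as the original poster did) or as ESET policy rules is what makes them effective.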

This is informative. I look forward to ERA v7 and possibly any updates that honor GPO applied rules in the future.

The current context help for the "Also evaluate rules from Windows Firewall" does not explain that rules defined by GPO will not be evaluated. Could the context help and web help be updated in a future version to clarify this? Neither clearly makes this distinction.

For my current situation, are there workarounds I could be missing? The utilities initiate a connection over port 135, and the "Allow incoming RPC communication in the Trusted Zone" is enabled, as are all the default rules. This part works okay. Then, the tools (per Microsoft's description) negotiate a new random port in a given range. This is the part where Endpoint Security blocks the connection without extra rules. Are there additional presets I could use for this?

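The "given range" the post refers to is the host's RPC dynamic port range, which is what any extra rule has to cover once the port-135 endpoint-mapper exchange has finished. The following PowerShell is an added example, not from this thread and not ESET's code; it shows how to read that range on a host and models a least-privilege Windows Firewall rule for it, scoped to a management subnet (the `10.0.0.0/24` value is a placeholder) and to the listening service. The ESET firewall is configured through its own UI or ERA policy rather than these cmdlets, so the point of the example is to know exactly what range and scope such a rule needs. Run it elevated; `-WhatIf` is set so nothing is created until you remove it.

```powershell
# Added example (not from the forum thread or ESET): find the dynamic port
# range RPC servers use after the TCP 135 endpoint-mapper handshake, and model
# a tightly scoped Windows Firewall allow rule for it. Run elevated.

# 1. The RPC dynamic port range. On Windows Vista / Server 2008 and later the
#    default is TCP 49152-65535. It can be narrowed host-wide with
#    'netsh int ipv4 set dynamicport tcp start=<first> num=<count>', which
#    shrinks the range a firewall rule has to open.
"Current IPv4 dynamic TCP port range:"
netsh int ipv4 show dynamicport tcp

# 2. Placeholder management subnet; replace with the real admin network.
$mgmtSubnet = '10.0.0.0/24'

# 3. Windows Firewall understands the port keywords RPCEPMap (the endpoint
#    mapper on 135) and RPC (the dynamic range), so the rule tracks the range
#    instead of hard-coding port numbers. Restricting by remote address, profile
#    and service keeps the opening limited to what the admin tools need.
New-NetFirewallRule -DisplayName 'Remote Admin - RPC Endpoint Mapper (mgmt only)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPCEPMap `
    -RemoteAddress $mgmtSubnet -Profile Domain -Service rpcss -WhatIf

# WMI is served by the winmgmt service inside svchost.exe; scoping the dynamic
# range rule to that service means other RPC servers stay unreachable from outside.
New-NetFirewallRule -DisplayName 'Remote Admin - RPC Dynamic Ports (mgmt only)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPC `
    -RemoteAddress $mgmtSubnet -Profile Domain `
    -Program '%SystemRoot%\system32\svchost.exe' -Service winmgmt -WhatIf
```

Whatever firewall enforces the rule, the same three constraints (source subnet, profile, and the specific service or program) are what keep "allow the dynamic range" from becoming "allow every high port from anywhere".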

  • Administrators

You can disable ESET's firewall and continue using Windows firewall. The firewall will not evaluate rules, yet it will continue protecting computers from bots and malicious network communication.

