topic XDR agent based firewall for locking down communication between DC's&SCCM in Cortex XDR Discussions

XDR agent based firewall for locking down communication between DC's&SCCM

DmitriPoberejnii — Fri, 14 Aug 2020 05:17:56 GMT

Hello everyone,

We are looking to implement agent based firewall rules to lock down the communication between DC's and SCCM servers we have 20+ of each and I am wondering what is the most feasible way of doing that? User Guide has pretty much no guidance on anything FW related. Any suggestions would be appreciated.

Re: XDR agent based firewall for locking down communication between DC's&am

dfalcon — Mon, 17 Aug 2020 19:08:17 GMT

Hi @DmitriPoberejnii-

The Cortex XDR host-based firewall is IP/port/protocol based as you would find in Windows Firewall. You would have to create entries for the IP's (IPv4 or IPv6) along with the port/protocol information to create the restrictions or allow lists. You would do this under Endpoints > Policy Management > Extensions > Profiles > New Profile > Host Firewall. Once created and saved, you would then apply the entries in your Host Firewall extension profile to an extension policy rule.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/hardened-endpoint-security/host-firewall.html

Re: XDR agent based firewall for locking down communication between DC's&am

DmitriPoberejnii — Mon, 17 Aug 2020 19:35:54 GMT

Thank you for trying to help here, unfortunately I cant call it a solution for a few reasons: 1) this document was reviewed prior to posting the question here and it is not complete for many reasons 2) It is not apples to apples comparison with Windows firewall. One example of that would be inability to list IP's in the rules using comma, only ranges or individual IP's. I hope Engineering would change that at some point soon.