Host Firewall

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Host Firewall

L3 Networker

Hello Team,


We intend to enable the Host Firewall feature in the Cortex XDR. Please give us a brief overview of how this feature works.




L3 Networker

Hi @RamyashreeMada,


The Host Firewall feature is able to control communications among your endpoints and gain additional visibility toward network connections. This is composed of user created rules that are enforced hierarchically and created through Host Firewall rule groups, profiles and policies.


Assuming the Host Firewall requirements and prerequisites are met, the feature works by:


  • Creating Host Firewall Rule Groups (Endpoints -> Host Firewall -> Host Firewall Rule Groups -> New Group) and defining your Firewall rules. This can include the platform, protocol, direction, action, local/remote IP address, etc.
  • Configuring an Extensions Profile and attributing the created rule group to your profile. Different rules can be attributed toward Internal and External rule groups depending on the devices location inside and outside the network
  • Configuring an Extensions Policy. This will allow you to select your created Host Firewall profile and enforce it toward a targeted group of endpoints
  • Monitor and Troubleshoot.  If Report Matching Traffic is enabled during rule creation, Host Firewall Events can be viewed under Endpoints -> Host Firewall -> Host Firewall Events. Cortex XDR Pro customers can also view these events under the “host_firewall_events” dataset in the XQL search.


Some additional Host Firewall resources:


Cortex XDR How-To Video: Host Firewall - How-To video on the topic of Host Firewall. This video walks through the creation of a Host Firewall rule alongside a demo.

Host Firewall documentation - Covers pre-requisites and an in-depth overview of Host Firewall creation on Windows and Mac.


L3 Networker

How will defining firewall rules be applicable for each system?

Do we need to define it for particular systems or will it be automatically applicable to all endpoints in the XDR?

You need to define it for particular endpoints. This is relevant at Step 3 (Configuring an Extensions Policy) of the workflow I mentioned. Once the Host Firewall Rule Groups are created along with an associated profile, the rules will be applied once selected in the Extensions Policy Creation and the targeted endpoints are established.



Is it a good idea to enable the XDR host firewall to manage all endpoint communication? or is it better to keep the default Mcafee Agent Firewall enabled without using the XDR firewall?


Can both be run simultaneously? Will there be any issues.  

  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!