Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Using Windows environment variables in XDR Firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using Windows environment variables in XDR Firewall

L3 Networker

Hello,

 

Configuring host firewall via XDR and I cannot seem to get the Windows environment variables running.

Basically, there's an implicit deny for inbound/outbound connections, so there are applications that require some internal/localhost connections that are blocked. Due to this specific allow rule for such an application has to be made - based on the application path. 

Specific application I'm talking about - Zoom. I've created rule that allows %USERPROFILE%\AppData\Roaming\Zoom\bin\Zoom.exe and %USERPROFILE%\AppData\Roaming\Zoom\bin\Zoom_launcher.exe, but this is not working and it can be seen in the Event Viewer that this app is being blocked by WFP by the implicit deny rule.

If adding specific host firewall rule with full path (C:\Users\<username>\AppData\Roaming\Zoom\bin\Zoom.exe - app is working as expected, but that does not cover all the user cases, as this path depends on the user logged into the computer.

Documentation says that it should be possible to user these environment variables: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-...

"Enter the full path and name of a program you want the rule to apply to. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change."

 

Has anyone tried adding such a rules and did it succeed, is there any trick behind this?

1 REPLY 1

L4 Transporter

Hi @nikoo ,

 

Everything that you're doing sounds correct to me. And the fact that you were successful using the absolute path on one occasion indicates that you indeed have an environment variable issue. One question, however, on the target endpoint, if you enter "echo %USERPROFILE%" does it return "C:\Users\<username>?" If they match, then you have a bug with Cortex XDR agent, which should go to Support. If not, your variable has to be adjusted.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw
  • 2757 Views
  • 1 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!