Using Windows environment variables in XDR Firewall

Reply
L3 Networker

Using Windows environment variables in XDR Firewall

Hello,

 

Configuring host firewall via XDR and I cannot seem to get the Windows environment variables running.

Basically, there's an implicit deny for inbound/outbound connections, so there are applications that require some internal/localhost connections that are blocked. Due to this specific allow rule for such an application has to be made - based on the application path. 

Specific application I'm talking about - Zoom. I've created rule that allows %USERPROFILE%\AppData\Roaming\Zoom\bin\Zoom.exe and %USERPROFILE%\AppData\Roaming\Zoom\bin\Zoom_launcher.exe, but this is not working and it can be seen in the Event Viewer that this app is being blocked by WFP by the implicit deny rule.

If adding specific host firewall rule with full path (C:\Users\<username>\AppData\Roaming\Zoom\bin\Zoom.exe - app is working as expected, but that does not cover all the user cases, as this path depends on the user logged into the computer.

Documentation says that it should be possible to user these environment variables: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-...

"Enter the full path and name of a program you want the rule to apply to. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change."

 

Has anyone tried adding such a rules and did it succeed, is there any trick behind this?

L3 Networker

Hi @nikoo ,

 

Everything that you're doing sounds correct to me. And the fact that you were successful using the absolute path on one occasion indicates that you indeed have an environment variable issue. One question, however, on the target endpoint, if you enter "echo %USERPROFILE%" does it return "C:\Users\<username>?" If they match, then you have a bug with Cortex XDR agent, which should go to Support. If not, your variable has to be adjusted.

--gjenkins
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!