Which one is better between Cortex XDR host firewall and Windows firewall?


L2 Linker

Hi All,

 

Is it a good idea to enable the XDR host firewall to manage all endpoint communication? Or is it better to keep the default Windows firewall enabled without using the XDR firewall?

I would be happier if someone suggests any article/documentation links which show a comparison between the XDR firewall and Windows firewall in terms of features.

As per my understanding, the XDR firewall is better than the Windows firewall, but managing firewall rules is a bit difficult as it doesn't come with any default rules like the Windows firewall. Please correct me if I'm wrong.

What would be the best approach to tackling this situation?

 

Thanks in Advance!!

 

Cortex XDR 

 


Accepted Solutions

L6 Presenter

Maybe just ask the Palo Alto XDR team to do a live demo and you could ask them for a comparison between the Windows native firewall and the XDR agent one.

As pluses to the XDR host firewall, I will say that it supports enforcing different rules based on whether the user is in the office/corporate network or outside, and that you have single management for not only Windows workstations but also Mac and Linux. If you have users with different devices, then you will manage the Windows firewall from Active Directory with GPO and the Mac firewall with a tool like Jamf Pro etc., so it becomes complex. Also, if you have or plan to have other Palo Alto products like Palo Alto XSOAR and Palo Alto NGFW or Palo Alto Prisma Cloud with Defender Firewall, then for example there are automations where, when the XDR behavioral analytics or the NGFW see bad traffic to a destination, the XSOAR playbook may also automatically create a Host Firewall rule that blocks the traffic to this destination for the XDR agents and the Prisma Cloud Defender Firewall (basically similar to the XDR agent and host firewall on your workstations, but the Prisma Cloud Defender agent and its firewall are more for servers/containers and Kubernetes defense). XSOAR also works with third-party systems, but with Palo Alto it just has more options, features and premade playbook automation scripts.

 

 

---------

 

 

Configure Internal and External Rule Groups.

To apply location based host firewall rules, you must first enable network location configuration in your Agent Settings Profile. When enabled, Cortex XDR enforces the host firewall rules based on the current location of the device within the internal organization network (Internal Rules), enabling you for example to enforce more strict rules when the device is outside the office and in a public place (External Rules). If you disable the Location Based option, your policy will apply the internal set of rules only, and that will be applied to the device regardless of its location.
 
 
 
----------------

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-...

 

 

 

 

Edit:

I also forgot to add that the Palo Alto XDR policies can be attached based on AD user and AD group as targets, and this is something I do not know if it is possible for the Windows firewall: to be attached not only based on machine groups but also AD groups or AD users. For Microsoft Defender, which uses the Windows firewall, there was just the option to assign the protections based on machine attributes and not AD user/group.

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/defin...

 

L5 Sessionator

Hi @MithunKT,

Once you use the Cortex XDR agent host firewall, the Windows firewall would be disabled by the agent, as the agent will use the same API as the Windows firewall.

 

 

L6 Presenter

If you managed to get the needed answers, please flag the question as answered.

L1 Bithead

I am not a current XDR user, but am looking at it as a replacement for Trend Deep Security. The accepted solution implies that XDR provides a firewall for Linux endpoints, but then goes on to talk about the solution providing a better alternative to managing Windows and Mac Firewalls separately, with no mention of the Linux Firewall. It is my understanding that Cortex XDR does not provide a Linux endpoint firewall and there is no roadmap to do so. Please can someone correct me if I am wrong. I realize that this comment does not answer the question in any way, but the following might: I absolutely agree that managing the firewall using a better tool than Microsoft's GPO is desirable, however again the accepted solution implies that a GPO cannot be applied based on Active Directory Group membership. This is not strictly accurate, although I will admit it is a highly challenging undertaking. I would recommend using the Cortex XDR Firewall instead of the Windows Firewall, purely to simplify your operations.

Hi @trevor_debeer,

The query was associated with a comparison between the XDR agent host firewall and the Windows native firewall. As per the accepted solution, it implies that Cortex XDR gives you one fold and single management location for hardening your endpoint network layer security for both Windows and macOS endpoints. Managing via GPOs is definitely a big challenge, and the accepted solution just gave a reference whether it is easy and completely doable based on AD objects. For Linux-based host firewall, we have another product in our cloud security line, Prisma Cloud, which gives you that capability for Linux boxes. Hope that answers your query.

Regards

On your query about Linux endpoint-based host firewall, we do not have the feature to perform host firewall for Linux, as Linux protection works on iptables. Not sure if it is currently in the roadmap or not. However, you can definitely run commands to take live terminal or run endpoint scripts to manage/create iptables rules on the Linux endpoints using Cortex XDR.

L3 Networker

@trevor_debeer, in addition to NeelRohit's answer, XDR supports endpoint isolation on Linux hosts, which uses iptables. XDR is capable of managing iptables but currently does not support managing rule sets via the XDR management console.

Many thanks for this answer - it certainly clarifies for me how one would implement a comprehensive security strategy using the Palo Alto product set. I will definitely be looking at implementing Prisma for the network segmentation requirements and Cortex XDR for real-time operational security. The combination of both products will certainly meet our needs to provide all the functionality we currently use Trend Deep Security for.
