08-20-2022 12:31 AM
Hi All,
Is it a good idea to enable the XDR host firewall to manage all endpoint communication? Or is it better to keep the default Windows firewall enabled without using the XDR firewall?
I would be happier if someone could suggest any article/documentation links which show a comparison between the XDR firewall and the Windows firewall in terms of features.
As per my understanding, the XDR firewall is better than the Windows firewall, but managing firewall rules is a bit difficult as it doesn't come with any default rules like the Windows firewall. Please correct me if I'm wrong.
What would be the best approach to tackling this situation?
Thanks in Advance!!
08-21-2022 02:31 AM - edited 08-29-2022 09:34 AM
Maybe just ask the Palo Alto XDR team to do a live demo, and you could ask them for a comparison between the Windows native firewall and the XDR agent one.
As pluses of the XDR host firewall, I will say that it supports enforcing different rules based on whether the user is in the office/corporate network or outside, and that you have single management not only for Windows workstations but also Mac and Linux. If you have users with different devices, then you will manage the Windows firewall from Active Directory with GPO and the Mac firewall with a tool like Jamf Pro etc., so it becomes complex. Also, if you have or plan to have other Palo Alto products like Palo Alto XSOAR and Palo Alto NGFW or Palo Alto Prisma Cloud with Defender Firewall, then, for example, automations are possible like: when the XDR behavioral analytics or the NGFW see bad traffic to a destination, the XSOAR playbook may automatically also create a Host Firewall rule that blocks the traffic to this destination for the XDR agents and the Prisma Cloud Defender Firewall (basically similar to the XDR agent and host firewall on your workstations, but the Prisma Cloud Defender agent and its firewall are more for servers/containers and Kubernetes defense). XSOAR also works with 3rd party systems, but with Palo Alto it just has more options, features and premade playbook automation scripts.
---------
Edit:
I also forgot to add that the Palo Alto XDR policies can be attached based on AD user and AD group as targets. This is something I do not know if it is possible for the Windows firewall, to be attached not only based on machine groups but also AD groups or AD users, as for Microsoft Defender, which uses the Windows firewall, there was just the option to assign the protections based on machine attributes and not AD user/group.
08-21-2022 06:25 AM
Hi @MithunKT,
Once you use the Cortex XDR agent host firewall, the Windows firewall will be disabled by the agent, as the agent uses the same API as the Windows firewall.
10-13-2022 02:21 PM
If you managed to get the needed answers, please flag the question as answered.
12-29-2022 11:38 PM
I am not a current XDR user, but am looking at it as a replacement for Trend Deep Security. The accepted solution implies that XDR provides a firewall for Linux endpoints, but then goes on to talk about the solution providing a better alternative to managing Windows and Mac Firewalls separately, with no mention of the Linux Firewall. It is my understanding that Cortex XDR does not provide a Linux endpoint firewall and there is no roadmap to do so. Please can someone correct me if I am wrong. I realize that this comment does not answer the question in any way, but the following might: I absolutely agree that managing the firewall using a better tool than Microsoft's GPO is desirable, however again the accepted solution implies that a GPO cannot be applied based on Active Directory Group membership. This is not strictly accurate, although I will admit it is a highly challenging undertaking. I would recommend using the Cortex XDR Firewall instead of the Windows Firewall, purely to simplify your operations.
12-29-2022 11:49 PM
Hi @trevor_debeer,
The query was about a comparison between the XDR agent host firewall and the Windows native firewall. As per the accepted solution, it implies that Cortex XDR gives you a single, unified management location for hardening your endpoint network layer security for both Windows and macOS endpoints. Managing via GPOs is definitely a big challenge, and the accepted solution just gave a reference as to whether it is easy and completely doable based on AD objects. For Linux-based host firewall, we have another product in our cloud security line, Prisma Cloud, which gives you that capability for Linux boxes. Hope that answers your query.
Regards
On your query about a Linux endpoint-based host firewall: we do not have the feature to perform host firewall for Linux, as Linux protection works on iptables. Not sure if it is currently in the roadmap or not. However, you can definitely run commands via Live Terminal or run endpoint scripts to manage/create iptables rules on the Linux endpoints using Cortex XDR.
12-30-2022 01:34 AM
@trevor_debeer, in addition to NeelRohit's answer, XDR supports endpoint isolation on Linux hosts, which uses iptables. XDR is capable of managing iptables, but it does not currently support managing rule sets via the XDR management console.
01-02-2023 11:09 PM - edited 01-02-2023 11:09 PM
Many thanks for this answer - it certainly clarifies for me how one would implement a comprehensive security strategy using the Palo Alto product set. I will definitely be looking at implementing Prisma for the network segmentation requirements and Cortex XDR for real-time operational security. The combination of both products will certainly meet our needs to provide all the functionality we currently use Trend Deep Security for.