
11/6/2020 Falcon Firewall Management | Documentation | Support | Falcon

CROWDSTRIKE CONFIDENTIAL
Falcon Firewall Management

Contents:

Overview
Before you begin
Requirements
Understanding Falcon Firewall Management
Implementation overview
Managing your firewall rules and rule groups
Getting to your firewall rule groups and rules
Creating a new firewall rule group
Editing a firewall rule group’s basic info
Creating a new firewall rule
Editing a rule
Firewall rule dialog fields
Firewall Rule ID and versions 
Firewall rules precedence
Enabling or disabling firewall rule groups and rules
Deleting firewall rule groups and rules
Viewing a firewall rule group’s assigned firewall policies
Auditing firewall rule and rule group changes
Managing your firewall policies
About Falcon policies
Getting to your firewall policies
Creating a new firewall policy
Assigning firewall rule groups to a firewall policy
Editing firewall rule group precedence in a firewall policy
Removing a firewall rule group from a firewall policy
Configuring firewall policy settings
Firewall Default Policy
Editing firewall policy precedence 
Seeing the order firewall rules are applied in a firewall policy
Assigning host groups to firewall policies
Enabling or disabling a firewall policy
Deleting a firewall policy
Falcon firewall policy FAQ
Viewing Firewall Events
Activity > Firewall Events
Network Auditing in Windows
Appendix: CrowdStrike Core Windows Networking Firewall Rules

https://falcon.eu-1.crowdstrike.com/support/documentation/106/falcon-firewall-management 1/29
Overview

Centrally manage the Windows firewall on your hosts from the Falcon console with Falcon Firewall Management, which is built on the
Windows Filtering Platform. Secure your hosts from network threats by allowing or blocking network traffic in accordance with your
organization’s policies.

Before you begin

Read Host and Host Group Management for more about creating host groups. Firewall policies are enforced on hosts via host
groups.

Requirements

Subscription: Requires Falcon Firewall Management subscription. Contact Sales for info.

Sensor Support: Falcon sensor for Windows version 5.26 and later.

NOTE: If a Falcon firewall policy is applied to a host running an earlier sensor version, the host will have a firewall
policy state of pending changes  until it updates to a sensor that supports Falcon firewall management.

Roles: 

Firewall Manager: Create and edit firewall rules, assign firewall rule groups to firewall policies, and assign firewall policies to
host groups.

NOTE: the Firewall Manager role doesn’t include the ability to create and edit host groups themselves. The Falcon
Administrator role is required for host group management.

These roles can view firewall rules, rule groups, policies, and audit logs:

Falcon Administrator

Falcon Analyst

Falcon Analyst - Read Only

Falcon Investigator

Falcon Security Lead

Understanding Falcon Firewall Management

With Falcon Firewall Management, create firewall rules, rule groups, and policies to precisely define what network traffic is allowed
and blocked. When enforced, Falcon’s firewall policies override the firewall settings on each assigned host.

Rules: Individual firewall rules define precise network traffic that is allowed or blocked and whether you want to see associated
events in the console.

Rule Groups: Firewall rules are created and organized within firewall rule groups. You may choose to start with an empty group
and build it out, or start with a CrowdStrike preset rule group, a collection of core rules that you can edit for your needs. You may
also start a new rule group by copying one of your own groups to edit as needed. Rules are enforced in the precedence order you
define in their rule group.

Policies: Firewall rule groups organize your firewall rules so that they can be easily assigned to firewall policies. A firewall policy is
then configured to allow or block any remaining  incoming and outgoing network traffic that is not defined by its assigned rules.

Rule groups can be assigned to multiple firewall policies. 

Firewall rule groups are enforced in the precedence order you define within a policy.

Firewall policies work like other Falcon policies:

They are applied to individual hosts through host groups. 

Policy precedence handles situations where a host is assigned to more than one policy.

In order to affect assigned host groups, they must be enabled.

Implementation overview

Implementing a set of Falcon firewall rules and policy to secure your hosts from network threats  involves these key steps:

PLANNING AND PREPARATION

Map your organization’s firewall requirements to Falcon Firewall Management rules.

Determine the network traffic you need to allow, block, and see events about. 

Decide how you want to organize your rule groups.

Make sure you have host groups that are aligned with how you need to apply firewall policies.

CREATING FIREWALL RULE GROUPS AND RULES

Create firewall rule groups to logically group firewall rules

Define the traffic you will allow and block in your firewall rules

Enable your rules and rule groups

CREATING FIREWALL POLICIES

Create your firewall policies

Assign firewall rule groups

Configure policy settings

ASSIGN HOST GROUPS AND ENABLE FIREWALL POLICIES

Assign test host group(s) to firewall policies

Enable the firewall policy

TESTING AND TROUBLESHOOTING

We recommend you always test new firewall rules on a small set of test hosts (e.g. in a lab or QA environment) and start simple
with a single rule group and policy. Be as specific as possible about the network traffic you allow, and block everything else. Test
and troubleshoot to confirm the desired behavior before building out the policy or applying it to a production environment.

Falcon provides two options to report firewall events in Activity > Firewall Events during testing:

At the individual rule level, turn on Watch mode to report all matching traffic.

At the policy level, temporarily turn on Monitor mode to allow traffic that would normally be blocked by the policy and report all
associated events.

ROLLOUT/GO LIVE

Build out your firewall rule groups, rules, and policies.

Assign host groups to policies.

Enable the policies.

Improper implementation of firewall rules can cause a major outage that requires manual remediation. Though CrowdStrike has
certain safeguards in place to reduce the risk, always be aware of the potential impact firewall rules may have on your
environment. CrowdStrike protects the key connections between the Falcon sensor and the Falcon cloud so that customers cannot create
rules that interfere with that vital traffic. Other safeguards include not blocking loopback connections and including core
rules in every firewall policy: every firewall policy has CrowdStrike’s preset set of core networking firewall rules baked in. These
are processed before all other firewall rules in each policy and are likewise designed to prevent blocking of vital connections.

Managing your firewall rules and rule groups

Getting to your firewall rule groups and rules

Go to Configuration > Firewall Rule Groups to see your firewall rule groups. On this page, you can filter the rule groups you see in
the list. Click any rule group to expand a quick view list of its firewall rules.

Click an Edit rule group icon to go to that rule group’s Rule group details.

Rule group details opens to the Rules tab. Use the icons at the top right of the table for Table export options and
Toggle table options to customize the columns you see.

In the Actions column, click an Edit rule icon to see and edit an individual firewall rule.

Creating a new firewall rule group

To begin setting up your organization’s firewall in Falcon console, create a rule group.

1. Go to Configuration > Firewall Rule Groups.

2. On the Firewall Rule Groups page, click Create rule group.

3. In the New rule group details dialog, give your rule group a name and description. Click Next to continue.

4. There are three options to start a new firewall rule group: start from scratch or modify an existing rule group. Select an
option and click Create Rule Group.

Empty rule group makes a new group that contains no rules.

Rule group you’ve created lets you make a copy of one of your existing firewall rule groups, including new copies of each
of its firewall rules. Select one of your rule groups to copy and click Create Rule Group.

CrowdStrike preset rule group lets you make a rule group with our collection of core networking firewall rules. Select the
CrowdStrike preset rule group to copy and click Create Rule Group.

5. Your firewall rule group is created, and you see the Rules tab of its Rule group details.

6. Next: Create new firewall rules and/or Edit the rules in the group.

Editing a firewall rule group’s basic info

You can edit the name and description of a rule group at any time.

1. Go to the Configuration > Firewall rule groups page and click the Edit rule group icon for the rule group you want to edit.

2. On the Rules tab of the Rule group details, click the Edit rule group button in the upper right.

3. Make your changes in the Edit rule group dialog and click Save.

Creating a new firewall rule

The details of firewall settings are defined in individual rules, created within rule groups. To add a rule:

1. Go to the Configuration > Firewall rule groups page and click the Edit rule group icon for the rule group where you’ll add your
new rule.

2. On the Rules tab of the Rule group details, click Create new rule.

3. In the Add new firewall rule dialog, define the rule in the firewall rule dialog fields.

4. Click Add Firewall Rule.

5. On the Rules tab of Rule group details, click Save.

Editing a rule

All existing firewall rule parameters can be edited. See Firewall Rule ID and versions for information about what changes
when edits are made.

1. Go to the Configuration > Firewall rule groups page and click the Edit rule group icon for the rule group that contains the
rule you want to edit.

2. On the Rules tab of the Rule group details, click an Edit rule icon in the Actions column to see and edit an individual firewall
rule.

3. Make your changes in the firewall rule dialog fields and click Edit Firewall Rule.

4. On the Rules tab of Rule group details, click Save.

Firewall rule dialog fields

Name: Give this Firewall rule a name that will be recognizable when viewing rules in Firewall Rule Groups and Firewall Policies.

Description (optional): Enter information such as why this rule exists and what it’s used for.

Platform: Windows

Address Family: Your selection determines how address formats you enter in the Local Address and Remote Address fields are
parsed and validated.

If you are creating a rule that defines addresses, select the protocol you’re using:

IPv4

IPv6

Select None if you’re creating a rule for ports only.

Local Address and Remote Address: Enter the local IP address(es) and remote IP address(es) the rule will match, if any. Related
Firewall Events report the exact address involved in the connection that matched the rule. The Local Address and Remote Address
fields support the same values:

Important: every address defined in these fields must be either IPv4 OR IPv6, matching the protocol selected in
Address Family for this rule.

IPv4: Define using one of these formats:

A single IP address

A list using commas and hyphens (limited to 1,000 addresses in total)

CIDR notation with a network prefix given as a single integer from 1-32, inclusive

IPv6: Define a single IP address, or use CIDR notation with a network prefix given as a single integer from 1-128, inclusive,
to define an address range.

Examples of acceptable address ranges:

192.168.0.0/8

10.0.0,1,3-7.-

fe80::a8bb:ccff:fedd:eeff

1022::beef:168:aa30:a09/120

5aef:2b::8/112

::1

Example of a range that would be rejected:

192.168.1-254.1-254

Local Port and Remote Port: Enter the local port(s) and remote port(s) the rule will match, if any. Format the Local Port and
Remote Port fields using these supported parameters:

Single port value: Define with an integer from 1 to 65535.  

Ranges of port numbers: Define using a hyphen. For example, 3000-4000. 

Combinations of single values and ranges in a single rule: Define using a comma-separated list. For example, 22, 80-88.

Action: Select an option:

Allowed: Defined network connections are permitted

Blocked: Defined network connections are denied

Direction: Select an option:

Inbound: Rule will apply to network traffic from the Remote Address/Port to the Local Address/Port.

Outbound: Rule will apply to network traffic from the Local Address/Port to the Remote Address/Port.

Inbound and outbound: Rule will apply to all network traffic between the Remote Address/Port and the Local Address/Port.

Protocol: Define network protocol(s). You can select multiple options:

Any

TCP

UDP

ICMPv4

ICMPv6

Advanced

When you select Advanced, the Protocol Number field is made available so you can enter the next-level protocol number, also
known as the transport layer protocol. This is the value carried in:

IPv4: the Protocol field

IPv6: the Next Header field

See the Internet Assigned Numbers Authority's (IANA) official list of protocol numbers: https://www.iana.org/assignments/protocol-numbers

Watch Mode: Select this option to see the events associated with this rule in Activity > Firewall Events. You may want to use this
setting for troubleshooting, testing a newly added firewall rule, or monitoring a critical firewall rule.

Network Profile: Specify the Windows network location profile(s) where this firewall rule should be applied:

Any

Domain

Private

Public

Executable Filepath (optional):

Use this field to create a process-specific firewall rule. For example, this can be useful if you need to allow a program in a certain
folder access to a port that is blocked to all other traffic by another firewall rule. When this field is blank the rule is applied for all
processes. The value can start with:

A drive letter such as C: or D:

One of the two special names:

%SystemRoot% usually means C:\windows

%SystemDrive% usually means C:

The value can also be a fully specified UNC path for a network location, such as: \\server\share\file\to\path.exe.

This field does not support wildcards.

This field does not support ping.exe.

NOTE: If the sensor can’t resolve the drive letter entered in this field when the rule is enforced, it reports a
FirewallRuleApplicationFailed event in Activity > Firewall Events.

Service Name (optional): Enter a specific service name for the rule to match. This is converted to a Service SID, which Windows
Filtering Platform can match. When this field is blank the rule is applied for all services.
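
The field syntax above is easy to get subtly wrong (a mixed IPv4/IPv6 list, a port of 0, a wildcard in the executable path), and the console only tells you at submission time. The following validator is an added example, not CrowdStrike's code: it encodes the documented rules for Address Family, Local/Remote Address, Local/Remote Port and Executable Filepath so a planned rule can be checked before it is entered. Its reading of the 1,000-address cap (hyphen ranges allowed in any octet, sizes multiplied) is an assumption, as is the rule that the address fields must be blank when Address Family is None; the sample rule is constructed for the example.

```python
"""Validate the Falcon firewall rule dialog fields described above.

Added example, not CrowdStrike's code.  Assumption: the 1,000-address cap on
IPv4 comma/hyphen lists counts every address a hyphen range expands to, in
any octet, multiplying across octets.
"""
import ipaddress
import re

MAX_LIST_ADDRESSES = 1000
_OCTET = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?")
_PORT = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?")
_DRIVE = re.compile(r"[A-Za-z]:\\")
_UNC = re.compile(r"\\\\[^\\]+\\[^\\]+\\.+")   # \\server\share\path...


def count_ipv4_addresses(value: str) -> int:
    """Addresses covered by a list such as '10.0.0.1,10.0.0.3-7' (6 here)."""
    total = 0
    for element in value.split(","):
        octets = element.strip().split(".")
        if len(octets) != 4:
            raise ValueError(f"expected a dotted quad, got {element!r}")
        size = 1
        for octet in octets:
            m = _OCTET.fullmatch(octet)
            if not m:
                raise ValueError(f"bad octet {octet!r} in {element!r}")
            lo, hi = int(m[1]), int(m[2] or m[1])
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"octet range out of bounds: {octet!r}")
            size *= hi - lo + 1
        total += size
    return total


def validate_address(value: str, family: str) -> str:
    """Describe an accepted address field value; raise ValueError otherwise."""
    value = value.strip()
    if not value:
        return "any address"
    if family == "None":
        raise ValueError("Address Family None: leave the address fields blank")
    if family == "IPv4":
        if "/" in value:
            net = ipaddress.IPv4Network(value, strict=False)
            if not 1 <= net.prefixlen <= 32:
                raise ValueError("IPv4 prefix length must be 1-32")
            return f"IPv4 network {net}"
        n = count_ipv4_addresses(value)
        if n > MAX_LIST_ADDRESSES:
            raise ValueError(f"{n} addresses exceeds the {MAX_LIST_ADDRESSES} limit")
        return f"IPv4 list of {n} address(es)"
    if family == "IPv6":
        if "/" in value:
            net = ipaddress.IPv6Network(value, strict=False)
            if not 1 <= net.prefixlen <= 128:
                raise ValueError("IPv6 prefix length must be 1-128")
            return f"IPv6 network {net}"
        return f"IPv6 address {ipaddress.IPv6Address(value)}"   # raises on IPv4
    raise ValueError(f"unknown address family {family!r}")


def validate_ports(value: str) -> list:
    """Parse '22, 80-88' into [(22, 22), (80, 88)]; empty means any port."""
    ranges = []
    for term in (t.strip() for t in value.split(",") if t.strip()):
        m = _PORT.fullmatch(term)
        lo, hi = (int(m[1]), int(m[2] or m[1])) if m else (0, 0)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port term {term!r}")
        ranges.append((lo, hi))
    return ranges


def validate_executable(value: str):
    """Executable Filepath: drive letter, %SystemRoot%, %SystemDrive% or UNC."""
    value = value.strip()
    if not value:
        return None                      # blank: rule applies to every process
    if "*" in value or "?" in value:
        raise ValueError("wildcards are not supported")
    if value.lower().rsplit("\\", 1)[-1] == "ping.exe":
        raise ValueError("ping.exe is not supported")
    if (_DRIVE.match(value) or _UNC.fullmatch(value)
            or value.startswith(("%SystemRoot%\\", "%SystemDrive%\\"))):
        return value
    raise ValueError("must start with a drive letter, %SystemRoot%, %SystemDrive% or \\\\server\\share")


def validate_rule(fields: dict) -> list:
    """Return the problems with a whole rule; an empty list means it is valid."""
    family = fields.get("address_family", "None")
    checks = {"local_address": lambda v: validate_address(v, family),
              "remote_address": lambda v: validate_address(v, family),
              "local_port": validate_ports, "remote_port": validate_ports,
              "executable": validate_executable}
    problems = []
    for name, check in checks.items():
        try:
            check(fields.get(name, ""))
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    if fields.get("action") not in ("Allowed", "Blocked"):
        problems.append("action: must be Allowed or Blocked")
    return problems


# Constructed sample rule: inbound RDP allowed only from a few jump hosts.
RDP_FROM_JUMPHOSTS = {
    "address_family": "IPv4", "remote_address": "10.0.0.1,10.0.0.3-7",
    "local_port": "3389", "action": "Allowed", "direction": "Inbound",
}
```

Under this reading the rejected example from the page, 192.168.1-254.1-254, fails because it expands to 64,516 addresses, not because of its shape; a family mismatch such as ::1 in an IPv4 rule is caught by the same check the console applies, since every address must match the selected Address Family.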

CONFIGURING FIREWALL RULES FOR DOMAIN CONTROLLERS

See Microsoft’s documentation for more information about defining rules for domain controllers.

Firewall Rule ID and versions 

When new firewall rules are created, they are automatically assigned a unique Rule ID and Version. These attributes are both
available on the Rules tab of the Rule group details and in the details of all firewall events shown in Activity > Firewall Events.

A firewall rule’s Rule ID number always stays the same. When rules are copied, the copies of the rules each get their own unique
Rule ID.

A rule’s Version number changes each time it’s edited. This makes it possible to distinguish firewall events from different versions
of the same rule. From the details panel of any firewall event, click the Rule Name or Rule Version to go to the parameters defined
in the specific version of the rule that triggered the event.

Firewall rules precedence

Firewall rules are processed according to precedence (sequential order) within their rule groups, so it is important to consider
this when configuring a group. For example, strict rules should have a higher precedence than generic rules. You can reorder
rules on the Rules tab of a Rule group details page (Configuration > Firewall rule groups, click the edit icon for a rule group).

1. Click Edit precedence to activate the UP/DOWN arrow controls.

2. Use the arrows to change the precedence order of your rules.

3. Click Save to keep your changes.

Enabling or disabling firewall rule groups and rules

Like policies, rule groups and the rules within them must be enabled in order for them to take effect on hosts.

RULE GROUP

Enable or disable a rule group from the Rules tab of a Rule Group Details page (Configuration > Firewall Rule Groups, click the edit
icon for a rule group).

The option to Enable or Disable the rule group is in the upper right corner.

RULE

Enable or disable an individual rule from the Rules tab of a Rule group details page (Configuration > Firewall Rule Groups, click the
edit icon for a rule group).

1. Select a rule or rules to activate the options.

2. Click the option to Enable or Disable above the table.

3. On the Rules tab of Rule group details, click Save.

Deleting firewall rule groups and rules

RULE GROUP

Delete a firewall rule group you no longer need from its Rules tab of a Rule group details page (Configuration > Firewall Rule
Groups, click the edit icon for a rule group). The option to Delete the rule group is in the upper right corner.

RULE

Delete firewall rules you no longer need from the Rules tab of a Rule group details page (Configuration > Firewall Rule Groups, click
the edit icon for a rule group).

1. Select a rule or rules to activate the options.

2. Click the option to Delete on the upper left.

3. In the dialog, click Delete Rules on Save to confirm.

4. On the Rules tab of Rule group details, click Save.

Viewing a firewall rule group’s assigned firewall policies

Firewall rule groups take effect on hosts through their assigned firewall policies, as configured in Firewall Policies. You can see
which policies each rule group is assigned to in its Rule group details.

Go to the Configuration > Firewall rule groups page and click the Edit rule group icon for the rule group you want to see. Click the
Firewall Policies tab to view the firewall policies the rule group is in, and click Go to policies to go to the Firewall Policies page.

See Assigning firewall rule groups to a firewall policy for more information.

Auditing firewall rule and rule group changes

CrowdStrike automatically audits all changes to firewall rules and rule groups. There are two types of audit logs available to view
changes to your firewall rules:

First is the main Firewall rule groups audit log, available from the Firewall rule groups page.

Review the full revision history of every firewall rule and rule group in your organization. To reach this audit log, click See audit
log in the top right corner of the Firewall rule groups page.

Each firewall rule group also has its own Audit Log tab, available on its Rule group details page. This contains the revision history
of firewall rules within that specific rule group.

Sort columns to group your view of the log. Logged revisions are defined in the Action column as Created, Updated, or Deleted.

Click any revision to see its Details panel:

For updates to rule groups, the revision’s details include whether it was enabled or disabled. 

When individual rules have been updated, see the detailed changes that were made.

Managing your firewall policies

Use firewall policies to apply the rules in your firewall rule groups to your hosts.  You can have a total of 100 firewall policies,
including the Default Policy.

About Falcon policies

A policy is a collection of settings. Falcon includes many types of policies for specific purposes: prevention policies, sensor
update policies, and more. All policies work the same way:

1. Create the policy and configure its settings

2. Assign the policy to one or more host groups

3. Falcon applies the policy settings to each host based on its host group membership and policy precedence

If a host doesn't belong to any host groups assigned to a policy, it automatically uses the settings defined in the default policy.

Getting to your firewall policies

Go to Configuration > Firewall Policies to see your firewall policies. Click any policy to expand a quick view list of host groups
assigned to it.

Click an Edit Policy icon on the right to see details and edit an individual policy.

Policy details are configured and displayed on four tabs:

Settings: Where to define whether and how the policy is applied to assigned host groups.

Assigned Host Groups: Where to define which host groups will use the settings of the policy if it is enforced.

Assigned Rule Groups: Where to assign the firewall rule groups to the policy, and the order in which they are enforced.

Rules Summary: Shows all of the individual firewall rules in the policy’s assigned firewall rule groups in the order in which they
are enforced.

Creating a new firewall policy

Create your organization’s firewall policies to enforce your firewall rules on host groups.

1. Go to Configuration > Firewall Policies and click Create new policy.

2. In the Create Policy Details dialog, give your policy a name and description. Click Next to continue.

3. There are two options to start a new firewall policy: start from scratch or modify an existing policy.

Empty Policy makes a new policy that contains no rule groups.

Existing Policy lets you make a copy of one of your firewall policies with all of its assigned rule groups (but not host
groups). Select one of your policies and click Create Policy.

4. Your firewall policy is created, and you see the Settings tab of its Policy details.

5. Next: Assign rule groups to the policy.

Assigning firewall rule groups to a firewall policy

Add firewall rule groups to your organization’s firewall policies so you can enforce your firewall rules on host groups.

1. Go to Configuration > Firewall Policies and click the Edit Policy icon for the policy you want to assign rule groups to.

2. Go to the firewall policy’s Assigned rule groups tab, and click Assign rule groups.

3. In the Assign firewall rule group dialog, select rule group(s), and click Assign to Policy.

4. Your selections are added to the list of Assigned rule groups in the position of lowest precedence.

5. Next: edit firewall rule group precedence.

NOTE: Assigning a rule group to a policy does not change the rule group’s enabled or disabled status. Quickly get to a rule
group’s details by clicking the Edit icon in the Actions column to enable or disable it.

Editing firewall rule group precedence in a firewall policy

Firewall rule groups are processed according to precedence (sequential order) within the firewall policies they’re assigned to, so
it’s important to consider this when configuring a policy. For example, rule groups with strict rules should have a higher
precedence than more generic rule groups.

Reorder rule group precedence on a policy’s Assigned rule groups tab (Configuration > Firewall Policies, click the edit icon for a
policy).

1. Click Edit precedence to activate the UP/DOWN arrow controls.

2. Use the arrows to change the precedence order of your rule groups.

3. Click Save to keep your changes.

Removing a firewall rule group from a firewall policy

You can remove firewall rule groups from firewall policies. This does not delete the firewall rule group or the rules within it.

1. Go to Configuration > Firewall Policies and click the Edit Policy icon for the policy you want to remove a rule group from.

2. Go to the firewall policy’s Assigned rule groups tab.

3. Click the option to Remove in the Actions column.

Configuring firewall policy settings

Use the Settings tab of an individual firewall policy to configure whether and how the policy is applied. Go to Configuration >
Firewall Policies and click the Edit Policy icon for a policy.

POLICY ENFORCEMENT AND MONITORING

Enforce Policy: Turn on this setting to apply the policy’s rules on the hosts in the assigned host groups. This disables the hosts’
native firewall rules and overrides the firewall settings. 

Monitor Mode: Turn on this setting to allow traffic that would normally be blocked by the policy and report all associated
events in Activity > Firewall Events, where the Action taken for these events is labeled Would be blocked. This includes traffic
from the policy’s:

Firewall rules configured with a Blocked action

Default traffic rules set to Block All Inbound or Outbound traffic.

NOTE: During testing, if the noise is too high, or you need to determine whether the firewall events you’re seeing are from a
firewall rule or default traffic rule: temporarily set the default traffic rules to Allow All. Remember to switch them back to the
desired setting when you finish testing and disable Monitor Mode.

DEFAULT TRAFFIC RULES

Configure default rules to Allow All or Block All of the Inbound traffic or Outbound traffic that is not otherwise specified by the
policy’s assigned firewall rules.

CrowdStrike recommends setting your default rule for Inbound traffic to Block All.
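
Rule precedence within a group, rule group precedence within a policy, Monitor Mode and the default traffic rules all combine to decide what happens to a single connection, and the combination is easy to get wrong (a broad block placed ahead of a narrow allow silently shadows it). The following simulator is an added example, not CrowdStrike's code, covering the precedence sections above and the policy settings just described: core rules first, then assigned rule groups in order, rules in order, disabled groups and rules skipped, first match wins, then the default traffic rule for the direction, with Monitor Mode turning a block into a Would be blocked report. It assumes rules match on direction, protocol, remote network and local port only, and uses a single loopback rule as a stand-in for the real core rule set, which this page does not list; the rule groups and connections are constructed for the example.

```python
"""Simulate the decision an enforced Falcon firewall policy makes for one connection.

Added example, not CrowdStrike's code.  Assumptions: rules match on direction,
protocol, remote network and local port only, and one loopback rule stands in
for the preset core rules that run before everything else.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Connection:
    direction: str      # "Inbound" or "Outbound"
    protocol: str       # "TCP", "UDP", ...
    remote: str         # remote IP address
    local_port: int


@dataclass
class Rule:
    name: str
    action: str                 # "Allowed" or "Blocked"
    direction: str              # "Inbound", "Outbound" or "Both"
    protocol: str = "Any"
    remote: str = ""            # CIDR; empty matches any remote address
    local_ports: tuple = ()     # (lo, hi) pairs; empty matches any port
    enabled: bool = True
    watch: bool = False         # Watch Mode: report matches as events

    def matches(self, conn: Connection) -> bool:
        if not self.enabled or self.direction not in ("Both", conn.direction):
            return False
        if self.protocol not in ("Any", conn.protocol):
            return False
        if self.remote and ipaddress.ip_address(conn.remote) not in ipaddress.ip_network(self.remote, strict=False):
            return False
        return not self.local_ports or any(lo <= conn.local_port <= hi for lo, hi in self.local_ports)


@dataclass
class RuleGroup:
    name: str
    rules: list
    enabled: bool = True


@dataclass
class Policy:
    name: str
    rule_groups: list                   # precedence order, highest first
    default_inbound: str = "Block All"  # the setting the page recommends
    default_outbound: str = "Allow All"
    monitor_mode: bool = False


# Stand-in for the preset core rules processed before all other rules.
CORE = RuleGroup("CrowdStrike core", [Rule("Loopback", "Allowed", "Both", remote="127.0.0.0/8")])


def evaluate(policy: Policy, conn: Connection) -> tuple:
    """Return (outcome, source rule, watch flag) for one connection."""
    for group in [CORE, *policy.rule_groups]:
        if not group.enabled:
            continue                    # a disabled group contributes nothing
        for rule in group.rules:
            if rule.matches(conn):      # first match wins
                return _outcome(policy, rule.action, f"{group.name}/{rule.name}", rule.watch)
    default = policy.default_inbound if conn.direction == "Inbound" else policy.default_outbound
    action = "Allowed" if default == "Allow All" else "Blocked"
    return _outcome(policy, action, f"default {conn.direction.lower()} rule", False)


def _outcome(policy: Policy, action: str, source: str, watch: bool) -> tuple:
    if action == "Blocked" and policy.monitor_mode:
        action = "Would be blocked"     # let through, but reported
    return action, source, watch


# Constructed groups: the strict group must outrank the generic one.
STRICT = RuleGroup("Strict: jump hosts", [
    Rule("RDP from jump hosts", "Allowed", "Inbound", "TCP", "10.0.0.0/29", ((3389, 3389),), watch=True),
])
GENERIC = RuleGroup("Generic: web server", [
    Rule("HTTPS in", "Allowed", "Inbound", "TCP", local_ports=((443, 443),)),
    Rule("Deny other inbound TCP", "Blocked", "Inbound", "TCP"),
])
SAMPLES = {  # constructed connections
    "rdp_from_jumphost": Connection("Inbound", "TCP", "10.0.0.5", 3389),
    "rdp_from_elsewhere": Connection("Inbound", "TCP", "198.51.100.7", 3389),
    "https": Connection("Inbound", "TCP", "198.51.100.7", 443),
    "snmp_in": Connection("Inbound", "UDP", "198.51.100.7", 161),
    "smb_loopback": Connection("Inbound", "TCP", "127.0.0.1", 445),
    "dns_out": Connection("Outbound", "UDP", "10.0.0.53", 51000),
}


def decisions(policy: Policy) -> dict:
    """Evaluate every sample connection against the policy."""
    return {name: evaluate(policy, conn) for name, conn in SAMPLES.items()}


if __name__ == "__main__":
    for order in ([STRICT, GENERIC], [GENERIC, STRICT]):   # swap precedence
        for name, result in decisions(Policy("Web servers", order)).items():
            print([g.name for g in order], name, result)
```

Running it with the groups in the recommended order lets RDP from the jump hosts through and blocks it from everywhere else; swapping the two groups makes the generic "Deny other inbound TCP" rule shadow the strict allow, which is exactly the mistake the Rules Summary tab exists to catch. Disabling the strict group has the same effect, and Monitor Mode changes the blocked outcomes to Would be blocked without changing which rule matched.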

Firewall Default Policy

Throughout Falcon policies, the Default Policy is the last policy in the order of precedence. It’s applied to all hosts that aren’t
assigned to another enabled policy. As an added safeguard, the Falcon Firewall Management’s Default Policy is standardized so
that it cannot be enforced. This guarantees that any hosts that aren't assigned to one of your Firewall policies will use their own
native firewall settings.

You can also create your own conservative “catch all” policy for hosts that aren’t assigned to another enabled firewall policy.
To have this firewall policy take effect on your otherwise unassigned hosts instead of the Default Policy, enable the policy, position it
last in policy precedence, immediately before the Default Policy, and assign all of your host groups to it.

Editing firewall policy precedence 

Like other Falcon policies, firewall policies are processed according to precedence (sequential order) on the hosts they’re
assigned to, so it’s important to consider this when configuring your organization’s firewall policies.

Policy precedence lets you configure your Firewall policies so that when a policy is disabled, host groups adopt the next highest
ranking enabled policy they’re assigned to.

Reorder policy precedence on the Firewall Policies page  (Configuration > Firewall Policies).

1. Click Edit precedence to activate the UP/DOWN arrow controls.

2. Use the arrows to change the precedence order of your policies.

3. Click Save to keep your changes.

Policy precedence determines which policy's settings are applied to a host. To handle situations where a host may be a member
of more than one policy, Falcon policy management has the concept of policy precedence. This means that you may define which
policies have a higher precedence to resolve conflicts. Then, when faced with a conflict, the cloud will automatically apply the
policy with the higher precedence (1 being higher than 2, which is higher than 3, etc.).

On a host, the policy with the highest ranking precedence (1 being highest) is applied and active. If something changes with that
highest-ranking policy, for example if it gets disabled, then the next highest-ranking policy gets applied and becomes active.

Each host can belong to one or more host groups. Host groups can be assigned one or more policies. With dynamic groups, a
newly-installed sensor inherits the relevant groups and applies the policy with highest precedence to the host. This provides the
host with its initial policy settings.

If a host is not a part of any groups, or the groups it belongs to have no policies assigned, it is automatically assigned to the
default policy.

Seeing the order firewall rules are applied in a firewall policy

Since firewall rules are processed in precedence order within their rule group, and rule groups are processed in precedence order
within a policy, it can be hard to visualize the order in which all the rules in a policy will be processed, keep track of which rules
are enabled and disabled, or quickly update the rules. Because of this, Falcon provides a summary of the firewall rules in each policy.
It shows them in the order they’re processed and provides Edit rule icons to make changes easily. The summary does not include the
core networking firewall rules:

. Go to Configuration > Firewall Policies and click the Edit Policy icon for a policy.

. Go to the Rules Summary tab.


Assigning host groups to firewall policies

Assign host groups to a firewall policy from the policy. The hosts assigned to a firewall policy are shown on the policy’s Assigned
host groups tab and in its expanded row view on the main firewall policies page.

To assign a host group within Firewall Policies:

1. Go to Configuration > Firewall Policies and click the Edit Policy icon for a policy.

2. Go to the Assigned host groups tab.

3. Click Add groups to policy in the upper-right.

4. In the Add Groups to Policy dialog, select one or more host groups.

5. Click Add Groups to Policy.

6. Your host group selections are assigned to the policy.

Enabling or disabling a firewall policy

A firewall policy must be both enabled (through the policy's Settings tab) and enforced for the Falcon firewall rules to take effect
on hosts. When an enforced firewall policy is enabled from the Falcon console, Falcon's firewall rules take full precedence over the
existing Windows firewall settings of the individual hosts in the assigned host group(s). Any Windows firewall settings, such as
those created via Windows group policies, remain on the system but do not function.

When a firewall policy is disabled, hosts adopt the settings and rules from the next firewall policy they are assigned to according
to precedence. If a host doesn't belong to any host groups assigned to a firewall policy, it automatically uses the settings defined
in the default firewall policy.

When a host group is no longer assigned to any firewall policies that are both enforced and enabled, the Falcon firewall will be
removed from its hosts. Since Falcon does not remove pre-existing Windows firewall settings from individual hosts, when a host
stops receiving firewall policy from Falcon, it falls back to its Windows firewall settings.

To enable or disable a policy:

1. Go to Configuration > Firewall Policies and click the Edit Policy icon for a policy.

2. On the Settings tab of the Policy Details page, click Enable/Disable.

Deleting a firewall policy

Permanently remove a firewall policy by deleting it. You must disable the policy before you can delete it.

1. Go to Configuration > Firewall Policies and click the Edit Policy icon for a policy.

2. On the Settings tab, click Delete.

Falcon firewall policy FAQ

What happens to the hosts in an assigned host group when a Falcon firewall policy is disabled?

Policy precedence allows you to configure your firewall policies so that when a policy is disabled, host groups adopt the next
highest-ranking enabled policy they're assigned to. If a host group is not assigned to any enabled policy, then the hosts adopt the
default policy.

What happens on hosts in assigned host group(s) when a Falcon firewall policy is enforced?

When a firewall policy is set to enforce from the Falcon console, Falcon's firewall rules take full precedence over the existing
Windows firewall settings of the individual hosts in the assigned host group(s). Any Windows firewall settings, such as those
created via Windows group policies, remain on the system but do not function.

What happens to a host’s firewall settings if the Falcon sensor is removed, or if it isn’t assigned to any enforced firewall policies?

Since Falcon does not remove pre-existing Windows firewall settings from individual hosts, if it stops receiving firewall policy
from Falcon, the host will fall back to its Windows firewall settings.

Is there any visual indication on host machines to show that Falcon is in control of its firewall settings?

Yes, a message appears in the Windows Firewall settings.

NOTE: The Windows Firewall settings show the settings that the host would revert to if Falcon firewall policy was removed.
Admins can modify the Windows firewall on hosts while Falcon is managing the firewall, but the changes won’t take effect unless
the host stops receiving firewall policy from Falcon.

Viewing Firewall Events

Activity > Firewall Events

Go to Activity > Firewall Events to see events associated with firewall rule and policy matches.

Falcon records two kinds of firewall events:

It records events for traffic that matches your firewall rules that have Watch mode enabled.

When a policy is in Monitor mode, it records all events for two kinds of traffic:

Traffic that matches its assigned firewall rules that have Watch mode enabled.

Traffic that matches the policy's Default traffic rules or its assigned firewall rules and that would be blocked if Monitor mode
were turned off. The Action taken for these events is labeled Would be blocked.

Click any firewall event’s row to expand its details.

Network Auditing in Windows

While using Falcon Firewall Management, you can enable Windows Filtering Platform's auditing of firewall-related events on a
host to view them in the Windows Security Log for that host.

To enable this reporting, run the following on the host (the GUID is the Filtering Platform Connection audit subcategory):

auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

See Windows documentation for more information.
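
Once the Filtering Platform Connection subcategory is audited, the Security log receives event ID 5156 (connection permitted) and 5157 (connection blocked) records, which can be exported with wevtutil qe Security /f:xml. The parser below is an added example written for this page, not CrowdStrike or Microsoft code: it reads those exported events and tallies what was blocked, by process, direction, protocol and destination port. The embedded sample events are constructed, the direction tokens %%14592 (Inbound) and %%14593 (Outbound) are the placeholder strings Windows writes into these events, and the protocol numbers are the IANA IP protocol numbers.

```python
"""Parse Windows Filtering Platform connection audit events (IDs 5156/5157)
exported from the Security log and summarise blocked connections.
Added example, not CrowdStrike code; the sample events are constructed."""
import os
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs in the "Filtering Platform Connection" audit subcategory.
PERMITTED, BLOCKED = 5156, 5157
# Direction placeholders used in these events (assumed values) and IANA protocol numbers.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
PROTOCOL = {"1": "ICMPv4", "6": "TCP", "17": "UDP", "58": "ICMPv6"}


def parse_wfp_events(xml_text):
    """Return one dict per <Event> whose ID is 5156 or 5157.

    Accepts the raw output of `wevtutil qe Security /f:xml`, which is a series
    of <Event> elements with no enclosing root element, or a single <Event>."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    out = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (PERMITTED, BLOCKED):
            continue          # e.g. 5158/5159 bind events in the same subcategory
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        out.append({
            "event_id": event_id,
            "action": "Permitted" if event_id == PERMITTED else "Blocked",
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
            "application": data.get("Application", ""),
            "direction": DIRECTION.get(data.get("Direction"), data.get("Direction")),
            "src": f'{data.get("SourceAddress")}:{data.get("SourcePort")}',
            "dst": f'{data.get("DestAddress")}:{data.get("DestPort")}',
            "protocol": PROTOCOL.get(data.get("Protocol"), data.get("Protocol")),
            "filter_rtid": data.get("FilterRTID"),   # WFP filter that matched
        })
    return out


def blocked_summary(events):
    """Count blocked connections by (process name, direction, protocol, dest port)."""
    counts = Counter()
    for e in events:
        if e["action"] != "Blocked":
            continue
        exe = os.path.basename(e["application"].replace("\\", "/"))
        port = e["dst"].rsplit(":", 1)[1]
        counts[(exe, e["direction"], e["protocol"], port)] += 1
    return counts


def _event(event_id, app, direction, src, sport, dst, dport, proto):
    """Build one constructed sample event in the Security log's XML shape."""
    return f"""<Event xmlns="{NS['e']}"><System>
  <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>
  <TimeCreated SystemTime="2020-11-06T10:15:32.000000000Z"/><Channel>Security</Channel>
  <Computer>host01.example.local</Computer></System><EventData>
  <Data Name="ProcessID">4</Data><Data Name="Application">{app}</Data>
  <Data Name="Direction">{direction}</Data><Data Name="SourceAddress">{src}</Data>
  <Data Name="SourcePort">{sport}</Data><Data Name="DestAddress">{dst}</Data>
  <Data Name="DestPort">{dport}</Data><Data Name="Protocol">{proto}</Data>
  <Data Name="FilterRTID">70001</Data><Data Name="LayerName">%%14610</Data>
  <Data Name="LayerRTID">44</Data></EventData></Event>"""


# Constructed sample export: inbound SMB blocked, outbound DNS permitted,
# outbound FTP from a legacy app blocked, plus a 5158 bind event to be ignored.
SAMPLE_XML = "\n".join([
    _event(5157, "System", "%%14592", "10.0.0.5", "49152", "10.0.0.20", "445", "6"),
    _event(5156, r"\device\harddiskvolume2\windows\system32\svchost.exe",
           "%%14593", "10.0.0.20", "53011", "10.0.0.2", "53", "17"),
    _event(5157, r"\device\harddiskvolume2\program files\legacyapp\legacyapp.exe",
           "%%14593", "10.0.0.20", "53012", "203.0.113.9", "21", "6"),
    _event(5158, "System", "%%14593", "0.0.0.0", "5353", "0.0.0.0", "0", "17"),
])

if __name__ == "__main__":
    for key, n in blocked_summary(parse_wfp_events(SAMPLE_XML)).items():
        print(n, *key)
```

Run it against a real export by replacing SAMPLE_XML with the contents of a file produced by, for example, wevtutil qe Security /q:"*[System[(EventID=5156 or EventID=5157)]]" /f:xml; the FilterRTID field identifies the WFP filter that made the decision, which is the value to correlate when checking which managed rule matched.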

Appendix: CrowdStrike Core Windows Networking Firewall Rules

These rules are automatically enabled on every firewall policy, and are processed before all other rules. There is also an option
available to copy these rules when starting a new rule group. These core rules are periodically edited and added to. To see the
most up-to-date list, create a new rule group using the CrowdStrike preset rule group option.

Status  | Rule name                                                         | Description                                                                  | Traffic direction | Action to take | Event frequency | Protocol
--------|-------------------------------------------------------------------|------------------------------------------------------------------------------|-------------------|----------------|-----------------|---------
Enabled | ICMPv6 Neighbor Solicitation                                      | Allow ICMPv6 type 135 In and Out to and from the System process              | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | Receive ICMP ping reply                                           | Allow ICMPv6 echo reply Inbound to the System process                        | In                | Allowed        | 0 / 0ms         | ICMPv6
Enabled | ICMPv6 Multicast Listener Query                                   | Allow ICMPv6 type 130 In and Out to and from the System process              | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | Internet Group Management (IGMP)                                  | Allow IGMP (Internet Group Management) In and Out to and from the System process | Both           | Allowed        | 0 / 0ms         | 2
Enabled | ICMPv6 Multicast Listener Report                                  | Allow ICMPv6 type 131 In and Out to and from the System process              | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | DHCP on IPv4                                                      | Allow DHCP In and Out to and from the Dhcp service                           | Both              | Allowed        | 0 / 0ms         | UDP
Enabled | Microsoft DS Group Policy                                         | Allow TCP Out from the Group Policy service when on the Domain               | Out               | Allowed        | 0 / 0ms         | TCP
Enabled | DNS request                                                       | Allow DNS Out from the Dnscache service                                      | Out               | Allowed        | 0 / 0ms         | UDP
Enabled | Network Time Protocol                                             | Allow UDP Out from the W32Time service to NTP port                           | Out               | Allowed        | 0 / 0ms         | UDP
Enabled | Microsoft DS Network Sharing                                      | Allow TCP from the System process to DS network share port when on the Domain | Out              | Allowed        | 0 / 0ms         | TCP
Enabled | ICMPv6 Multicast Listener Report version 2                        | Allow ICMPv6 type 143 In and Out to and from the System process              | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | DHCP on IPv6                                                      | Allow DHCPv6 In and Out to and from the Dhcp service                         | Both              | Allowed        | 0 / 0ms         | UDP
Enabled | ICMPv6 Parameter Problem                                          | Allow ICMPv6 type 4 In and Out to and from the System process                | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | ICMPv6 Neighbor Advertisement                                     | Allow ICMPv6 type 136 In and Out to and from the System process              | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | ICMPv6 Packet Too Big                                             | Allow ICMPv6 type 2 In and Out to and from the System process                | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | ICMPv6 Multicast Listener Done                                    | Allow ICMPv6 type 132 In and Out to and from the System process              | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | Lsass                                                             | Allow TCP Out from the lsass process when on the Domain                      | Out               | Allowed        | 0 / 0ms         | TCP
Enabled | ICMPv6 Router Solicitation                                        | Allow ICMPv6 type 133 In and Out to and from the System process              | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | ICMPv6 Router Advertisement out                                   | Allow ICMPv6 type 134 Out from the System process                            | Out               | Allowed        | 0 / 0ms         | ICMPv6
Enabled | ICMPv6 Router Advertisement in                                    | Allow ICMPv6 type 134 Into the System process                                | In                | Allowed        | 0 / 0ms         | ICMPv6
Enabled | ICMPv6 Time Exceeded                                              | Allow ICMPv6 type 3 In and Out to and from the System process                | Both              | Allowed        | 0 / 0ms         | ICMPv6
Enabled | Receive ICMP destination unreachable - fragmentation needed reply | Allow ICMPv4 type 3 code 4 Inbound to the System process                     | In                | Allowed        | 0 / 0ms         | ICMPv4
