
Falcon Firewall Management

Last updated: Mar. 12, 2023

Contents:
Overview
Before you begin
Requirements

Understand Falcon Firewall Management


Implementation overview
Manage your firewall rules and rule groups
View your firewall rule groups and rules
Create a firewall rule group
Editing a firewall rule group’s basic info
Create a firewall rule
Edit a rule
Firewall rule dialog fields
Custom network locations for Falcon Firewall Management rules
Configure a custom rule
Add a custom network location to a rule
Firewall Rule ID and versions
Firewall rules precedence
Enable or disable firewall rule groups and rules
Delete firewall rule groups and rules
Viewing a firewall rule group’s assigned firewall policies
Troubleshoot rule enforcement for macOS endpoints
Audit changes to firewall rules and rule groups

Manage your firewall policies


About Falcon policies
View your firewall policies
Create a firewall policy
Assign firewall rule groups to a firewall policy
Edit firewall rule group precedence in a firewall policy
Remove a firewall rule group from a firewall policy
Configure firewall policy settings
Confirm an updated firewall policy or rule for macOS
Firewall Default Policy
Editing firewall policy precedence
Review the order firewall rules are applied in a firewall policy
Assign firewall policies
Enable or disable a firewall policy
Delete a firewall policy

View Firewall Events


Check compliance
Network Auditing in Windows
Confirm firewall policies on a macOS endpoint
Support for advanced protocols on macOS hosts
CrowdStrike Core Windows Networking Firewall Rules

Overview
Centrally manage the firewalls on your Windows and macOS hosts from the Falcon console using Falcon Firewall Management. On Windows, enforcement is based on the Windows Filtering Platform; on macOS, it is based on the CrowdStrike platform. Secure your hosts from network threats by allowing or blocking network traffic in accordance with your organization’s policies.
Before you begin
Firewall policies are enforced on hosts by using host groups. For info about creating host groups, see Host and Host Group Management.

Requirements
Subscription: Falcon Firewall Management

Sensor Support:

Windows

Falcon sensor for Windows version 6.33 and later. Sensor version 6.42 or later is required for wildcard support.

Note: If a Falcon firewall policy is applied to a host running an earlier sensor version, the host will have a firewall policy state of pending changes until it
updates to a sensor that supports Falcon firewall management.
macOS

Requires macOS Sensor version 6.33 or later. Sensor version 6.41 or later is required for wildcard support.

Note: The beta version of firewall management is available on sensors 6.31 and 6.32. However, rule enforcement issues might occur. We
recommend updating to version 6.33 or later. If a Falcon firewall policy is applied to a host with an earlier sensor version, the host shows a firewall
policy state of Pending Changes until it updates to a sensor that supports Falcon firewall management.

macOS support: Big Sur 11.4 and later

Support for Advanced Protocols: For info, see Support for Advanced Protocols

ICMP connections: To block incoming ICMP connections, enable stealth mode in macOS System Preferences

Roles:

Firewall Manager: Create and edit firewall rules, assign firewall rule groups to firewall policies, and assign firewall policies to host groups.

Note: The Firewall Manager role doesn’t include the ability to create and edit host groups themselves. The Falcon Administrator role is required for host
group management.

These roles can view firewall rules, rule groups, policies, and audit logs:

Falcon Administrator

Falcon Analyst

Falcon Analyst - Read Only

Falcon Investigator

Falcon Security Lead

Understand Falcon Firewall Management


With Falcon Firewall Management, create firewall rules, rule groups, and policies to precisely define what network traffic is allowed and blocked. When enforced,
Falcon’s firewall policies override the firewall settings on each assigned host.

Rules: Individual firewall rules define precise network traffic that is allowed or blocked and whether you want to see associated events in the console.

Rule groups: Use firewall rule groups to organize firewall rules. You can start with an empty group and build it out, or start with a CrowdStrike preset rule group, a
collection of core rules that you can edit for your needs. You can also start a new rule group by copying one of your own groups to edit as needed. Rules are enforced
in the precedence order you define in their rule group.

Policies: Use policies to enforce firewall rules. You assign rule groups to a policy and then configure the policy to allow or block any remaining network traffic that is
not defined by the rules in its rule groups.

Rule groups can be assigned to multiple firewall policies.

Firewall rule groups are enforced in the precedence order you define within a policy.

Firewall policies work like other Falcon policies:


They are applied to individual hosts through host groups.

Policy precedence handles situations where a host is assigned to more than one policy.

To affect assigned host groups, they must be enabled.

Implementation overview
Implementing a set of Falcon firewall rules and policy to secure your hosts from network threats involves these key steps:

Plan and prepare


Map your organization’s firewall requirements to Falcon Firewall Management rules.

Determine the network traffic you need to allow, block, and review.

Decide how you want to organize your rule groups.

Make sure you have host groups that are aligned with how you need to apply firewall policies.

Create firewall rule groups and rules


Create firewall rule groups to logically group firewall rules

Define the traffic you will allow and block in your firewall rules

Enable your rules and rule groups

Create firewall policies


Create your firewall policies

Assign firewall rule groups

Configure policy settings

Assign host groups and enable firewall policies


Assign firewall policies to test host groups

Enable the firewall policy

Test and Troubleshoot


We recommend you always test new firewall rules on a small set of test hosts, such as in a lab or QA environment, and start simple with a single rule group and policy.
Be as specific as possible about the network traffic you allow, and block everything else. Test and troubleshoot to confirm the desired behavior before building out the
policy or applying it to a production environment.

Falcon provides two options to report firewall events in Endpoint security > Firewall > Activity during testing:

At the individual rule level, turn on Watch mode to report all matching traffic.

At the policy level, temporarily turn on Monitor mode to allow traffic that would normally be blocked by the policy and report all associated events.

Rollout/Go Live
Build out your firewall rule groups, rules, and policies.

Assign policies to host groups.

Enable the policies.

Important: Improper implementation of firewall rules can cause a major issue that requires manual remediation. Always be aware of the potential impact Firewall rules
might have on your environment.
CrowdStrike has certain safeguards in place to reduce the risk:

Protecting key connections between the Falcon sensor and cloud

Not blocking loopback connections

Including core rules in every firewall policy
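The testing guidance above turns on two kinds of reporting: Watch mode on a rule reports matching traffic, and Monitor mode on a policy allows traffic the policy would otherwise block while still reporting it. The following added example (not CrowdStrike code; the data model and the `evaluate` function are assumptions made for illustration) simulates how a policy decides a connection's fate, so you can see which events each mode would produce before touching production hosts. The same simulation is useful for the precedence discussion later in the document, since rule groups are checked in policy precedence order and rules in rule-group precedence order, first match wins, and unmatched traffic falls through to the policy's default action.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    direction: str                     # "inbound", "outbound" or "both"
    protocol: str                      # "TCP", "UDP" or "any"
    remote_port: Optional[int] = None  # None matches any remote port
    enabled: bool = True
    watch_mode: bool = False           # report every match in Firewall > Activity


@dataclass
class RuleGroup:
    name: str
    rules: List[Rule]                  # precedence order: first match wins
    enabled: bool = True


@dataclass
class Policy:
    name: str
    rule_groups: List[RuleGroup]       # precedence order within the policy
    default_action: str = "block"      # applied to traffic no rule defines
    monitor_mode: bool = False         # allow would-be-blocked traffic, but report it


@dataclass
class Connection:
    direction: str
    protocol: str
    remote_port: int


def rule_matches(rule: Rule, conn: Connection) -> bool:
    if rule.direction not in ("both", conn.direction):
        return False
    if rule.protocol != "any" and rule.protocol != conn.protocol:
        return False
    return rule.remote_port is None or rule.remote_port == conn.remote_port


def evaluate(policy: Policy, conn: Connection) -> Tuple[str, Optional[str], List[str]]:
    """Return (effective action, name of the deciding rule or None, reported events)."""
    events = []
    for group in policy.rule_groups:
        if not group.enabled:
            continue
        for rule in group.rules:
            if not rule.enabled or not rule_matches(rule, conn):
                continue
            source = f"{group.name}/{rule.name}"
            if rule.watch_mode:
                events.append(f"watch: {source} matched {conn}")
            if rule.action == "block" and policy.monitor_mode:
                # Monitor mode lets the traffic through but records what would have happened.
                events.append(f"monitor: {source} would block {conn}")
                return "allow", rule.name, events
            return rule.action, rule.name, events
    # Nothing matched: the policy's own setting for remaining traffic decides.
    if policy.default_action == "block" and policy.monitor_mode:
        events.append(f"monitor: policy default would block {conn}")
        return "allow", None, events
    return policy.default_action, None, events


def build_sample_policy(strict_first: bool = True, monitor_mode: bool = False) -> Policy:
    """Constructed sample: a strict group that blocks inbound SMB and a generic group that allows inbound TCP."""
    strict = RuleGroup("Strict", [Rule("Block SMB in", "block", "inbound", "TCP", 445, watch_mode=True)])
    generic = RuleGroup("Generic", [Rule("Allow all TCP in", "allow", "inbound", "TCP")])
    groups = [strict, generic] if strict_first else [generic, strict]
    return Policy("Workstations", groups, default_action="block", monitor_mode=monitor_mode)


if __name__ == "__main__":
    smb = Connection("inbound", "TCP", 445)
    print(evaluate(build_sample_policy(), smb))                      # blocked by Strict
    print(evaluate(build_sample_policy(strict_first=False), smb))    # allowed: Generic now wins
    print(evaluate(build_sample_policy(monitor_mode=True), smb))     # allowed, two events reported
```

Swapping the two groups' order in `build_sample_policy` is the situation the precedence sections warn about: the generic allow rule now shadows the strict block, which is why stricter groups and rules belong at higher precedence.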

Manage your firewall rules and rule groups

View your firewall rule groups and rules


Go to Endpoint security > Firewall > Rule groups to see your firewall rule groups. On this page, you can filter the rule groups you see in the list. Click any rule group to
expand a quick view list of its firewall rules.

Click an Edit rule group icon to go to that rule group’s Rule group details.

Rule group details opens to a view of the Rules tab. Use the icons on the top right of the table for Table export options and Toggle table options to customize the
columns you see.

In the Actions column, click an Edit rule icon to see and edit an individual firewall rule.
Create a firewall rule group
To begin setting up your organization’s firewall in Falcon console, create a rule group.

1. Go to Endpoint security > Firewall > Rule groups.

2. Click Create rule group.

3. Enter a group name and description in the New rule group details dialog. Click Next.

4. Select the platform.

5. There are three options to start a new firewall rule group. Start from scratch or modify an existing rule group. Select an option and click Create Rule Group.

Empty rule group: Makes a new group that contains no rules

Rule group you’ve created: Copies an existing firewall rule group and its firewall rules

CrowdStrike preset rule group: Makes a rule group with our collection of core networking firewall rules
6. Your firewall rule group is created, and you see the Rules tab of its Rule group details.

7. Next: Create new firewall rules or Edit the rules in the group.

Editing a firewall rule group’s basic info


You can edit the name and description of a rule group at any time.

1. Go to the Endpoint security > Firewall > Rule groups page and click the Edit rule group icon for the rule group you want to edit.

2. Select the tab for the rule group’s platform.

3. Click the Edit rule group icon for the rule group you want to edit.

4. On the Rules tab of the Rule group details, click Edit rule group.

5. Make your changes in the Edit rule group dialog and click Save.

[Screenshot: the Edit rule group dialog, where you change the group’s name and description]

Create a firewall rule


The details of firewall settings are defined in individual rules, created within rule groups. To add a rule:

1. Go to the Endpoint security > Firewall > Rule groups page.

2. Select the tab for the rule group’s platform.

3. Click the Edit rule group icon for the rule group where you’ll add the new rule.

4. On the Rules tab of the Rule group details, click Create new rule.

5. In the Add new firewall rule dialog, define the rule in the firewall rule dialog fields.
6. To configure a rule for executables with dynamic file paths, include a wildcard in the Executable Filepath field. To confirm that the wildcard works as
expected, enter a URL in the Test String field.

7. Click Add Firewall Rule.

8. On the Rules tab of Rule group details, click Save.

Edit a rule
You can edit all existing firewall rule parameters. Review firewall rule versions and rule IDs for information about what changes when edits are made.

1. Go to the Endpoint security > Firewall > Rule groups page and click the Edit rule group icon for the rule group that contains the rule you want to edit.

2. On the Rules tab of the Rule group details card, click an Edit rule icon in the Actions column to see and edit an individual firewall rule.

3. Make your changes in the firewall rule dialog fields and click Edit Firewall Rule.
4. On the Rules tab of Rule group details, click Save.

Firewall rule dialog fields


Name: Give this Firewall rule a name that is recognizable when viewing rules in Firewall Rule Groups and Firewall Policies.

Description (optional): Enter information such as the rule’s purpose.

Platform: Windows and macOS

Address Family: Your selection determines how address formats you enter in the Local Address and Remote Address fields are parsed and validated.

If you are creating a rule that defines addresses, select the address family you’re using:

IPv4

IPv6

Select None if you’re creating a rule for ports only.

Local Address and Remote Address: Enter the local IP addresses and remote IP addresses the rule will match, if any. Related Firewall Events report the exact address
involved in the connection that matches the rule. The Local Address and Remote Address fields support the same values:

Important: every address defined in these fields must be either IPv4 OR IPv6, matching the protocol selected in Address Family for this rule.

IPv4: Define using one of these formats:

A single IP address

Ranges defined with commas and hyphens

Semicolons to separate individual IP addresses and ranges (limited to 1,000 identified addresses)

CIDR notation with a network prefix as a single integer from 1-32, inclusive

IPv6: Define a single IP address, or use CIDR notation with a network prefix as a single integer from 1-128, inclusive, to define an address range.

Examples of acceptable address ranges:

192.168.0.0/8

10.0.0,1,3-7.-

fe80::a8bb:ccff:fedd:eeff

1022::beef:168:aa30:a09/120

5aef:2b::8/112

::1

Example of a range that would be rejected:

192.168.1-254.1-254
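A validator that mirrors the documented address formats is a handy pre-flight check before pasting long lists into the console. The following is an added example, not CrowdStrike's own validation code: it accepts a single address, CIDR notation with the documented prefix limits, a hyphenated range of two complete IPv4 addresses, and semicolon-separated lists capped at 1,000 addresses, and it enforces that every entry matches the rule's Address Family. The comma shorthand for octet lists is not modelled (assumption: its exact grammar is console-specific), and CIDR blocks are counted as one entry each.

```python
import ipaddress

# Documented limit for semicolon-separated lists of addresses and ranges.
MAX_LISTED_ADDRESSES = 1000


def validate_address_field(value: str, family: str):
    """Validate a Local Address / Remote Address field value.

    family is the rule's Address Family, "IPv4" or "IPv6". Returns (ok, detail):
    detail is the number of addresses identified when ok is True, otherwise a
    short reason for rejection.
    """
    version = 4 if family == "IPv4" else 6
    max_prefix = 32 if version == 4 else 128
    count = 0
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            return False, "empty entry in list"
        try:
            if "/" in entry:
                # CIDR: prefix must be a single integer in 1..32 (IPv4) or 1..128 (IPv6).
                net = ipaddress.ip_network(entry, strict=False)
                if net.version != version:
                    return False, f"{entry}: not {family}"
                if not 1 <= net.prefixlen <= max_prefix:
                    return False, f"{entry}: prefix must be 1-{max_prefix}"
                count += 1
            elif "-" in entry:
                # Hyphenated range of two complete addresses; the page documents this for IPv4 only.
                if version != 4:
                    return False, f"{entry}: hyphen ranges are only supported for IPv4"
                lo_text, hi_text = entry.split("-", 1)
                lo = ipaddress.ip_address(lo_text.strip())
                hi = ipaddress.ip_address(hi_text.strip())
                if lo.version != 4 or hi.version != 4 or hi < lo:
                    return False, f"{entry}: invalid IPv4 range"
                count += int(hi) - int(lo) + 1
            else:
                addr = ipaddress.ip_address(entry)
                if addr.version != version:
                    return False, f"{entry}: not {family}"
                count += 1
        except ValueError as exc:
            # Covers malformed input such as a range expressed inside octets (192.168.1-254.1-254).
            return False, f"{entry}: {exc}"
    if count > MAX_LISTED_ADDRESSES:
        return False, f"{count} addresses exceeds the limit of {MAX_LISTED_ADDRESSES}"
    return True, count


if __name__ == "__main__":
    for value, family in [("192.168.0.0/8", "IPv4"),
                          ("10.0.0.1-10.0.0.7;10.0.1.1", "IPv4"),
                          ("fe80::a8bb:ccff:fedd:eeff", "IPv6"),
                          ("192.168.1-254.1-254", "IPv4")]:
        print(value, "->", validate_address_field(value, family))
```

The rejected example from the text, 192.168.1-254.1-254, fails because the hyphen splits it into "192.168.1" and "254.1-254", neither of which is a complete address; the validator reports that rather than silently accepting a per-octet range.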

Local Port and Remote Port: Enter the local ports and remote ports the rule will match, if any. Format the Local Port and Remote Port fields using these supported
parameters:

Single port value: Define with an integer from 1 to 65535.

Ranges of port numbers: Define using a hyphen. For example, 3000-4000.

Combinations of single values and ranges in a single rule: Define using an array. For example, 22, 80-88.
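The three port formats above (a single port, a hyphenated range, and a comma-separated combination) parse into a list of inclusive ranges that a matcher can test a connection's port against. This added example is not CrowdStrike code; the function names are assumptions made for illustration, and the range limits follow the text.

```python
from typing import List, Tuple


def parse_port_field(value: str) -> List[Tuple[int, int]]:
    """Parse a Local Port / Remote Port field into inclusive (low, high) ranges.

    Accepts "443", "3000-4000" or "22, 80-88". Raises ValueError for anything
    malformed or outside 1-65535.
    """
    ranges = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        if "-" in item:
            low_text, high_text = item.split("-", 1)
            low, high = int(low_text), int(high_text)   # int() rejects non-numeric text
        else:
            low = high = int(item)
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"{item}: ports must be 1-65535")
        if low > high:
            raise ValueError(f"{item}: range start exceeds range end")
        ranges.append((low, high))
    return ranges


def port_matches(ranges: List[Tuple[int, int]], port: int) -> bool:
    """True when the connection's port falls inside any parsed range."""
    return any(low <= port <= high for low, high in ranges)


if __name__ == "__main__":
    spec = parse_port_field("22, 80-88")
    print(spec, port_matches(spec, 85), port_matches(spec, 443))
```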

Action: Select an option:

Allowed: Defined network connections are permitted

Blocked: Defined network connections are denied

Direction: Select an option:

Inbound: Rule will apply to network traffic from the Remote Address/Port to the Local Address/Port.

Outbound: Rule will apply to network traffic from the Local Address/Port to the Remote Address/Port.

Inbound and outbound: Rule will apply to all network traffic between the Remote Address/Port and the Local Address/Port.

Protocol: Define network protocols. You can select multiple options:

Any

TCP

UDP

ICMPv4

ICMPv6

Note: macOS doesn't have visibility into and cannot block SSH connections.

Advanced

When you select Advanced, the Protocol Number field is made available so you can enter the next level protocol, also known as the transport layer protocol:

-IPv4: Protocol field

-IPv6: Next Header field

See the Internet Assigned Numbers Authority's (IANA) official list of protocols: iana.org
Watch Mode: Select this option to see the events associated with this rule in Endpoint security > Firewall > Activity. You might want to use this setting for
troubleshooting, testing a newly added firewall rule, or monitoring a critical firewall rule.

Note: Turn on watch mode to report events associated with the rule. When watch mode is enabled, one event per hour is viewable for the rule.
Network Profile: Specify the Windows network location profiles where this firewall rule should be applied:

Any

Domain

Private

Public

Executable Filepath (optional):

Use this field to create a process-specific firewall rule. For example, this can be useful if you need to allow a program in a certain folder access to a port that is blocked
to all other traffic by another firewall rule. When this field is blank the rule is applied for all processes. Your input must adhere to the following guidelines.

For static file paths:

It must begin with a drive letter, such as C: or D:, or with one of these two special names:

%SystemRoot% usually means C:\windows

%SystemDrive% usually means C:

This field does not support ping.exe

The value can also be a fully specified UNC path for network locations, such as: \\server\share\file\to\path.exe

Note: If the sensor can’t resolve the drive letter entered in this field when the rule is enforced, it reports a FirewallRuleApplicationFailed event in Endpoint
security > Firewall > Activity.

For dynamic file paths:

Include glob syntax to create a wildcard rule for a dynamic file path. For more info, see glob syntax.

Dynamic file path: /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper

Static file path: /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/103.0.5060.53/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper

Note: Enclose individual bracket characters ( [ or ] ) in the input field inside of additional square brackets.

Test String (optional):

This case sensitive field appears when the system detects glob syntax in the Executable Filepath field. To confirm that the wildcard works as expected, enter sample
URLs.
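The wildcard, bracket-escaping and case-sensitivity rules above can be checked offline before a rule is saved. The following added example (not CrowdStrike code) uses Python's fnmatch as a stand-in for the sensor's glob matcher (an assumption: the sensor's exact glob dialect is not documented here) to confirm that the dynamic Chrome path from the text matches the static one, that a literal bracket must be written as [[] or []], and that matching is case sensitive as the Test String field is.

```python
import fnmatch
from typing import Dict, Iterable

# Paths from the text: the versioned folder is replaced by a wildcard in the rule.
CHROME_DYNAMIC_PATH = ("/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework"
                       "/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper")
CHROME_STATIC_PATH = ("/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework"
                      "/Versions/103.0.5060.53/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper")


def executable_path_matches(pattern: str, path: str) -> bool:
    """Case-sensitive glob match of a candidate executable path against a rule's
    Executable Filepath pattern (fnmatch used as the matcher; an assumption)."""
    return fnmatch.fnmatchcase(path, pattern)


def check_test_strings(pattern: str, samples: Iterable[str]) -> Dict[str, bool]:
    """Mirror the console's Test String check: which sample paths does the pattern match?"""
    return {sample: executable_path_matches(pattern, sample) for sample in samples}


if __name__ == "__main__":
    print(check_test_strings(CHROME_DYNAMIC_PATH, [CHROME_STATIC_PATH, CHROME_STATIC_PATH.lower()]))
    # Constructed example of a path containing literal brackets. Unescaped, "[beta]" is a
    # character class matching a single b, e, t or a, so it never matches the real folder.
    print(check_test_strings("/opt/tools[[]beta[]]/agent", ["/opt/tools[beta]/agent"]))
    print(check_test_strings("/opt/tools[beta]/agent", ["/opt/tools[beta]/agent", "/opt/toolsb/agent"]))
```

A glob that silently matches nothing is the failure mode to watch for: the rule saves cleanly but never applies, so the Test String check (or this script) is the place to catch an unescaped bracket or a case mismatch.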

Service Name (optional): Enter a specific service name for the rule to match. This is converted to a Service SID, which Windows Filtering Platform can match. When
this field is blank the rule is applied for all services.

Configure firewall rules for domain controller


See Microsoft’s documentation for more information about defining rules for domain controllers.

Custom network locations for Falcon Firewall Management rules


Falcon Firewall Management enables you to configure custom network locations for firewall rules in the Falcon Console. The sensor uses these network location
definitions to automatically determine which location to activate and enforces the firewall rules associated with that location.
Note: Custom network locations are currently only available for macOS.

You can configure multiple criteria per network location and link them to Firewall rules. There are five passive criteria that can instantly detect changes to endpoint
and/or network configuration.

Criteria:

Connection type & SSID: Checks for a wired or wireless connection and optionally determines whether a wireless connection is encrypted and/or identified by a known SSID.

Gateway IP address: Checks the IP address of the host’s network gateway.

DHCP server address: Checks the IP address of the host’s DHCP server.

DNS server address: Checks the IP address of the host’s DNS servers.

Host IP address: Checks the IP address assigned to the host.

There are three active criteria available that cause the Falcon Sensor to probe your network for certain conditions. These probes are triggered whenever the Falcon
Sensor detects changes in the network configuration or at regular polling intervals set by you. The polling interval you choose for each active criteria is applied across
all network locations for that criteria. For example, all network locations in your CID that use a DNS resolution test will use the same polling interval.

Note: These criteria detect changes asynchronously, and there may be a noticeable delay in evaluating a new location.

Criteria:

Ping test: Tests domain names or IP addresses for response to a ping request.

DNS resolution test: Tests whether the domain names can be resolved by the host. Optionally, you can provide the IP addresses you expect.

HTTPS certificate test: Tests whether the domain names can be reached using HTTPS. Optionally, specify a port using the standard notation as defined in RFC 2396, such as internal-service.company.com:8000. The server must be using a valid SSL certificate trusted on the host. Untrusted self-signed certificates are rejected.

We recommend you use the active criteria sparingly or consider lengthening the time between polling to prevent excessive system load. Also, keep in mind that Ping,
DNS resolution, and HTTPS certificate tests are asynchronous and won’t detect changes instantly.

For example, you may want to create a network location to detect whether the host is on the company VPN to allow access to various resources on the company
network. If you have a DNS server located at an IP address of 123.1.1.2 that is assigned to the host only when it is on the VPN, you can create a network location
and add a criteria for that DNS server address. Then that network location becomes active when the host is on the VPN. Then you can add that network location to a
Firewall rule that only activates when the VPN is connected. This approach provides instant detection of location changes and creates less load on your network.

Alternatively, if you have an internal domain that is only reachable via VPN and has an HTTPS certificate signed by a trusted Certificate Authority (CA), such as
intranet.company.local, you can create a network location using the HTTPS certificate criteria. That network location becomes active when
intranet.company.local is reachable through the VPN and has an HTTPS certificate signed by a trusted CA. You can then add that network location to a
Firewall rule that only activates when the VPN is connected and intranet.company.local is reachable with a valid SSL certificate. While this approach provides
stronger security against potential spoofing, it creates more load on your network and may not apply instantly because it is asynchronous.

When more than one network location is detected, the one with the highest precedence is activated. To reorder them, click Edit precedence then drag and drop them
directly in the list.

Configure a custom rule


Follow these steps to configure a custom firewall rule for macOS.

1. In the console, navigate to Endpoint security > Firewall > Network locations.

2. Click Create network location.

3. Enter a location name and description.

4. Click Create location.

5. In the network location builder, click to select the criteria to use.

If you select Connection type & SSID, you can choose wireless or ethernet. When you select wireless, you’ll have the additional option of limiting the
criteria to encrypted networks and/or SSIDs.

Note: SSIDs are easily spoofed and are therefore a less secure option.

For Gateway IP address, DHCP server address, DNS server address, or Host IP address criteria, enter the network addresses (IPv4, IPv6, or CIDR
block) to use.

When you select the DNS resolution test, you’ll be prompted to enter a domain name and set the polling interval. Optionally, you can configure the IP
addresses to expect.
Note: If the resolved IP addresses do not match any of the expected IP addresses you provided, the criteria will fail even if the domain name can be
resolved.

For the HTTPS certificate test criteria, you’ll be prompted to enter a domain name and set the polling interval. You can also set a TCP port, such as
company.com:8000.

To configure the Ping test criteria, enter the domain names or IP addresses to target with an ICMP request and set the polling interval.

Note: This criteria uses the ICMP protocol.

6. After you’ve configured your network locations, click Save.

7. To enable this location, select Enable location from the Action dropdown menu.
Your custom locations are available in the Create a rule group modal.

To duplicate or delete a custom network location, go to Endpoint security > Firewall > Network locations. Then click to open the location and select Duplicate
location or Delete location from the Action dropdown menu.
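To make the location logic concrete, the following added example (not CrowdStrike code) models the passive criteria and the DNS resolution test from the sections above and picks the active location by precedence, first match wins. It uses the VPN example from the text (a DNS server at 123.1.1.2 that is only assigned on the VPN) plus a constructed office location keyed on the gateway address. Two assumptions are built in and labelled in the code: all criteria of a location must be met for it to activate, and address criteria accept single addresses or CIDR blocks as the configuration steps describe. The host state values and the DNS answers are constructed sample data, not sensor output.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HostNetworkState:
    """What the sensor can observe on the host (constructed sample data)."""
    connection: str                       # "wired" or "wireless"
    ssid: Optional[str]
    gateway: str
    dhcp_server: str
    dns_servers: List[str]
    host_ip: str
    resolved: Dict[str, List[str]] = field(default_factory=dict)  # DNS probe answers, name -> addresses


@dataclass
class Criterion:
    kind: str                             # "connection", "gateway", "dhcp_server", "dns_server",
                                          # "host_ip" or "dns_resolution"
    values: List[str]                     # addresses or CIDR blocks, connection types, or domain names
    expected: Optional[List[str]] = None  # dns_resolution only: addresses the names should resolve to


@dataclass
class NetworkLocation:
    name: str
    criteria: List[Criterion]             # assumption: every criterion must be met


def address_in(addr: str, values: List[str]) -> bool:
    """True when addr falls inside any listed address or CIDR block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)


def criterion_met(c: Criterion, state: HostNetworkState) -> bool:
    if c.kind == "connection":
        return state.connection in c.values
    if c.kind == "gateway":
        return address_in(state.gateway, c.values)
    if c.kind == "dhcp_server":
        return address_in(state.dhcp_server, c.values)
    if c.kind == "host_ip":
        return address_in(state.host_ip, c.values)
    if c.kind == "dns_server":
        return any(address_in(server, c.values) for server in state.dns_servers)
    if c.kind == "dns_resolution":
        for name in c.values:
            answers = state.resolved.get(name, [])
            if not answers:
                return False      # the name did not resolve
            if c.expected and not any(address_in(a, c.expected) for a in answers):
                return False      # resolved, but to none of the expected addresses: the criteria fails
        return True
    raise ValueError(f"unknown criterion kind {c.kind!r}")


def active_location(locations: List[NetworkLocation], state: HostNetworkState) -> Optional[str]:
    """Name of the highest-precedence location whose criteria are met, or None.

    locations is ordered highest precedence first, mirroring the drag-and-drop order in the console.
    """
    for loc in locations:
        if all(criterion_met(c, state) for c in loc.criteria):
            return loc.name
    return None


# Constructed locations: the VPN example from the text plus an assumed office location.
LOCATIONS = [
    NetworkLocation("Corporate VPN", [Criterion("dns_server", ["123.1.1.2"])]),
    NetworkLocation("Office LAN", [Criterion("connection", ["wired"]),
                                   Criterion("gateway", ["10.0.0.1"])]),
]

ON_VPN = HostNetworkState("wireless", "HomeWifi", "192.168.1.1", "192.168.1.1", ["123.1.1.2"], "192.168.1.20")
IN_OFFICE = HostNetworkState("wired", None, "10.0.0.1", "10.0.0.5", ["10.0.0.53"], "10.0.4.17")
AT_HOME = HostNetworkState("wireless", "HomeWifi", "192.168.1.1", "192.168.1.1", ["192.168.1.1"], "192.168.1.20")

if __name__ == "__main__":
    for label, state in [("vpn", ON_VPN), ("office", IN_OFFICE), ("home", AT_HOME)]:
        print(label, "->", active_location(LOCATIONS, state))
```

When a host in the office also has the VPN up, both locations match and the VPN entry wins only because it is listed first; reorder the list (Edit precedence in the console) if the office rules should take priority instead.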

Add a custom network location to a rule


Once created, you can add the custom network location to new and existing rule groups. You can add multiple locations to a single firewall rule. Go to the Endpoint
security > Firewall > Rule groups page. Then follow the steps to Create a firewall rule or Edit a rule.

Note: Custom network locations are currently only available for macOS.

Firewall Rule ID and versions


When new firewall rules are created, they are automatically assigned a unique Rule ID and Version. These attributes are both available on the Rules tab of the Rule
group details and in the details of all firewall events shown in Endpoint security > Firewall > Activity.

A firewall rule’s Rule ID always stays the same. When rules are copied, the copies of the rules each get their own unique Rule ID.

A rule’s Version number changes each time it’s edited. This makes it possible to distinguish firewall events from different versions of the same rule. From the details
panel of any firewall event, click the Rule Name or Rule Version to go to the parameters defined in the specific version of the rule that triggered the event.

Firewall rules precedence


Firewall rules are processed according to precedence (sequential order) within their rule groups, so it is important to consider this when configuring a group. For
example, strict rules should have a higher precedence than generic rules. You can reorder rules on the Rules tab of a Rule group details page.

1. Go to Endpoint security > Firewall > Rule groups, click the edit icon for a rule group.
2. Click Edit precedence to activate the UP/DOWN arrow controls.

3. Use the arrows to change the precedence order of your rules.

4. Click Save.

Enable or disable firewall rule groups and rules


Like policies, rule groups and the rules within them must be enabled for them to take effect on hosts.

Rule group
Enable or disable a rule group from the Rules tab of a Rule Group Details page. Go to Endpoint security > Firewall > Rule groups and click the edit icon for a rule
group. The options to Enable or Disable the rule group are in the upper right corner.

Rule
Enable or disable an individual rule from the Rules tab of a Rule group details page.

1. Go to Endpoint security > Firewall > Rule groups and click the edit icon for a rule group.

2. Select a rule or rules to activate the options.

3. Click the option to Enable or Disable above the table.

4. On the Rules tab of Rule group details, click Save.


Delete firewall rule groups and rules

Rule group
Delete a firewall rule group you no longer need from its Rules tab of a Rule group details page (Endpoint security > Firewall > Rule groups and click the edit icon for a
rule group). The option to Delete the rule group is in the upper right corner.

Rule
Delete firewall rules you no longer need from the Rules tab of a Rule group details page (Endpoint security > Firewall > Rule groups and click the edit icon for a rule
group).

1. Select a rule or rules to activate the options.

2. Click the option to Delete on the upper left.

3. In the dialog, click Delete Rules on Save to confirm.

4. On the Rules tab of Rule group details, click Save.

Viewing a firewall rule group’s assigned firewall policies


Firewall rule groups take effect on hosts through their assigned firewall policies, as configured in Firewall Policies. You can see which policies each rule group is
assigned to in its Rule group details.

Go to the Endpoint security > Firewall > Rule groups page and click the Edit rule group icon for the rule group you want to see. Click the Firewall Policies tab to view
the firewall policies the rule group is in, and click Go to policies to go to the Firewall Policies page.

See Assigning firewall rule groups to a firewall policy for more information.

Troubleshoot rule enforcement for macOS endpoints


If, after you’ve completed configuration and testing, your firewall rules aren’t enforced as you expected, confirm the following requirements and settings:

macOS version is Big Sur 11.4 or later

sensor version 6.33 or later is loaded and running

macOS sensor version 6.41 or later is loaded and running for wildcard support

Windows sensor version 6.42 or later is loaded and running for wildcard support

the sensor received an updated channel file

Enforce policy is enabled at the policy level

Monitor mode is disabled

Audit changes to firewall rules and rule groups


CrowdStrike automatically audits all changes to firewall rules and rule groups. There are two types of audit logs available to view changes to your firewall rules:

Log contents, and where to access it:

Full revision history of every firewall rule and rule group: In the top right corner of the Firewall rule groups page, click See audit log.

Revision history of firewall rules within a specific rule group: Go to the firewall rule group’s Rule group details page and click the Audit Log tab.

Sort columns to group your view of the log. Logged revisions are defined in the Action column as Created, Updated, or Deleted.

Click any revision to see its Details panel:

For updates to rule groups, the revision’s details include whether it was enabled or disabled.

When individual rules have been updated, see the detailed changes that were made.

Manage your firewall policies


Use firewall policies to apply the rules in your firewall rule groups to your hosts. You can have a total of 100 firewall policies, including the Default Policy.

About Falcon policies


A policy is a collection of settings. Falcon includes many types of policies for specific purposes: prevention policies, sensor update policies, and more. All policies work
the same way:

1. Create the policy and configure its settings

2. Assign the policy to one or more host groups

3. Falcon applies the policy settings to each host based on its host group membership and policy precedence

If a host doesn't belong to any host groups assigned to a policy, it automatically uses the settings defined in the default policy.

View your firewall policies


Go to Endpoint security > Firewall > Policies to see your firewall policies. Click any policy to expand a quick view list of host groups assigned to it.

Click an Edit Policy icon on the right to see details and edit an individual policy.
Policy details are configured and displayed on four tabs:

Settings: Where to define whether and how the policy is applied to assigned host groups.

Assigned Host Groups: Where to define which host groups will use the settings of the policy if it is enforced.

Assigned Rule Groups: Where to assign the firewall rule groups to the policy, and the order in which they are enforced.

Rules Summary: All of the individual firewall rules in the policy’s assigned firewall rule groups shown in the order in which they are enforced.

Create a firewall policy


Create your organization’s firewall policies to enforce your firewall rules on host groups.

1. Go to Endpoint security > Firewall > Policies and click Create new policy.

2. In the Create Policy Details dialog, give your policy a name and description. Click Next to continue.

3. There are two options to start a new firewall policy. Start from scratch or modify an existing policy.
Empty Policy makes a new policy that contains no rule groups.

Existing Policy copies one of your firewall policies with all of its assigned rule groups (but not host groups). Select one of your policies and click Create
Policy.

4. Your firewall policy is created, and you see the Settings tab of its Policy details.

5. Next: Assign rule groups to the policy.

Assign firewall rule groups to a firewall policy


Add firewall rule groups to your organization’s firewall policies so you can enforce your firewall rules on host groups.

1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for the policy you want to assign rule groups to.

2. Go to the firewall policy’s Assigned rule groups tab, and click Assign rule groups.

3. In the Assign firewall rule group dialog, select rule groups, and click Assign to Policy.

4. Your selections are added to the list of Assigned rule groups in the position of lowest precedence.

5. Next: Edit firewall rule group precedence.

Note: Assigning a rule group to a policy does not change the rule group’s enabled or disabled status. Quickly get to a rule group’s details by clicking the
Edit icon in the Actions column to enable or disable it.

Edit firewall rule group precedence in a firewall policy


Firewall rule groups are processed according to precedence within the firewall policies they’re assigned to, so it’s important to consider this when configuring a policy.
For example, rule groups with strict rules should have a higher precedence than more generic rule groups.

Reorder rule group precedence on a policy’s Assigned rule groups tab.

1. Go to Endpoint security > Firewall > Policies, click the edit icon for a policy.

2. Click Edit precedence to activate the UP/DOWN arrow controls.

3. Use the arrows to change the precedence order of your rule groups.

4. Click Save to keep your changes.

Remove a firewall rule group from a firewall policy


You can remove firewall rule groups from firewall policies. This does not delete the firewall rule group or the rules with it.

1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for the policy you want to remove rule groups from.

2. Go to the firewall policy’s Assigned rule groups tab.

3. Click the option to Remove in the Actions column.

Configure firewall policy settings


Use the Settings tab of an individual firewall policy to configure whether and how the policy is applied. Go to Endpoint security > Firewall > Policies and click the Edit
Policy icon for a policy.

Firewall policy enforcement and monitoring


Enforce Policy: Turn on this setting to apply the policy’s rules on the hosts in the assigned host groups. This disables the hosts’ OS firewall rules and
overrides the firewall settings.

Windows

This disables the Windows hosts’ OS firewall rules. Falcon’s firewall rules take full precedence over the existing Windows firewall settings of the individual hosts in the assigned host groups. Any Windows firewall settings, such as those created using Windows group policies, remain on the system but do not function.

macOS

When the CrowdStrike Firewall is enforced on macOS hosts, it doesn’t override the OS firewall but works alongside it. As a result, both firewalls can be active simultaneously. Both firewalls must be configured to allow given traffic in order for it to flow. The OS firewall takes action first, so if the OS firewall blocks a piece of network traffic, the Falcon Firewall won’t have visibility of it.

For example, if the macOS firewall is configured to allow, and the CrowdStrike Firewall is configured to block, the block occurs. If the macOS firewall is configured to block, and the CrowdStrike Firewall is configured to allow, the connection is blocked.

Monitor Mode: Temporarily turn on this setting to allow traffic that would normally be blocked by the policy and report all associated events in Endpoint security > Firewall > Activity, where the Action taken for these events is labeled Would be blocked.

Note: During testing, if the noise is too high, or you need to determine whether the firewall events you’re seeing are from a firewall rule or default
traffic rule: temporarily set the default traffic rules to Allow All. Remember to switch them back to the desired setting when you finish testing and
disable Monitor Mode.

Local Logging (Windows and macOS): Turn on this setting to record all traffic that matches rules assigned to this policy. When enabled, it creates a CSV file
with the base name hbfw.log on the host at %SystemRoot%\System32\Drivers\CrowdStrike\ for Windows and
/Library/Application Support/CrowdStrike/Falcon/ for macOS. Each CSV file is limited to 5 MB. Up to the 5 most recent CSV files are stored
on the host.

The CSV file contains the following information for each record:

Time stamp (UTC)

Rule Version

Action

Direction

Local Address

Local Port

Remote Address

Remote Port

Profile (unknown for macOS)

Image File Name

UPID

PID

User Name (unknown for macOS)
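As an added example (not part of the CrowdStrike documentation), a small Python parser for hbfw.log records. It assumes the CSV columns appear in the order listed above and that the file has no header row; the log lines are constructed, not captured from a sensor, and the rotated-file naming pattern hbfw.log* is an assumption.

```python
import csv
from collections import Counter
from pathlib import Path

# Column order is assumed to match the field list in the documentation above,
# and hbfw.log is assumed to carry no header row (both are assumptions).
FIELDS = [
    "timestamp_utc", "rule_version", "action", "direction",
    "local_address", "local_port", "remote_address", "remote_port",
    "profile", "image_file_name", "upid", "pid", "user_name",
]

# Constructed sample records in that layout (illustrative values, not sensor
# output). The final line imitates a record cut off when a file was rotated.
SAMPLE_LOG = """\
2024-01-15T10:03:11Z,12,Blocked,Inbound,10.0.0.5,445,10.0.0.77,51322,Domain,System,upid-0001,4,unknown
2024-01-15T10:03:12Z,12,Allowed,Outbound,10.0.0.5,52110,10.0.0.2,53,Domain,C:\\Windows\\System32\\svchost.exe,upid-0002,1448,NT AUTHORITY\\NETWORK SERVICE
2024-01-15T10:03:14Z,12,Blocked,Inbound,10.0.0.5,3389,203.0.113.9,40211,Domain,System,upid-0001,4,unknown
2024-01-15T10:03:15Z,12,Blocked,Inbound,10.0.0.5,445,10.0.0.77,51330,Domain,System,upid-0001,4,unknown
2024-01-15T10:03:16Z,12,Blo
"""


def parse_hbfw_log(text):
    """Parse hbfw.log CSV text into a list of dicts keyed by FIELDS.

    Rows with the wrong number of columns (blank lines, or a record cut off
    at the end of a rotated file) are skipped rather than mis-keyed.
    """
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, row)))
    return records


def summarize_blocked(records):
    """Count blocked records by (direction, local port, remote address)."""
    counts = Counter()
    for rec in records:
        if rec["action"].lower() == "blocked":
            counts[(rec["direction"], rec["local_port"], rec["remote_address"])] += 1
    return counts


def load_host_logs(log_dir):
    """Read every hbfw.log* file from a sensor log directory on a host.

    Directories per the documentation: %SystemRoot%\\System32\\Drivers\\CrowdStrike\\
    on Windows and /Library/Application Support/CrowdStrike/Falcon/ on macOS.
    """
    records = []
    for path in sorted(Path(log_dir).glob("hbfw.log*")):
        records.extend(parse_hbfw_log(path.read_text(encoding="utf-8", errors="replace")))
    return records


if __name__ == "__main__":
    recs = parse_hbfw_log(SAMPLE_LOG)
    for key, n in summarize_blocked(recs).most_common():
        print(f"{n:3d} blocked  {key[0]:<8} local port {key[1]:<5} from {key[2]}")
```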

Confirm an updated firewall policy or rule for macOS


To confirm a macOS endpoint received an updated firewall policy or rule, run one of the following commands in the terminal:

1. sudo /Applications/Falcon.app/Contents/Resources/falconctl stats hbfw

Check the rule_count value. By default this value is greater than 0, because it includes the 25 core rules and the policy-level default traffic rules (inbound
and outbound). If the displayed value increases or decreases, a rule was added/enabled or removed/disabled.

2. sudo /Applications/Falcon.app/Contents/Resources/falconctl stats dynamic_settings | grep hbfw

This value is the current firewall channel file version for the sensor. When it changes, the latest policy and rule settings are present on the endpoint.

Default traffic rules


Configure default rules to Allow All or Block All inbound or outbound traffic that is not otherwise specified by the policy’s assigned firewall rules.

CrowdStrike recommends setting your default rule for inbound traffic to Block All.

Firewall Default Policy


Policy precedence allows you to configure your Firewall policies so that when a policy is disabled, host groups adopt the next highest ranking enabled policy they’re
assigned to. The default policy is the last policy in the order of precedence. It’s applied to all hosts that aren’t assigned to another enabled policy. As an added
safeguard, the Falcon Firewall Management’s Default Policy is configured to be unenforceable. This guarantees that any hosts that aren't assigned to one of your
Firewall policies won’t block any traffic.

You can also create your own conservative policy for your hosts that aren’t assigned to another enabled firewall policy. To have this firewall policy take effect on your
unassigned hosts instead of the updated default, enable the policy, position it in the last place of policy precedence before the Default Policy, and assign all of your
host groups to it.

Editing firewall policy precedence


Like other Falcon policies, firewall policies are processed according to precedence on the hosts they’re assigned to, so it’s important to consider precedence when
configuring your organization’s firewall policies.

Policy precedence lets you configure your Firewall policies so that when a policy is disabled, host groups adopt the next highest ranking enabled policy they’re
assigned to.

Reorder policy precedence on the Firewall Policies page.

1. Go to Endpoint security > Firewall > Policies.

2. Click Edit precedence to activate the UP/DOWN arrow controls.

3. Use the arrows to change the precedence order of your policies.

4. Click Save to keep your changes.

Policy precedence determines which policy's settings are applied to a host when the host is a member of more than one policy. Define policies with different
precedences to resolve conflicts. Then, when faced with a conflict, the cloud automatically applies the policy with the higher precedence (1 being higher than 2, which
is higher than 3, and so on).

On a host, the policy with the highest ranking precedence (1 being highest) is applied and active. If something changes with that highest-ranking policy, for example if
it gets disabled, then the next highest-ranking policy gets applied and becomes active.

Each host can belong to one or more host groups. Host groups can be assigned one or more policies. With dynamic groups, a newly-installed sensor inherits the
relevant groups and applies the policy with highest precedence to the host. This provides the host with its initial policy settings.

If a host is not a part of any groups, or the groups it belongs to have no policies assigned, it is automatically assigned to the default policy.

Review the order firewall rules are applied in a firewall policy


Because firewall rules are processed in precedence order within their rule group, and rule groups are processed in precedence order within a policy, it can be hard to
visualize the order in which all the rules will be processed in a policy, keep track of which rules are enabled and disabled, or quickly update the rules. Because of this,
Falcon provides a list of firewall rules in each policy. This listing does not include the core networking firewall rules. This summary shows them in the order they’re
processed and provides Edit rule icons to easily make changes:

1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for a policy.

2. Go to the Rules Summary tab.
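The policy precedence resolution described above (highest-ranking enabled policy, default policy as fallback) and the Rules Summary ordering (rule groups in group precedence, rules in rule precedence, disabled ones skipped), modelled as an added Python example that is not CrowdStrike code. The policy, host group and rule names are constructed; the default policy is modelled as enabled but unenforced, as the documentation describes it.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    enabled: bool = True


@dataclass
class RuleGroup:
    name: str
    rules: list            # in rule precedence order
    enabled: bool = True


@dataclass
class Policy:
    name: str
    precedence: int        # 1 is highest; the default policy is last
    host_groups: set = field(default_factory=set)
    rule_groups: list = field(default_factory=list)  # in rule-group precedence order
    enabled: bool = True
    enforced: bool = True


def resolve_policy(host_groups, policies, default_policy):
    """Return the enabled policy of highest precedence (lowest number) assigned to
    any of the host's groups, or the default policy when no such policy exists."""
    candidates = [p for p in policies
                  if p.enabled and p is not default_policy and p.host_groups & set(host_groups)]
    if not candidates:
        return default_policy
    return min(candidates, key=lambda p: p.precedence)


def effective_rules(policy):
    """Rules in the order the Rules Summary tab lists them: enabled rule groups in
    group precedence, each group's enabled rules in rule precedence. Core rules,
    which are processed before all of these, are not included, as on the tab."""
    return [r.name for g in policy.rule_groups if g.enabled for r in g.rules if r.enabled]


def falcon_firewall_active(policy):
    """Hosts run the Falcon firewall only under a policy that is both enabled and enforced."""
    return policy.enabled and policy.enforced


# Constructed sample policies (names are illustrative, not from the documentation).
DEFAULT = Policy("Default Policy", precedence=3, enforced=False)
STRICT = Policy("File server strict", precedence=1, host_groups={"file-servers"},
                rule_groups=[RuleGroup("SMB", [Rule("Allow SMB from LAN"),
                                               Rule("Block SMB from elsewhere")]),
                             RuleGroup("Legacy", [Rule("Allow telnet")], enabled=False)])
BASELINE = Policy("Workstation baseline", precedence=2,
                  host_groups={"workstations", "file-servers"},
                  rule_groups=[RuleGroup("Common", [Rule("Allow RDP from jump host"),
                                                    Rule("Debug rule", enabled=False)])])
POLICIES = [BASELINE, STRICT, DEFAULT]

if __name__ == "__main__":
    for groups in ({"file-servers"}, {"workstations"}, {"laptops"}):
        chosen = resolve_policy(groups, POLICIES, DEFAULT)
        print(sorted(groups), "->", chosen.name, effective_rules(chosen))
```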

Assign firewall policies


Assign host groups to a firewall policy. The hosts assigned to a firewall policy are shown on the policy’s Assigned host groups tab and in its expanded row view on the
main firewall policies page.

To assign a host group within Firewall Policies:

1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for a policy.

2. Go to the Assigned host groups tab.


3. Click Add groups to policy in the upper-right.

4. In the Add Groups to Policy dialog, select one or more host groups.

5. Click Add Groups to Policy.

6. Your host group selections are assigned to the policy.

Enable or disable a firewall policy


A firewall policy must be enabled through the policy’s Settings tab, and enforced, for the Falcon firewall rules to take effect on hosts. When an enforced firewall policy
is enabled from the Falcon console, Falcon’s firewall rules take precedence over the existing Windows firewall settings of the individual hosts in the assigned host groups.
macOS and Falcon firewall settings are enforced concurrently.

When a firewall policy is disabled, hosts adopt the settings and rules from the next firewall policy they are assigned to according to precedence. If a host doesn't
belong to any host groups assigned to a firewall policy, it automatically uses the settings defined in the default firewall policy.

When a host group is no longer assigned to any firewall policies that are both enforced and enabled, the Falcon Firewall is removed from its hosts. When a Windows
host stops receiving firewall policy from Falcon, it reverts back to its Windows firewall settings. Since macOS firewall settings are enforced concurrently with the
Falcon firewall, when you remove the Falcon firewall, the macOS firewall settings remain active.

Note: Admins can modify the Windows firewall on hosts while Falcon is managing the firewall, but the changes don’t take effect unless the host stops
receiving firewall policy from Falcon.

To enable or disable a policy:

Windows

1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for a policy

2. On the Settings tab of the Policy Details page, click Enable/Disable.

macOS

CrowdStrike recommends following the same steps given above to manage macOS firewall settings from the Falcon console. However, in the event of an emergency
or for troubleshooting you can disable and enable the firewall and event monitoring by running these commands in the terminal:

To disable: sudo /Applications/Falcon.app/Contents/Resources/falconctl disable-filter

To enable: sudo /Applications/Falcon.app/Contents/Resources/falconctl enable-filter

Delete a firewall policy


Permanently remove a firewall policy by deleting it. You must disable the policy before you can delete it.

1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for a policy

2. On the Settings tab, click Delete.

Note: The Windows or macOS firewall settings show the settings that the host would revert to if Falcon firewall policy was removed. Admins can modify
the Windows or macOS firewall on hosts while Falcon is managing the firewall, but the changes don’t take effect unless the host stops receiving firewall
policy from Falcon.

View Firewall Events


Go to Endpoint security > Firewall > Activity to see events associated with firewall rule and policy matches. Click any firewall event’s row to expand its details.

When a policy is in Monitor mode, Falcon records events associated with traffic that matches your firewall rules that have Watch mode enabled. It also records traffic
that matches the policy’s Default traffic rules and the assigned firewall rules that would be blocked if Monitor mode was turned off. The Action taken for these events
is labeled Would be blocked.

Check compliance


Windows

If your organization requires a compliance check performed by applications like VPN software, we provide a registry key called EnforcementLevel located under
HKLM\Software\CrowdStrike\FWPolicy. A value of 1 indicates that the firewall is enabled and enforced.

macOS

If your organization requires a compliance check performed by applications like VPN software, run sudo
/Applications/Falcon.app/Contents/Resources/falconctl stats hbfw. If the values for data, packet, and rule_count are all greater than 0 (zero), this
confirms that the firewall is enabled and enforced.

Network Auditing in Windows


While using Falcon Firewall Management, you can enable Windows Filtering Platform’s auditing of firewall-related events on a host to view them in the Windows
Security Log for that host.

To enable this reporting, run:

auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

See Windows documentation for more information.

Confirm firewall policies on a macOS endpoint


To confirm that CrowdStrike’s macOS firewall policies are enforced on an endpoint, run the following command in the terminal:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats hbfw

In the output, locate ===hbfw=== and look for these three values:

data

packet

rule_count

If these values are all 0 (zero), then this means that the firewall is not enabled and not enforced.

Example: Results for a disabled firewall

=== hbfw ===

data: 0

log: 0

packet: 0

rule_count: 0

Example: Results for an enabled firewall

=== hbfw ===

data: 27

log: 0

packet: 2

rule_count: 27

You can also use these value outputs to check for compliance.
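An added example, not from the CrowdStrike documentation: a Python helper that parses the falconctl stats hbfw output shown above, applies the page's enabled/enforced test (data, packet and rule_count all above zero), and compares rule_count between two readings as described under confirming an updated policy or rule. The sample outputs are constructed from the examples above; the helper that invokes falconctl assumes it runs as root on a macOS host with the sensor installed.

```python
import os
import re
import subprocess

FALCONCTL = "/Applications/Falcon.app/Contents/Resources/falconctl"

# Constructed outputs, modelled on the examples in the documentation above.
DISABLED_OUTPUT = """\
=== hbfw ===
data: 0
log: 0
packet: 0
rule_count: 0
"""

ENABLED_OUTPUT = """\
=== hbfw ===
data: 27
log: 0
packet: 2
rule_count: 27
"""


def parse_hbfw_stats(output):
    """Return the integer counters listed under the hbfw section heading.

    Both '=== hbfw ===' and '===hbfw===' are accepted; other sections are ignored.
    """
    stats = {}
    in_hbfw = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("===") and line.endswith("==="):
            in_hbfw = line.strip("= ").lower() == "hbfw"
            continue
        if not in_hbfw:
            continue
        m = re.fullmatch(r"([A-Za-z_]+):\s*(\d+)", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def firewall_enforced(stats):
    """The documentation's test: data, packet and rule_count all above zero."""
    return all(stats.get(key, 0) > 0 for key in ("data", "packet", "rule_count"))


def rule_count_delta(before, after):
    """Positive means rules were added/enabled, negative removed/disabled."""
    return after.get("rule_count", 0) - before.get("rule_count", 0)


def read_live_stats():
    """Run falconctl on this host (requires root); None if it is not available."""
    if not os.path.exists(FALCONCTL):
        return None
    try:
        proc = subprocess.run([FALCONCTL, "stats", "hbfw"],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_hbfw_stats(proc.stdout)


if __name__ == "__main__":
    live = read_live_stats()
    stats = live if live is not None else parse_hbfw_stats(ENABLED_OUTPUT)
    print("enforced" if firewall_enforced(stats) else "NOT enforced", stats)
```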

Support for advanced protocols on macOS hosts


The API on macOS (packet provider) that supports firewall functionality for advanced protocols is disabled by default because, in a small number of instances, it
might cause a macOS host to disconnect from the network when combined with VPN and external network interfaces active on that host.

This issue won’t affect most, if any, of your hosts. When advanced protocols are used, CrowdStrike recommends you enable and test the packet provider before
deploying. After the packet provider is enabled, the sensor doesn’t need to be reloaded and a new firewall policy isn’t required. Rules in the deployed policy with an
advanced protocol are immediately enforced.

To enable the Falcon packet provider, run sudo /Applications/Falcon.app/Contents/Resources/falconctl enable-packet-provider

CrowdStrike Core Windows Networking Firewall Rules


These rules are automatically enabled on every firewall policy, and are processed before all other rules. There is also an option available to copy these rules when
starting a new rule group. These core rules are periodically edited and new ones are periodically added. To see the most up-to-date list, create a new rule group using
the CrowdStrike preset rule group option.

| Status | Rule name | Description | Traffic direction | Action to take | Event frequency | Protocol | Local IP | Local port | Remote address | Remote port | Executable filepath |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Enabled | ICMPv6 Neighbor Solicitation | Allow ICMPv6 type 135 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | Receive ICMP ping reply | Allow ICMPv6 echo reply Inbound to the System process | In | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | ICMPv6 Multicast Listener Query | Allow ICMPv6 type 130 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | Internet Group Management (IGMP) | Allow IGMP (Internet Group Management) In and Out to and from the System process | Both | Allowed | 0 / 0ms | 2 | * | | * | | System |
| Enabled | ICMPv6 Multicast Listener Report | Allow ICMPv6 type 131 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | DHCP on IPv4 | Allow DHCP In and Out to and from the Dhcp service | Both | Allowed | 0 / 0ms | UDP | * | 68 | * | 67 | %SystemRoot%\ |
| Enabled | Microsoft DS Group Policy | Allow TCP Out from the Group Policy service when on the Domain | Out | Allowed | 0 / 0ms | TCP | * | | * | | %SystemRoot%\ |
| Enabled | DNS request | Allow DNS Out from the Dnscache service | Out | Allowed | 0 / 0ms | UDP | * | | * | 53 | %SystemRoot%\ |
| Enabled | W32Time | Allow UDP Out from the Network Time Protocol service to NTP port | Out | Allowed | 0 / 0ms | UDP | * | | * | 123 | %SystemRoot%\ |
| Enabled | Microsoft DS Network Sharing | Allow TCP from the System process to DS network share port when on the Domain | Out | Allowed | 0 / 0ms | TCP | * | | * | 445 | System |
| Enabled | ICMPv6 Multicast Listener Report version 2 | Allow ICMPv6 type 143 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | DHCP on IPv6 | Allow DHCPv6 In and Out to and from the Dhcp service | Both | Allowed | 0 / 0ms | UDP | * | 546 | * | 547 | %SystemRoot%\ |
| Enabled | ICMPv6 Parameter Problem | Allow ICMPv6 type 4 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | ICMPv6 Neighbor Advertisement | Allow ICMPv6 type 136 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | ICMPv6 Packet Too Big | Allow ICMPv6 type 2 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | ICMPv6 Multicast Listener Done | Allow ICMPv6 type 132 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | Lsass | Allow TCP Out from the lsass process when on the Domain | Out | Allowed | 0 / 0ms | TCP | * | | * | | %SystemRoot%\ |
| Enabled | ICMPv6 Router Solicitation | Allow ICMPv6 type 133 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | ICMPv6 Router Advertisement out | Allow ICMPv6 type 134 Out from the System process | Out | Allowed | 0 / 0ms | ICMPv6 | fe80:: | | * | | System |
| Enabled | ICMPv6 Router Advertisement in | Allow ICMPv6 type 134 Into the System process | In | Allowed | 0 / 0ms | ICMPv6 | * | | fe80:: | | System |
| Enabled | ICMPv6 Time Exceeded | Allow ICMPv6 type 3 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System |
| Enabled | Receive ICMP destination unreachable - fragmentation needed reply | Allow ICMPv4 type 3 code 4 Inbound to the System process | In | Allowed | 0 / 0ms | ICMPv4 | * | | * | | System |
