Falcon Firewall Management
Contents:
Overview
Before you begin
Requirements
Overview
Centrally manage the firewalls on your Windows and macOS hosts from the Falcon console using Falcon Firewall Management, which is based on the Windows Filtering Platform (Windows) or the CrowdStrike platform (macOS). Secure your hosts from network threats by allowing or blocking network traffic in accordance with your organization's policies.
Before you begin
Firewall policies are enforced on hosts by using host groups. For info about creating host groups, see Host and Host Group Management.
Requirements
Subscription: Falcon Firewall Management
Sensor support:
Windows: Falcon sensor for Windows version 6.33 and later. Sensor version 6.42 or later is required for wildcard support.
Note: If a Falcon firewall policy is applied to a host running an earlier sensor version, the host has a firewall policy state of Pending Changes until it updates to a sensor that supports Falcon firewall management.
macOS: Requires macOS sensor version 6.33 or later. Sensor version 6.41 or later is required for wildcard support.
Note: The beta version of firewall management is available on sensors 6.31 and 6.32, but rule enforcement issues might occur; we recommend updating to version 6.33 or later. If a Falcon firewall policy is applied to a host with an earlier sensor version, the host shows a firewall policy state of Pending Changes until it updates to a sensor that supports Falcon firewall management.
Support for advanced protocols: For info, see Support for Advanced Protocols.
ICMP connections: To block incoming ICMP connections, enable stealth mode in macOS System Preferences.
Roles:
Firewall Manager: Create and edit firewall rules, assign firewall rule groups to firewall policies, and assign firewall policies to host groups.
Note: The Firewall Manager role doesn’t include the ability to create and edit host groups themselves. The Falcon Administrator role is required for host
group management.
These roles can view firewall rules, rule groups, policies, and audit logs:
Falcon Administrator
Falcon Analyst
Falcon Investigator
Rules: Individual firewall rules define precise network traffic that is allowed or blocked and whether you want to see associated events in the console.
Rule groups: Use firewall rule groups to organize firewall rules. You can start with an empty group and build it out, or start with a CrowdStrike preset rule group, a
collection of core rules that you can edit for your needs. You can also start a new rule group by copying one of your own groups to edit as needed. Rules are enforced
in the precedence order you define in their rule group.
Policies: Use policies to enforce firewall rules. You assign rule groups to a policy and then configure the policy to allow or block any remaining network traffic that is
not defined by the rules in its rule groups.
Firewall rule groups are enforced in the precedence order you define within a policy.
Policy precedence handles situations where a host is assigned to more than one policy.
Implementation overview
Implementing a set of Falcon firewall rules and policy to secure your hosts from network threats involves these key steps:
Determine the network traffic you need to allow, block, and review.
Make sure you have host groups that are aligned with how you need to apply firewall policies.
Define the traffic you will allow and block in your firewall rules.
Falcon provides two options to report firewall events in Endpoint security > Firewall > Activity during testing:
At the individual rule level, turn on Watch mode to report all matching traffic.
At the policy level, temporarily turn on Monitor mode to allow traffic that would normally be blocked by the policy and report all associated events.
Rollout/Go Live
Build out your firewall rule groups, rules, and policies.
Important: Improper implementation of firewall rules can cause a major issue that requires manual remediation. Always be aware of the potential impact Firewall rules
might have on your environment.
CrowdStrike has certain safeguards in place to reduce the risk:
Click an Edit rule group icon to go to that rule group’s Rule group details.
Rule group details opens to a view of the Rules tab. Use the icons on the top right of the table for Table export options and Toggle table options to customize the
columns you see.
In the Actions column, click an Edit rule icon to see and edit an individual firewall rule.
Create a firewall rule group
To begin setting up your organization’s firewall in Falcon console, create a rule group.
3. Enter a group name and description in the New rule group details dialog. Click Next.
5. There are three options to start a new firewall rule group. Start from scratch or modify an existing rule group. Select an option and click Create Rule Group.
Rule group you’ve created: Copies an existing firewall rule group and its firewall rules
CrowdStrike preset rule group: Makes a rule group with our collection of core networking firewall rules
6. Your firewall rule group is created, and you see the Rules tab of its Rule group details.
7. Next: Create new firewall rules or Edit the rules in the group.
1. Go to the Endpoint security > Firewall > Rule groups page and click the Edit rule group icon for the rule group you want to edit.
3. Click the Edit rule group icon for the rule group you want to edit.
4. On the Rules tab of the Rule group details, click Edit rule group.
5. Make your changes in the Edit rule group dialog and click Save.
3. Click the Edit rule group icon for the rule group where you’ll add the new rule.
4. On the Rules tab of the Rule group details, click Create new rule.
5. In the Add new firewall rule dialog, define the rule in the firewall rule dialog fields.
6. To configure a rule for executables with dynamic file paths, include a wildcard in the Executable Filepath field. To confirm that the wildcard works as
expected, enter a URL in the Test String field.
Edit a rule
You can edit all existing firewall rule parameters. Review firewall rule versions and rule IDs for information about what changes when edits are made.
1. Go to the Endpoint security > Firewall > Rule groups page and click the Edit rule group icon for the rule group where you’ll add your new rule.
2. On the Rules tab of the Rule group details card, click an Edit rule icon in the Actions column to see and edit an individual firewall rule.
3. Make your changes in the firewall rule dialog fields and click Edit Firewall Rule.
4. On the Rules tab of Rule group details, click Save.
Address Family: Your selection determines how the address formats you enter in the Local Address and Remote Address fields are parsed and validated. If you are creating a rule that defines addresses, select the address family you're using:
IPv4
IPv6
Local Address and Remote Address: Enter the local IP addresses and remote IP addresses the rule will match, if any. Related firewall events report the exact address involved in the connection that matches the rule. The Local Address and Remote Address fields support the same values:
Important: Every address defined in these fields must be either IPv4 or IPv6, matching the family selected in Address Family for this rule.
Semicolons can be used to separate individual IP addresses and ranges (limited to 1,000 identified addresses).
IPv4: CIDR notation with a network prefix as a single integer from 1-32, inclusive.
IPv6: Define a single IP address or use CIDR notation to define an address range, with a network prefix as a single integer from 1-128, inclusive.
Examples:
192.168.0.0/8
10.0.0,1,3-7.-
fe80::a8bb:ccff:fedd:eeff
1022::beef:168:aa30:a09/120
5aef:2b::8/112
::1
192.168.1-254.1-254
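The address formats above, checked in code as an added example that is not CrowdStrike's own parser: it assumes each semicolon-separated entry counts once toward the 1,000 limit, and it treats a per-octet range such as 192.168.1-254.1-254 as a matcher rather than expanding it.

```python
"""Validator and matcher for the Local Address / Remote Address field text.
Added illustration, not CrowdStrike code. Rules taken from the page: entries
are separated by semicolons; CIDR prefixes are 1-32 (IPv4) or 1-128 (IPv6);
every entry must match the selected Address Family. Assumption: each
semicolon-separated entry counts once toward the 1,000 limit."""
import ipaddress
import re

MAX_ENTRIES = 1000
_OCTET = r"(\d{1,3})(?:-(\d{1,3}))?"
_IPV4_OCTET_RANGE = re.compile(rf"^{_OCTET}\.{_OCTET}\.{_OCTET}\.{_OCTET}$")
_VERSION = {"IPv4": 4, "IPv6": 6}


class AddressFieldError(ValueError):
    """Raised when the field text violates the format or the Address Family."""


def _octet_range(lo, hi):
    low, high = int(lo), int(hi if hi is not None else lo)
    if not 0 <= low <= high <= 255:
        raise AddressFieldError(f"octet range {lo}-{hi} is out of bounds")
    return range(low, high + 1)


def _parse_entry(item, version):
    if "/" in item:  # CIDR block; host bits are tolerated, as in 192.168.0.0/8
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            raise AddressFieldError(f"bad CIDR entry {item!r}: {exc}") from exc
        if net.version != version:
            raise AddressFieldError(f"{item!r} does not match the Address Family")
        if net.prefixlen < 1:  # page: prefix is an integer from 1 upward
            raise AddressFieldError(f"{item!r}: prefix length must be at least 1")
        return net
    if "-" in item:  # per-octet range, IPv4 only (e.g. 192.168.1-254.1-254)
        m = _IPV4_OCTET_RANGE.match(item)
        if version != 4 or not m:
            raise AddressFieldError(f"{item!r} is not a valid IPv4 octet-range entry")
        g = m.groups()
        return tuple(_octet_range(g[i], g[i + 1]) for i in range(0, 8, 2))
    try:  # single address
        addr = ipaddress.ip_address(item)
    except ValueError as exc:
        raise AddressFieldError(f"bad address {item!r}: {exc}") from exc
    if addr.version != version:
        raise AddressFieldError(f"{item!r} does not match the Address Family")
    return addr


def parse_address_field(value, family):
    """Parse the field text for Address Family 'IPv4' or 'IPv6'.

    Returns a list of entries: ipaddress networks, ipaddress addresses, or
    4-tuples of per-octet ranges. Raises AddressFieldError on invalid input."""
    if family not in _VERSION:
        raise AddressFieldError("Address Family must be 'IPv4' or 'IPv6'")
    items = [s.strip() for s in value.split(";") if s.strip()]
    if len(items) > MAX_ENTRIES:
        raise AddressFieldError(f"more than {MAX_ENTRIES} entries")
    return [_parse_entry(item, _VERSION[family]) for item in items]


def is_valid_address_field(value, family):
    """True if the text would be accepted for the given Address Family."""
    try:
        parse_address_field(value, family)
        return True
    except AddressFieldError:
        return False


def field_matches(entries, candidate):
    """True if the address string `candidate` matches any parsed entry."""
    addr = ipaddress.ip_address(candidate)
    for entry in entries:
        if isinstance(entry, tuple):  # per-octet ranges
            if addr.version == 4 and all(
                int(o) in r for o, r in zip(str(addr).split("."), entry)
            ):
                return True
        elif isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if addr.version == entry.version and addr in entry:
                return True
        elif addr == entry:
            return True
    return False
```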
Local Port and Remote Port: Enter the local ports and remote ports the rule will match, if any. Format the Local Port and Remote Port fields using these supported parameters:
Combinations of single values and ranges in a single rule: Define using an array, for example 22, 80-88.
Direction: Select the direction of traffic the rule applies to:
Inbound: The rule applies to network traffic from the Remote Address/Port to the Local Address/Port.
Outbound: The rule applies to network traffic from the Local Address/Port to the Remote Address/Port.
Inbound and outbound: The rule applies to all network traffic between the Remote Address/Port and the Local Address/Port.
Protocol: Select the protocol the rule applies to:
Any
TCP
UDP
ICMPv4
ICMPv6
Note: macOS doesn't have visibility into and cannot block SSH connections.
Advanced: When you select Advanced, the Protocol Number field is made available so you can enter the next level protocol, also known as the transport layer protocol. See the Internet Assigned Numbers Authority's (IANA) official list of protocols: iana.org
Watch Mode: Select this option to see the events associated with this rule in Endpoint security > Firewall > Activity. You might want to use this setting for
troubleshooting, testing a newly added firewall rule, or monitoring a critical firewall rule.
Note: Turn on watch mode to report events associated with the rule. When watch mode is enabled, one event per hour is viewable for the rule.
Network Profile: Specify the Windows network location profiles where this firewall rule should be applied:
Any
Domain
Private
Public
Executable Filepath: Use this field to create a process-specific firewall rule. For example, this can be useful if you need to allow a program in a certain folder access to a port that is blocked to all other traffic by another firewall rule. When this field is blank, the rule is applied for all processes. Your input must adhere to the following guidelines.
The value can also be a fully specified UNC path for network locations, such as: \\server\share\file\to\path.exe
Note: If the sensor can't resolve the drive letter entered in this field when the rule is enforced, it reports a FirewallRuleApplicationFailed event in Endpoint security > Firewall > Activity.
Include glob syntax to create a wildcard rule for a dynamic file path. For more info, see glob syntax.
Note: Enclose individual bracket characters ( [ or ] ) in the input field inside of additional square brackets.
Test String: This case-sensitive field appears when the system detects glob syntax in the Executable Filepath field. To confirm that the wildcard works as expected, enter sample URLs.
Service Name (optional): Enter a specific service name for the rule to match. This is converted to a Service SID, which Windows Filtering Platform can match. When this field is blank, the rule is applied for all services.
You can configure multiple criteria per network location and link them to firewall rules. There are five passive criteria that can instantly detect changes to endpoint and/or network configuration.
Passive criteria:
Connection type & SSID: Checks for a wired or wireless connection and optionally determines whether a wireless connection is encrypted and/or identified by a known SSID.
DHCP server address: Checks the IP address of the host's DHCP server.
DNS server address: Checks the IP address of the host's DNS servers.
There are three active criteria available that cause the Falcon sensor to probe your network for certain conditions. These probes are triggered whenever the Falcon sensor detects changes in the network configuration or at regular polling intervals set by you. The polling interval you choose for each active criterion is applied across all network locations for that criterion. For example, all network locations in your CID that use a DNS resolution test use the same polling interval.
Note: These criteria detect changes asynchronously, and there may be a noticeable delay in evaluating a new location.
Active criteria:
Ping test: Tests domain names or IP addresses for response to a ping request.
DNS resolution test: Tests whether the domain names can be resolved by the host. Optionally, you can provide the IP addresses you expect.
HTTPS certificate test: Tests whether the domain names can be reached using HTTPS. Optionally, specify a port using the standard notation as defined in RFC 2396, such as internal-service.company.com:8000. The server must be using a valid SSL certificate trusted on the host. Untrusted self-signed certificates are rejected.
We recommend you use the active criteria sparingly or consider lengthening the time between polling to prevent excessive system load. Also, keep in mind that Ping,
DNS resolution, and HTTPS certificate tests are asynchronous and won’t detect changes instantly.
For example, you may want to create a network location to detect whether the host is on the company VPN to allow access to various resources on the company
network. If you have a DNS server located at an IP address of 123.1.1.2 that is assigned to the host only when it is on the VPN, you can create a network location
and add a criteria for that DNS server address. Then that network location becomes active when the host is on the VPN. Then you can add that network location to a
Firewall rule that only activates when the VPN is connected. This approach provides instant detection of location changes and creates less load on your network.
Alternatively, if you have an internal domain that is only reachable via VPN and has an HTTPS certificate signed by a trusted Certificate Authority (CA), such as
intranet.company.local , you can create a network location using the HTTPS certificate criteria. That network location becomes active when
intranet.company.local is reachable through the VPN and has an HTTPS certificate signed by a trusted CA. You can then add that network location to a
Firewall rule that only activates when the VPN is connected and intranet.company.local is reachable with a valid SSL certificate. While this approach provides
stronger security against potential spoofing, it creates more load on your network and may not apply instantly because it is asynchronous.
When more than one network location is detected, the one with the highest precedence is activated. To reorder them, click Edit precedence then drag and drop them
directly in the list.
1. In the console, navigate to Endpoint security > Firewall > Network locations.
If you select Connection type & SSID, you can choose wireless or ethernet. When you select wireless, you’ll have the additional option of limiting the
criteria to encrypted networks and/or SSIDs.
Note: SSIDs are easily spoofed and are therefore a less secure option.
For Gateway IP address, DHCP server address, DNS server address, or Host IP address criteria, enter the network addresses (IPv4, IPv6, or CIDR
block) to use.
When you select the DNS resolution test, you’ll be prompted to enter a domain name and set the polling interval. Optionally, you can configure the IP
addresses to expect.
Note: If the resolved IP addresses do not match any of the expected IP addresses you provided, the criteria will fail even if the domain name can be
resolved.
For the HTTPS certificate test criteria, you’ll be prompted to enter a domain name and set the polling interval. You can also set a TCP port, such as
company.com:8000.
To configure the Ping test criteria, enter the domain names or IP addresses to target with an ICMP request and set the polling interval.
7. To enable this location, select Enable location from the Action dropdown menu.
Your custom locations are available in the Create a rule group modal.
To duplicate or delete a custom network location, go to Endpoint security > Firewall > Network locations. Then click to open the location and select Duplicate
location or Delete location from the Action dropdown menu.
Note: Custom network locations are currently only available for macOS.
A firewall rule’s Rule ID always stays the same. When rules are copied, the copies of the rules each get their own unique Rule ID.
A rule’s Version number changes each time it’s edited. This makes it possible to distinguish firewall events from different versions of the same rule. From the details
panel of any firewall event, click the Rule Name or Rule Version to go to the parameters defined in the specific version of the rule that triggered the event.
1. Go to Endpoint security > Firewall > Rule groups, click the edit icon for a rule group.
2. Click Edit precedence to activate the UP/DOWN arrow controls.
4. Click Save.
Rule group
Enable or disable a rule group from the Rules tab of a Rule group details page. Go to Endpoint security > Firewall > Rule groups and click the edit icon for a rule group. The options to enable or disable the rule group are in the upper right corner.
Rule
Enable or disable an individual rule from the Rules tab of a Rule group details page.
1. Go to Endpoint security > Firewall > Rule groups and click the edit icon for a rule group.
Rule group
Delete a firewall rule group you no longer need from its Rules tab of a Rule group details page (Endpoint security > Firewall > Rule groups and click the edit icon for a
rule group). The option to Delete the rule group is in the upper right corner.
Rule
Delete firewall rules you no longer need from the Rules tab of a Rule group details page (Endpoint security > Firewall > Rule groups and click the edit icon for a rule
group).
Go to the Endpoint security > Firewall > Rule groups page and click the Edit rule group icon for the rule group you want to see. Click the Firewall Policies tab to view
the firewall policies the rule group is in, and click Go to policies to go to the Firewall Policies page.
See Assigning firewall rule groups to a firewall policy for more information.
macOS sensor version 6.41 or later is loaded and running for wildcard support
Windows sensor version 6.42 or later is loaded and running for wildcard support
To see the full revision history of every firewall rule and rule group, click See audit log in the top right corner of the Firewall rule groups page.
To see the revision history of firewall rules within a specific rule group, go to the rule group's Rule group details page and click the Audit Log tab.
Sort columns to group your view of the log. Logged revisions are defined in the Action column as Created, Updated, or Deleted.
For updates to rule groups, the revision’s details include whether it was enabled or disabled.
When individual rules have been updated, see the detailed changes that were made.
3. Falcon applies the policy settings to each host based on its host group membership and policy precedence
If a host doesn't belong to any host groups assigned to a policy, it automatically uses the settings defined in the default policy.
Click an Edit Policy icon on the right to see details and edit an individual policy.
Policy details are configured and displayed on four tabs:
Settings: Where to define whether and how the policy is applied to assigned host groups.
Assigned Host Groups: Where to define which host groups will use the settings of the policy if it is enforced.
Assigned Rule Groups: Where to assign the firewall rule groups to the policy, and the order in which they are enforced.
Rules Summary: All of the individual firewall rules in the policy’s assigned firewall rule groups shown in the order in which they are enforced.
1. Go to Endpoint security > Firewall > Policies and click Create new policy.
2. In the Create Policy Details dialog, give your policy a name and description. Click Next to continue.
3. There are two options to start a new firewall policy. Start from scratch or modify an existing policy.
Empty Policy makes a new policy that contains no rule groups.
Existing Policy copies one of your firewall policies with all of its assigned rule groups (but not host groups). Select one of your policies and click Create
Policy.
4. Your firewall policy is created, and you see the Settings tab of its Policy details.
1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for the policy you want to assign rule groups to.
2. Go to the firewall policy’s Assigned rule groups tab, and click Assign rule groups.
3. In the Assign firewall rule group dialog, select rule groups, and click Assign to Policy.
4. Your selections are added to the list of Assigned rule groups in the position of lowest precedence.
Note: Assigning a rule group to a policy does not change the rule group’s enabled or disabled status. Quickly get to a rule group’s details by clicking the
Edit icon in the Actions column to enable or disable it.
1. Go to Endpoint security > Firewall > Policies, click the edit icon for a policy.
1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for the policy you want to assign rule groups to.
Windows
This disables the Windows hosts' OS firewall rules. Falcon's firewall rules take full precedence over the existing Windows firewall settings of the individual hosts in the assigned host groups. Any Windows firewall settings, such as those created using Windows group policies, remain on the system but do not function.
macOS
When the CrowdStrike Firewall is enforced on macOS hosts, it doesn’t override the OS firewall but works alongside it. As a result both firewalls can be
active simultaneously. Both firewalls must be configured to allow for given traffic in order for it to flow. The OS firewall takes action first, so if the OS
firewall blocks a piece of network traffic first, the Falcon Firewall won’t have visibility.
For example, if the macOS firewall is configured to allow, and the CrowdStrike Firewall is configured to block, the block occurs. If the macOS firewall is
configured to block, and the CrowdStrike Firewall is configured to allow, the connection is blocked.
Monitor Mode: Temporarily turn on this setting to allow traffic that would normally be blocked by the policy and report all associated events in Endpoint
security > Firewall > Activity, where the Action taken for these events is labeled Would be blocked.
Note: During testing, if the noise is too high, or you need to determine whether the firewall events you’re seeing are from a firewall rule or default
traffic rule: temporarily set the default traffic rules to Allow All. Remember to switch them back to the desired setting when you finish testing and
disable Monitor Mode.
Local Logging (Windows and macOS): Turn on this setting to record all traffic that matches rules assigned to this policy. When enabled, it creates a CSV file
with the base name hbfw.log on the host at %SystemRoot%\System32\Drivers\CrowdStrike\ for Windows and
/Library/Application Support/CrowdStrike/Falcon/ for macOS. Each CSV file is limited to 5 MB. Up to the 5 most recent CSV files are stored
on the host.
The CSV file contains the following information for each record:
Rule Version
Action
Direction
Local Address
Local Port
Remote Address
Remote Port
UPID
PID
Check the rule_count value. By default, this value is greater than 0; it includes the 25 core rules and the default traffic rules at the policy level (inbound and outbound). If the displayed value increases or decreases, a rule was added/enabled or removed/disabled.
This value is the current firewall channel file version for the sensor. When this value changes, this indicates that the latest policy and rule settings are
present on the endpoint.
CrowdStrike recommends setting your default rule for inbound traffic to Block All.
Policy precedence lets you configure your Firewall policies so that when a policy is disabled, host groups adopt the next highest ranking enabled policy they’re
assigned to.
Policy precedence determines which policy's settings are applied to a host when the host is a member of more than one policy. Define policies with different
precedences to resolve conflicts. Then, when faced with a conflict, the cloud automatically applies the policy with the higher precedence (1 being higher than 2, which
is higher than 3, and so on).
On a host, the policy with the highest ranking precedence (1 being highest) is applied and active. If something changes with that highest-ranking policy, for example if
it gets disabled, then the next highest-ranking policy gets applied and becomes active.
Each host can belong to one or more host groups. Host groups can be assigned one or more policies. With dynamic groups, a newly-installed sensor inherits the
relevant groups and applies the policy with highest precedence to the host. This provides the host with its initial policy settings.
If a host is not a part of any groups, or the groups it belongs to have no policies assigned, it is automatically assigned to the default policy.
1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for a policy.
1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for a policy.
4. In the Add Groups to Policy dialog, select one or more host groups.
When a firewall policy is disabled, hosts adopt the settings and rules from the next firewall policy they are assigned to according to precedence. If a host doesn't
belong to any host groups assigned to a firewall policy, it automatically uses the settings defined in the default firewall policy.
When a host group is no longer assigned to any firewall policies that are both enforced and enabled, the Falcon Firewall is removed from its hosts. When a Windows host stops receiving firewall policy from Falcon, it reverts to its Windows firewall settings. Since macOS firewall settings are enforced concurrently with the Falcon firewall, when you remove the Falcon firewall, the macOS firewall settings remain active.
Note: Admins can modify the Windows firewall on hosts while Falcon is managing the firewall, but the changes don’t take effect unless the host stops
receiving firewall policy from Falcon.
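How the precedence described above plays out, covering policy precedence across host groups, rule group and rule order within a policy, the policy's default traffic rules, and Monitor mode. This is an added illustration with constructed data; the class and field names are my own and not CrowdStrike's enforcement engine.

```python
"""Model of how a host's effective Falcon firewall policy is chosen and how
that policy's rule groups, rules and default traffic rules decide the Action
taken for a connection. Added illustration with constructed data."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str            # "Allow" or "Block"
    direction: str         # "Inbound", "Outbound" or "Both"
    protocol: str = "Any"  # "Any", "TCP", "UDP", "ICMPv4" or "ICMPv6"
    local_ports: frozenset = frozenset()   # empty means any port
    remote_ports: frozenset = frozenset()
    enabled: bool = True

    def matches(self, conn):
        """conn: dict with direction, protocol, local_port and remote_port."""
        return (
            self.enabled
            and self.direction in ("Both", conn["direction"])
            and self.protocol in ("Any", conn["protocol"])
            and (not self.local_ports or conn["local_port"] in self.local_ports)
            and (not self.remote_ports or conn["remote_port"] in self.remote_ports)
        )


@dataclass
class RuleGroup:
    name: str
    rules: list        # in the precedence order defined in the group
    enabled: bool = True


@dataclass
class Policy:
    name: str
    precedence: int    # 1 is the highest precedence
    host_groups: set
    rule_groups: list = field(default_factory=list)  # in policy precedence order
    default_inbound: str = "Block"   # the recommended Block All for inbound traffic
    default_outbound: str = "Allow"
    enabled: bool = True
    enforced: bool = True
    monitor_mode: bool = False


def effective_policy(host_groups, policies, default_policy):
    """Highest-ranking enabled and enforced policy assigned to any of the host's
    groups, or the default policy when none applies."""
    candidates = [p for p in policies
                  if p.enabled and p.enforced and p.host_groups & set(host_groups)]
    if not candidates:
        return default_policy
    return min(candidates, key=lambda p: p.precedence)


def _action(policy, action, source):
    if action == "Allow":
        return "Allowed", source
    # Monitor mode lets the traffic through and reports it as "Would be blocked"
    return ("Would be blocked" if policy.monitor_mode else "Blocked"), source


def evaluate(policy, conn):
    """Return (Action taken, what decided it): rule groups in policy order, rules
    in group order, first match wins, else the policy's default traffic rule."""
    for group in policy.rule_groups:
        if not group.enabled:
            continue
        for rule in group.rules:
            if rule.matches(conn):
                return _action(policy, rule.action, rule.name)
    default = (policy.default_inbound if conn["direction"] == "Inbound"
               else policy.default_outbound)
    return _action(policy, default, "default traffic rule")


def sample_policies():
    """Constructed data: a core group modelled on two preset rules, a hardening
    group, two assigned policies and the default policy."""
    core = RuleGroup("core", [
        Rule("DNS request", "Allow", "Outbound", "UDP", remote_ports=frozenset({53})),
        Rule("W32Time", "Allow", "Outbound", "UDP", remote_ports=frozenset({123})),
    ])
    hardening = RuleGroup("server hardening", [
        Rule("Block RDP inbound", "Block", "Inbound", "TCP", local_ports=frozenset({3389})),
    ])
    default = Policy("default", 99, set(), [core])
    servers = Policy("servers-strict", 1, {"servers"}, [hardening, core])
    all_hosts = Policy("all-hosts", 2, {"all-hosts"}, [core], default_inbound="Allow")
    return [servers, all_hosts], default
```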
To enable or disable a policy:
Windows
1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for a policy
macOS
CrowdStrike recommends following the same steps given above to manage macOS firewall settings from the Falcon console. However, in the event of an emergency
or for troubleshooting you can disable and enable the firewall and event monitoring by running these commands in the terminal:
1. Go to Endpoint security > Firewall > Policies and click the Edit Policy icon for a policy
Note: The Windows or macOS firewall settings show the settings that the host would revert to if Falcon firewall policy was removed. Admins can modify
the Windows or macOS firewall on hosts while Falcon is managing the firewall, but the changes don’t take effect unless the host stops receiving firewall
policy from Falcon.
Check compliance
Windows
If your organization requires a compliance check performed by applications like VPN software, we provide a registry key called EnforcementLevel located under
HKLM\Software\CrowdStrike\FWPolicy. A value of 1 indicates that the firewall is enabled and enforced.
macOS
If your organization requires a compliance check performed by applications like VPN software, run:
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats hbfw
If the values for data, packet, and rule_count are more than 0 (zero), this confirms that the firewall is enabled and enforced. In the output, locate ===hbfw=== and look for these three values:
data
packet
rule_count
If these values are all 0 (zero), the firewall is not enabled and not enforced:
data: 0
log: 0
packet: 0
rule_count: 0
Values greater than 0 (zero) show the firewall is enabled and enforced:
data: 27
log: 0
packet: 2
rule_count: 27
You can also use these value outputs to check for compliance.
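The compliance checks above in code, as an added example that is not CrowdStrike's tooling: it parses the ===hbfw=== section of the falconctl stats hbfw output and reads the Windows EnforcementLevel registry value; the two sample outputs are constructed from the values shown on this page.

```python
"""Compliance check for the Falcon firewall, following the page's criteria:
on Windows the EnforcementLevel value under HKLM\\Software\\CrowdStrike\\FWPolicy
is 1; on macOS the data, packet and rule_count counters in the ===hbfw===
section of `falconctl stats hbfw` are all greater than 0.
Added example, not CrowdStrike code; the sample outputs are constructed."""
import re
import subprocess

FALCONCTL = "/Applications/Falcon.app/Contents/Resources/falconctl"
HBFW_HEADER = "===hbfw==="
REQUIRED = ("data", "packet", "rule_count")
_COUNTER = re.compile(r"^([A-Za-z_]+):\s*(\d+)$")


def parse_hbfw_stats(text):
    """Return the integer counters found in the ===hbfw=== section only."""
    stats = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("==="):          # a section header
            in_section = line == HBFW_HEADER
            continue
        m = _COUNTER.match(line) if in_section else None
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def macos_firewall_enforced(stats):
    """True only if data, packet and rule_count are all present and > 0."""
    return all(stats.get(key, 0) > 0 for key in REQUIRED)


def rule_count_delta(before, after):
    """Positive: a rule was added/enabled; negative: removed/disabled; 0: unchanged."""
    return after.get("rule_count", 0) - before.get("rule_count", 0)


def check_macos_host():
    """Run falconctl (needs sudo) and evaluate the live output."""
    out = subprocess.run(["sudo", FALCONCTL, "stats", "hbfw"],
                         capture_output=True, text=True, check=True).stdout
    return macos_firewall_enforced(parse_hbfw_stats(out))


def windows_firewall_enforced():
    """Read HKLM\\Software\\CrowdStrike\\FWPolicy\\EnforcementLevel (Windows only)."""
    import winreg  # standard library, importable only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\CrowdStrike\FWPolicy") as key:
        value, _ = winreg.QueryValueEx(key, "EnforcementLevel")
    return value == 1


# Constructed samples reproducing the values shown on this page
NOT_ENFORCED_SAMPLE = """===hbfw===
data: 0
log: 0
packet: 0
rule_count: 0
"""
ENFORCED_SAMPLE = """===hbfw===
data: 27
log: 0
packet: 2
rule_count: 27
===other===
data: 5
"""  # ===other=== is a constructed extra section that the parser must ignore
```

The parsing functions run anywhere; check_macos_host() and windows_firewall_enforced() only work on the respective platform with the Falcon sensor installed.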
This issue won’t affect most, if any, of your hosts. When advanced protocols are used, CrowdStrike recommends you enable and test the packet provider before
deploying. After the packet provider is enabled, the sensor doesn’t need to be reloaded and a new firewall policy isn’t required. Rules in the deployed policy with an
advanced protocol are immediately enforced.
Status | Rule name | Description | Traffic direction | Action to take | Event frequency | Protocol | Local IP | Local port | Remote address | Remote port | Executable filepath
Enabled | ICMPv6 Neighbor Solicitation | Allow ICMPv6 type 135 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | Receive ICMP ping reply | Allow ICMPv6 echo reply Inbound to the System process | In | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | ICMPv6 Multicast Listener Query | Allow ICMPv6 type 130 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | Internet Group Management (IGMP) | Allow IGMP (Internet Group Management) In and Out to and from the System process | Both | Allowed | 0 / 0ms | 2 | * | | * | | System
Enabled | ICMPv6 Multicast Listener Report | Allow ICMPv6 type 131 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | DHCP on IPv4 | Allow DHCP In and Out to and from the Dhcp service | Both | Allowed | 0 / 0ms | UDP | * | 68 | * | 67 | %SystemRoot%\
Enabled | Microsoft DS Group Policy | Allow TCP Out from the Group Policy service when on the Domain | Out | Allowed | 0 / 0ms | TCP | * | | * | | %SystemRoot%\
Enabled | DNS request | Allow DNS Out from the Dnscache service | Out | Allowed | 0 / 0ms | UDP | * | | * | 53 | %SystemRoot%\
Enabled | W32Time | Allow UDP Out from the Network Time Protocol service to NTP port | Out | Allowed | 0 / 0ms | UDP | * | | * | 123 | %SystemRoot%\
Enabled | Microsoft DS Network Sharing | Allow TCP from the System process to DS network share port when on the Domain | Out | Allowed | 0 / 0ms | TCP | * | | * | 445 | System
Enabled | ICMPv6 Multicast Listener Report version 2 | Allow ICMPv6 type 143 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | DHCP on IPv6 | Allow DHCPv6 In and Out to and from the Dhcp service | Both | Allowed | 0 / 0ms | UDP | * | 546 | * | 547 | %SystemRoot%\
Enabled | ICMPv6 Parameter Problem | Allow ICMPv6 type 4 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | ICMPv6 Neighbor Advertisement | Allow ICMPv6 type 136 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | ICMPv6 Packet Too Big | Allow ICMPv6 type 2 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | ICMPv6 Multicast Listener Done | Allow ICMPv6 type 132 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | Lsass | Allow TCP Out from the lsass process when on the Domain | Out | Allowed | 0 / 0ms | TCP | * | | * | | %SystemRoot%\
Enabled | ICMPv6 Router Solicitation | Allow ICMPv6 type 133 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | ICMPv6 Router Advertisement | Allow ICMPv6 type 134 Out from the System process | Out | Allowed | 0 / 0ms | ICMPv6 | fe80:: | | * | | System
Enabled | ICMPv6 Time Exceeded | Allow ICMPv6 type 3 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System
Enabled | Receive ICMP destination unreachable - fragmentation needed reply | Allow ICMPv4 type 3 code 4 Inbound to the System process | In | Allowed | 0 / 0ms | ICMPv4 | * | | * | | System