Configuration
Policy settings
The settings are organized into the following sections:
General
In this section you can enable or disable the Bitdefender Firewall and configure the general settings.

Firewall
Use the check box to turn Firewall on or off.
Warning
If you turn off firewall protection, computers will be vulnerable to network and Internet attacks.
Allow Internet Connection Sharing (ICS)
Select this option to set the firewall to allow Internet Connection Sharing traffic.
Note
This option does not automatically enable ICS on the user's system.
Monitor Wi-Fi connections
Bitdefender security agent can inform users connected to a Wi-Fi network when a new computer joins the network.
To display such notifications on the user's screen, select this option.
Log verbosity level
Bitdefender security agent maintains a log of events regarding the Firewall module usage (enabling/disabling firewall, traffic blocking, modifying settings) or generated by the activities detected by this module (scanning ports, blocking connection attempts or traffic according to the rules). Choose an option from the Log verbosity level to specify how much information the log should include.
Block port scans
Port scans are frequently used by attackers to find out which ports are open on a computer, and then to target a vulnerable or poorly secured service listening on one of them.
Enable the Exclusions check box to specify the IP addresses of your own scanners (for example, vulnerability scanners that assess and report on endpoints) so that their port scans are not blocked. Port scan exclusions are compatible with Bitdefender Endpoint Security Tools for Windows.
To add a port scan exclusion rule:
Enter the IP address in the corresponding field. You can also use the IP/CIDR format, such as 192.168.1.0/24.
Provide a short description to easily identify the exclusion rule.
If needed and to save time, enable Duplicate to Network Protection to automatically create the same exclusion in the Network Protection section.
Click Add exclusion to finish the process.
A new entry appears in the grid below.
If Duplicate to Network Protection is enabled, the same exclusion rule appears in the Network Protection section. However, to apply it there, make sure the Exclusions section in Network Protection is also enabled.
Note
The Duplicate to Network Protection option does not provide two-way synchronization between the Firewall and Network Protection modules. For example, if you delete a port scan exclusion in Firewall, its duplicate in Network Protection remains intact. The same is true if you delete an exclusion in Network Protection.
Bitdefender blocks a detected attacker IP address for a few minutes. The timer restarts with each new detection, including detections made while the address is already blocked. Port scan exclusions, on the other hand, take effect immediately, regardless of whether the IP address was already blocked or the exclusion is added during the blocking period.
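The blocking and exclusion behaviour described above, as an added example that is not Bitdefender's code and is not taken from this page: a small model in which a port scan from a non-excluded address blocks it for BLOCK_DURATION (the page only says "a few minutes"; five is an assumed value), each new detection restarts the timer rather than extending it, an exclusion added mid-block lifts the block at once, and the Duplicate to Network Protection copy is an independent list that does not follow later deletions. All IP addresses and descriptions are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: the page only says "a few minutes"; five minutes is an illustrative value.
BLOCK_DURATION = timedelta(minutes=5)


class PortScanBlocker:
    """Models Block port scans: attacker IPs are blocked for BLOCK_DURATION, the timer
    restarts on every detection, and exclusions apply immediately, even mid-block."""

    def __init__(self):
        self.firewall_exclusions = []            # Firewall > Block port scans > Exclusions
        self.network_protection_exclusions = []  # Network Protection > Exclusions (separate list)
        self.blocked_until = {}                  # ip -> datetime at which the block expires

    def add_exclusion(self, cidr, description, duplicate_to_network_protection=False):
        # A single IP or IP/CIDR is accepted, as in the policy UI.
        entry = (ipaddress.ip_network(cidr, strict=False), description)
        self.firewall_exclusions.append(entry)
        if duplicate_to_network_protection:
            # A copy, not a link: the two lists are not synchronised afterwards.
            self.network_protection_exclusions.append(entry)

    def delete_firewall_exclusion(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        self.firewall_exclusions = [e for e in self.firewall_exclusions if e[0] != net]

    def is_excluded(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net, _ in self.firewall_exclusions)

    def on_scan_detected(self, ip, now):
        """Return True if this detection (re)blocked the source."""
        if self.is_excluded(ip):
            return False
        self.blocked_until[ip] = now + BLOCK_DURATION   # restart, not extend
        return True

    def is_blocked(self, ip, now):
        if self.is_excluded(ip):
            return False                                 # exclusions win immediately
        expires = self.blocked_until.get(ip)
        if expires is None or now >= expires:
            self.blocked_until.pop(ip, None)
            return False
        return True


def demo():
    """Walk through the timer restart, the immediate exclusion and the one-way copy."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    fw = PortScanBlocker()
    fw.add_exclusion("10.0.5.0/24", "authorised vulnerability scanners",
                     duplicate_to_network_protection=True)
    results = {}
    results["scanner_blocked"] = fw.on_scan_detected("10.0.5.20", t0)       # excluded: False
    results["attacker_blocked"] = fw.on_scan_detected("203.0.113.7", t0)    # True, until t0+5m
    fw.on_scan_detected("203.0.113.7", t0 + timedelta(minutes=4))           # timer restarts: until t0+9m
    results["still_blocked_at_6m"] = fw.is_blocked("203.0.113.7", t0 + timedelta(minutes=6))
    results["expired_at_10m"] = fw.is_blocked("203.0.113.7", t0 + timedelta(minutes=10))
    fw.on_scan_detected("203.0.113.7", t0 + timedelta(minutes=11))          # blocked again
    fw.add_exclusion("203.0.113.7", "newly approved partner scanner")       # added mid-block
    results["unblocked_immediately"] = fw.is_blocked("203.0.113.7", t0 + timedelta(minutes=12))
    fw.delete_firewall_exclusion("10.0.5.0/24")                             # Firewall copy removed...
    results["np_copy_survives"] = len(fw.network_protection_exclusions)     # ...the other copy remains
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that an attacker who keeps scanning is never unblocked (the timer is restarted, not extended from the first hit), while exclusions bypass the timer entirely, so an over-broad exclusion such as a whole /16 is a standing hole rather than a temporary one.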
Intrusion Detection System (IDS)
Intrusion Detection System monitors the system for suspicious activities (for example, unauthorized attempts to alter the Bitdefender files, DLL injections, keylogging attempts etc.).
Note
Intrusion Detection System (IDS) policy settings only apply to Endpoint Security (legacy security agent). Bitdefender Endpoint Security Tools agent integrates Host-Based Intrusion Detection System capabilities in its Advanced Threat Control (ATC) module.
To configure Intrusion Detection System:
Use the check box to turn Intrusion Detection System on or off.
Click the security level that best suits your needs (Aggressive, Normal or Permissive).
Use the description on the right side of the scale to guide your choice.
To prevent a legitimate application from being detected by Intrusion Detection System, add an ATC/IDS process exclusion rule for that application in the Antimalware > Settings > In-policy exclusions section.
Important
Intrusion Detection System is only available for Endpoint Security clients.
Settings
The firewall automatically applies a profile based on the trust level. You can have different trust levels for network connections, depending on the network architecture or on the type of the adapter used to establish the network connection. For example, if you have sub-networks within your company's network, you can set a trust level to each sub-network.
The settings are organized under the following tables:

Networks settings
If you want the Firewall to apply different profiles to several network segments within your company, you must specify the managed networks in the Networks table. Fill in the fields from the Networks table as described herein:
Name. Enter the name by which you can recognize the network in the list.
Type. Select from the menu the profile type assigned to the network.
Bitdefender security agent automatically applies one of the four network profiles to each detected network connection on the endpoint, to define the basic traffic filtering options. The profile types are:
Trusted network. Disables the firewall for the respective adapters. The traffic is allowed and not filtered.
Home/Office network. Allows all traffic to and from computers in the local network while the other traffic is being filtered.
Public network. All traffic is filtered.
Untrusted network. Completely blocks network and Internet traffic through the respective adapters.
Identification. Select from the menu the method through which the network will be identified by the Bitdefender security agent. The networks can be identified by three methods: DNS, Gateway and Network.
DNS: identifies all endpoints using the specified DNS.
Gateway: identifies all endpoints communicating through the specified gateway.
Network: identifies all endpoints from the specified network segment, defined by its network address.
MAC. Use this field to specify the MAC address of the DNS server or of the gateway that delimits the network, depending on the selected identification method. Enter the MAC address in hexadecimal format, with the octets separated by hyphens (-) or colons (:). For example, both 00-50-56-84-32-2b and 00:50:56:84:32:2b are valid addresses.
IP. Use this field to define the IP address that identifies the network. The IP format depends on the identification method as follows:
Network. Enter the network number in CIDR format, for example 192.168.1.0/24, where 192.168.1.0 is the network address and /24 is the network mask.
Gateway. Enter the IP address of the gateway.
DNS. Enter the IP address of the DNS server.
After you have defined a network, click the Add button at the right side of the table to add it to the list.
Adapters settings
If a network which is not defined in the Networks table is detected, the Bitdefender security agent detects the network adapter type and applies a corresponding profile to the connection.
The fields from the Adapters table are described as follows:
Type. Displays the type of the network adapters. Bitdefender security agent can detect three predefined adapter types: Wired, Wireless and Virtual (Virtual Private Network).
Network Type. Describes the network profile assigned to a specific adapter type. The network profiles are described in the network settings section. Clicking the network type field allows you to change the setting.
If you select Let Windows decide, for any new network connection detected after the policy is applied, Bitdefender security agent applies a profile for the firewall based on the network classification in Windows, ignoring the settings from the Adapters table.
If the detection based on Windows Network Manager fails, a basic detection is attempted. A generic profile is used, where the network profile is considered Public and the stealth settings are set to On.
When the endpoint joined in Active Directory connects to the domain, the firewall profile is automatically set to Home/Office and the stealth settings are set to Remote. If the computer is not in a domain, this condition is not applicable.
Network Discovery. Controls whether the computer can be detected (for example, pinged) by other hosts, which is what hides it from malicious software and attackers scanning the local network or the Internet. Configure computer visibility in the network as needed, for each adapter type, by selecting one of the following options:
Yes. Anyone from the local network or the Internet can ping and detect the computer.
No. The computer is invisible from both the local network and the Internet.
Remote. The computer cannot be detected from the Internet. Anyone from the local network can ping and detect the computer.
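How a Networks table row is matched against a detected connection and which profile the endpoint ends up with, as an added example that is neither Bitdefender's agent code nor taken from this page. It follows the three identification methods above (DNS, Gateway, Network), accepts both MAC notations the page allows, falls back to the adapter type when no row matches, and shows what each profile does to a packet. The connection dictionary keys, the ADAPTER_PROFILES values and all addresses are assumptions of the example.

```python
import ipaddress
import re


def normalize_mac(mac):
    """Accept both forms the policy takes (00-50-56-84-32-2b or 00:50:56:84:32:2b)
    and return a canonical lowercase, colon-separated form for comparison."""
    parts = re.split(r"[-:]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(parts)


class ManagedNetwork:
    """One row of the Networks table: name, profile, identification method, IP, optional MAC."""

    def __init__(self, name, profile, identification, ip, mac=None):
        if identification not in ("DNS", "Gateway", "Network"):
            raise ValueError("identification must be DNS, Gateway or Network")
        if identification == "Network":
            self.address = ipaddress.ip_network(ip, strict=False)   # CIDR, e.g. 192.168.1.0/24
        else:
            self.address = ipaddress.ip_address(ip)                 # gateway or DNS server address
        self.name, self.profile, self.identification = name, profile, identification
        self.mac = normalize_mac(mac) if mac else None

    def matches(self, conn):
        """conn describes a detected connection; its keys (local_ip, gateway_ip, gateway_mac,
        dns_ip, dns_mac, adapter_type) are an assumption of this example."""
        if self.identification == "Network":
            return ipaddress.ip_address(conn["local_ip"]) in self.address
        key = "gateway" if self.identification == "Gateway" else "dns"
        ip, mac = conn.get(f"{key}_ip"), conn.get(f"{key}_mac")
        if ip is None or ipaddress.ip_address(ip) != self.address:
            return False
        # Pinning the MAC stops a foreign network from matching merely because it
        # happens to use the same gateway or DNS address (192.168.1.1 is everywhere).
        return self.mac is None or (mac is not None and normalize_mac(mac) == self.mac)


# Assumption: per-adapter-type profiles as an administrator might set them in the
# Adapters table; the page does not list the shipped defaults.
ADAPTER_PROFILES = {"Wired": "Home/Office", "Wireless": "Public", "Virtual": "Public"}


def select_profile(networks, conn):
    """Return (profile, reason): the Networks table wins, then the adapter type,
    then the generic fallback profile (Public) mentioned on the page."""
    for net in networks:
        if net.matches(conn):
            return net.profile, f"Networks table: {net.name}"
    adapter = conn.get("adapter_type")
    if adapter in ADAPTER_PROFILES:
        return ADAPTER_PROFILES[adapter], f"Adapters table: {adapter}"
    return "Public", "generic fallback"


def traffic_allowed(profile, peer_is_local, ruleset_allows):
    """What each profile does with one packet. ruleset_allows is the decision the
    firewall rules would make when filtering applies at all."""
    if profile == "Trusted":
        return True            # firewall disabled on the adapter: nothing is filtered
    if profile == "Untrusted":
        return False           # all traffic through the adapter is blocked
    if profile == "Home/Office" and peer_is_local:
        return True            # local-network traffic passes; everything else is filtered
    return ruleset_allows      # Public, or non-local traffic under Home/Office


if __name__ == "__main__":
    table = [ManagedNetwork("HQ LAN", "Home/Office", "Gateway", "192.168.1.1", "00-50-56-84-32-2b")]
    conn = {"adapter_type": "Wired", "local_ip": "192.168.1.50",
            "gateway_ip": "192.168.1.1", "gateway_mac": "00:50:56:84:32:2B"}
    print(select_profile(table, conn))
```

Rows are checked in table order, so when a Network row and a Gateway row could both match the same connection, put the more specific one first. The MAC field is worth filling in for Gateway and DNS identification: without it, any network that hands out the same gateway address is treated as the managed one and receives its (typically more permissive) profile.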
Rules
In this section you can configure the application network access and data traffic rules enforced by the firewall.
Note that available settings apply only to the Home/Office and Public profiles.

Settings
You can configure the following settings:
Protection level
The selected protection level defines the firewall decision-making logic used when applications request access to network and Internet services.
The following options are available:
Ruleset and allow
Apply existing firewall rules and automatically allow all other connection attempts.
For each new connection attempt, a rule is created and added to the ruleset.
Ruleset and ask
Apply existing firewall rules and prompt the user for action for all other connection attempts.
An alert window with detailed information about the unknown connection attempt is displayed on the user's screen.
For each new connection attempt, a rule is created and added to the ruleset.
Ruleset and deny
Apply existing firewall rules and automatically deny all other connection attempts.
For each new connection attempt, a rule is created and added to the ruleset.
Ruleset, known files and allow
Apply existing firewall rules, automatically allow connection attempts made by known applications and automatically allow all other unknown connection attempts.
For each new connection attempt, a rule is created and added to the ruleset.
Ruleset, known files and ask
Apply existing firewall rules, automatically allow connection attempts made by known applications and prompt the user for action for all other unknown connection attempts.
An alert window with detailed information about the unknown connection attempt is displayed on the user's screen.
For each new connection attempt, a rule is created and added to the ruleset.
Ruleset, known files and deny
Apply existing firewall rules, automatically allow connection attempts made by known applications and automatically deny all other unknown connection attempts.
For each new connection attempt, the default action is taken without creating a rule. If Create aggressive rules is enabled, a rule is also created and added to the ruleset, so that the next time the same traffic is detected the firewall can decide from the rule instead of re-evaluating the attempt.
Note
Known files represent a large collection of safe, trustworthy applications, which is compiled and continuously maintained by Bitdefender.
Create aggressive rules
With this option selected, the firewall will create rules for each different process that opens the application requesting network or Internet access.
Create rules for applications blocked by IDS
With this option selected, the firewall will automatically create a Deny rule each time the Intrusion Detection System blocks an application.
Monitor process changes
Select this option if you want each application attempting to connect to the Internet to be checked whether it has been changed since the addition of the rule controlling its Internet access.
If the application has been changed, a new rule will be created according to the existing protection level.
Note
Usually, applications are changed by updates.
But there is a risk that they might be changed by malware applications, with the purpose of infecting the local computer and other computers in the network.
Signed applications are supposed to be trusted and have a higher degree of security.
You can select Ignore signed processes to automatically allow changed signed applications to connect to the Internet.
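The decision logic of the six protection levels together with Monitor process changes and Ignore signed processes, as an added example that is neither Bitdefender's implementation nor code from this page. A created rule remembers the executable by MD5 (as the Application MD5 rule field does); when the binary on disk no longer matches, the attempt is re-evaluated under the protection level unless the file is signed and Ignore signed processes is on. The known-files set, the path names and the image bytes are constructed stand-ins.

```python
import hashlib

# Each protection level, mapped to (action for attempts no rule covers,
# whether the known-files collection is consulted before that action).
PROTECTION_LEVELS = {
    "Ruleset and allow":              ("allow", False),
    "Ruleset and ask":                ("ask",   False),
    "Ruleset and deny":               ("deny",  False),
    "Ruleset, known files and allow": ("allow", True),
    "Ruleset, known files and ask":   ("ask",   True),
    "Ruleset, known files and deny":  ("deny",  True),
}


def md5_hex(image: bytes) -> str:
    """Rules remember the executable by its MD5, as the Application MD5 field does."""
    return hashlib.md5(image).hexdigest()


class ApplicationFirewall:
    def __init__(self, level, known_files=(), monitor_process_changes=True,
                 ignore_signed_processes=False, create_aggressive_rules=False):
        self.level = level
        self.default_action, self.use_known_files = PROTECTION_LEVELS[level]
        self.known_files = set(known_files)     # stand-in for Bitdefender's known-files collection
        self.rules = {}                         # application path -> {"action", "md5"}
        self.monitor_process_changes = monitor_process_changes
        self.ignore_signed_processes = ignore_signed_processes
        self.create_aggressive_rules = create_aggressive_rules

    def decide(self, path, image, signed=False, user_answer=None):
        """Decide a connection attempt by `path`, whose on-disk image is `image`.
        Returns (action, reason); action is 'allow', 'deny', or 'ask' while a prompt is pending."""
        digest = md5_hex(image)
        rule = self.rules.get(path)
        changed = False
        if rule is not None:
            if not self.monitor_process_changes or rule["md5"] == digest:
                return rule["action"], "existing rule"
            # The binary changed since the rule was created: an update, or tampering.
            if signed and self.ignore_signed_processes:
                rule["md5"] = digest
                return "allow", "changed, but signed and Ignore signed processes is on"
            changed = True
        # No usable rule: treat the attempt as new and apply the protection level.
        if self.use_known_files and digest in self.known_files:
            action, reason = "allow", "known file"
        else:
            action, reason = self.default_action, f"default for '{self.level}'"
            if action == "ask":
                if user_answer is None:
                    return "ask", reason            # alert shown to the user; nothing recorded yet
                action, reason = user_answer, "user answered the prompt"
        if changed:
            reason = "changed binary, re-evaluated: " + reason
        # Every level records a rule for the new attempt, except 'known files and deny',
        # which does so only when Create aggressive rules is enabled.
        if self.level != "Ruleset, known files and deny" or self.create_aggressive_rules:
            self.rules[path] = {"action": action, "md5": digest}
        return action, reason


if __name__ == "__main__":
    fw = ApplicationFirewall("Ruleset, known files and ask", known_files=[md5_hex(b"browser-build-1")])
    print(fw.decide(r"C:\Program Files\Browser\browser.exe", b"browser-build-1"))
    print(fw.decide(r"C:\Tools\sync.exe", b"sync-build-1"))
```

Two consequences are visible in the model: with Ruleset, known files and deny and no aggressive rules, every unknown attempt is re-evaluated and denied again (cheap to reason about, but no record of what was blocked), and with Ignore signed processes on, a changed but signed binary is allowed without any prompt, which is exactly the gap that a stolen or abused code-signing certificate exploits.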
Rules
The Rules table lists the existing firewall rules, providing important information on each of them:
Rule name or application it refers to.
Protocol the rule applies to.
Rule action (allow or deny packets).
Actions you can take on the rule.
Rule priority.
Note
These are the firewall rules explicitly enforced by the policy.
Additional rules may be configured on computers as a result of applying firewall settings.
A number of default firewall rules help you easily allow or deny popular traffic types.
Choose the desired option from the Permission menu.
Incoming ICMP / ICMPv6
Allow or deny ICMP / ICMPv6 messages.
By default, this type of traffic is allowed.
Incoming Remote Desktop Connections
Allow or deny other computers' access over Remote Desktop Connections.
By default, this type of traffic is allowed.
Sending Emails
Allow or deny sending emails over SMTP.
By default, this type of traffic is allowed.
Web Browsing HTTP
Allow or deny HTTP web browsing.
By default, this type of traffic is allowed.
Network Printing
Allow or deny access to printers in another local area network.
By default, this type of traffic is denied.
Windows Explorer traffic on HTTP / FTP
Allow or deny HTTP and FTP traffic from Windows Explorer.
By default, this type of traffic is denied.
Besides the default rules, you can create additional firewall rules for other applications installed on endpoints.
This configuration however is reserved for administrators with strong networking skills.
To create and configure a new rule, click the Add button at the upper side of the table.
Refer to the following topic for more information.
To remove a rule from the list, select it and click the Delete button at the upper side of the table.
Note
You can neither delete nor modify the default firewall rules.
Configuring custom rules
You can configure two types of firewall rules:
Application-based rules
Such rules apply to specific software found on the client computers.
Connection-based rules
Such rules apply to any application or service that uses a specific connection.
To create and configure a new rule, click the Add button at the upper side of the table and select the desired rule type from the menu.
To edit an existing rule, click the rule name.
The following settings can be configured:
Rule name
Enter the name under which the rule will be listed in the rules table (for example, the name of the application the rule applies to).
Application path (only for application-based rules).
You must specify the path to the application executable file on the target computers. Either choose a predefined location from the menu and complete the path as needed, or enter the full path in the edit field. For example, for an application installed in the Program Files folder, select %ProgramFiles% and complete the path by adding a backslash (\) and the name of the application folder.
It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.
Command line (only for application-based rules).
If you want the rule to apply only when the specified application is launched with specific command-line arguments, type that command line in the edit field. Otherwise, leave it blank.
Application MD5 (only for application-based rules).
If you want the rule to check the integrity of the application's executable file based on its MD5 hash, enter the hash in the edit field. Otherwise, leave the field blank. Keep in mind that MD5 is no longer collision resistant, so this check catches unintended changes rather than guaranteeing that a file is the one you approved, and that a legitimate update changes the hash, so the rule must be updated afterwards.
Local Address
Specify the local IP address and port the rule applies to.
If you have more than one network adapter, you can clear the Any check box and type a specific IP address.
Likewise, to filter connections on a specific port or port range, clear the Any check box and enter the desired port or port range in the corresponding field.
Remote Address
Specify the remote IP address and port the rule applies to.
To filter the traffic to and from a specific computer, clear the Any check box and type its IP address.
Apply rule only for directly connected computers
Select this option to restrict the rule to computers directly connected to the endpoint (on the same local link), optionally filtering them by MAC address.
Protocol
Select the IP protocol the rule applies to.
If you want the rule to apply to all protocols, select Any.
If you want the rule to apply to TCP, select TCP.
If you want the rule to apply to UDP, select UDP.
If you want the rule to apply to a specific protocol, select that protocol from the Other menu.
Note
IP protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
You can find the complete list of assigned IP protocol numbers at http://www.iana.org/assignments/protocol-numbers.
Direction
Select the traffic direction the rule applies to:
Outbound. The rule applies only to outgoing traffic.
Inbound. The rule applies only to incoming traffic.
Both. The rule applies in both directions.
IP version
Select the IP version (IPv4, IPv6 or any) the rule applies to.
Network
Select the type of network the rule applies to.
Permission
Select one of the available permissions:
Allow. The specified application will be allowed network / Internet access under the specified circumstances.
Deny. The specified application will be denied network / Internet access under the specified circumstances.
Click Save to add the rule.
For the rules you created, use the arrows at the right side of the table to set each rule priority. The rule with higher priority is closer to the top of the list.
Importing and Exporting Rules
You can export and import firewall rules to use them in other policies or companies. To export rules:
Click Export at the upper side of the rules table.
Save the CSV file to your computer. Depending on your browser settings, the file may download automatically, or you will be asked to save it to a location.
Important
Each row in the CSV file corresponds to a single rule and has multiple fields.
The position of firewall rules in the CSV file determines their priority. You can change the priority of a rule by moving the entire row.
For the default set of rules, you can modify only the following elements:
Priority: set the priority of the rule in any order you wish by moving the CSV row.
Permission: set the permission.setPermission field to one of the available values:
1 for Allow
2 for Deny
Any other adjustments are discarded at import.
For custom firewall rules, all field values are configurable as follows:
Field | Name and Value
---|---
ruleType | Rule type (application-based or connection-based rule)
type | Optional.
details.name | Rule name
details.applictionPath | Application path (only for application-based rules)
details.commandLine | Command line (only for application-based rules)
details.applicationMd5 | Application MD5 (only for application-based rules)
settings.protocol | Protocol
settings.customProtocol | Required only if Protocol is set to Other. Use the IANA protocol number (see http://www.iana.org/assignments/protocol-numbers). The values 0, 4, 6, 41, 61, 63, 68, 99, 114, 124, 34-37 and 141-143 are not supported.
settings.direction | Direction
settings.ipVersion | IP version
settings.localAddress.any | Local Address is set to Any
settings.localAddress.ipMask | Local Address is set to IP or IP/Mask
settings.remoteAddress.portRange | Remote Address is set to Port or port range
settings.directlyConnected.enable | Apply rule only for directly connected computers
settings.directlyConnected.remoteMac | Apply rule only for directly connected computers with MAC address filter (the remote MAC address)
permission.home | The rule applies to the Home/Office network
permission.public | The rule applies to the Public network
permission.setPermission | Permission: 1 for Allow, 2 for Deny
To import rules:
Click Import at the upper side of the Rules table.
In the new window, click Add and select the CSV file.
Click Save. The table is populated with the valid rules.
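A checker for an exported rules file before you import it elsewhere, as an added example that is neither Bitdefender's importer nor code from this page. It keeps row order as the priority order, accepts only 1 (Allow) and 2 (Deny) in permission.setPermission, rejects the custom protocol numbers the table lists as unsupported, and validates the address, port-range, MD5 and MAC fields. The column names are those of the table above (including details.applictionPath as the page prints it); the header row, the literal "Other" protocol value and the 1/0 check-box values are assumptions of the example, and the sample file is constructed.

```python
import csv
import io
import ipaddress
import re

# Assumptions of this example: a header row with the table's field names, "Other" as
# the literal for a custom protocol, and 1/0 for check boxes. The real export may differ.
PERMISSIONS = {"1": "Allow", "2": "Deny"}
UNSUPPORTED_CUSTOM_PROTOCOLS = ({0, 4, 6, 41, 61, 63, 68, 99, 114, 124}
                                | set(range(34, 38)) | set(range(141, 144)))
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def _enabled(value):
    return (value or "").strip().lower() in ("1", "true", "yes")


def _valid_ip_or_mask(value):
    try:
        ipaddress.ip_network((value or "").strip(), strict=False)
        return True
    except ValueError:
        return False


def _valid_port_range(value):
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", (value or "").strip())
    if not m:
        return False
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    return 1 <= low <= high <= 65535


def check_row(row):
    """Return the problems found in one CSV row (an empty list means the row is valid)."""
    problems = []
    if not (row.get("details.name") or "").strip():
        problems.append("details.name is empty")
    if (row.get("permission.setPermission") or "").strip() not in PERMISSIONS:
        problems.append("permission.setPermission must be 1 (Allow) or 2 (Deny)")
    if (row.get("settings.protocol") or "").strip().lower() == "other":
        custom = (row.get("settings.customProtocol") or "").strip()
        if not custom.isdigit():
            problems.append("settings.customProtocol is required when Protocol is Other")
        elif not 0 <= int(custom) <= 255 or int(custom) in UNSUPPORTED_CUSTOM_PROTOCOLS:
            problems.append(f"settings.customProtocol {custom} is not supported")
    md5 = (row.get("details.applicationMd5") or "").strip()
    if md5 and not MD5_RE.match(md5):
        problems.append("details.applicationMd5 is not a 32-hex-digit MD5")
    if not _enabled(row.get("settings.localAddress.any")) \
            and not _valid_ip_or_mask(row.get("settings.localAddress.ipMask")):
        problems.append("settings.localAddress.ipMask must be an IP or IP/mask when Any is cleared")
    port_range = (row.get("settings.remoteAddress.portRange") or "").strip()
    if port_range and not _valid_port_range(port_range):
        problems.append("settings.remoteAddress.portRange must be a port or a low-high range")
    if _enabled(row.get("settings.directlyConnected.enable")):
        mac = (row.get("settings.directlyConnected.remoteMac") or "").strip()
        if mac and not MAC_RE.match(mac):
            problems.append("settings.directlyConnected.remoteMac is not a valid MAC address")
    return problems


def load_rules_csv(text):
    """Parse an export file. Returns (rules, errors): rules keep file order, which is
    their priority (first row = highest); errors hold (line number, rule name, problems)."""
    rules, errors = [], []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):  # line 1 is the header
        problems = check_row(row)
        name = (row.get("details.name") or "").strip()
        if problems:
            errors.append((lineno, name, problems))
        else:
            rules.append({"priority": len(rules) + 1, "name": name,
                          "permission": PERMISSIONS[row["permission.setPermission"].strip()]})
    return rules, errors


# Constructed sample export: five rules, two of them deliberately broken.
SAMPLE_CSV = r"""ruleType,type,details.name,details.applictionPath,details.commandLine,details.applicationMd5,settings.protocol,settings.customProtocol,settings.direction,settings.ipVersion,settings.localAddress.any,settings.localAddress.ipMask,settings.remoteAddress.portRange,settings.directlyConnected.enable,settings.directlyConnected.remoteMac,permission.home,permission.public,permission.setPermission
application,,Backup agent,%ProgramFiles%\Backup\agent.exe,,d41d8cd98f00b204e9800998ecf8427e,TCP,,outbound,any,1,,443,0,,1,1,1
connection,,Allow GRE,,,,Other,47,both,ipv4,1,,,0,,1,1,1
connection,,Bad custom protocol,,,,Other,6,both,ipv4,1,,,0,,1,1,2
application,,Bad permission,C:\Tools\x.exe,,,Any,,both,any,1,,,0,,1,1,allow
connection,,Printer from LAN only,,,,TCP,,inbound,ipv4,0,192.168.1.0/24,9100,1,00-50-56-84-32-2b,1,0,1
"""

if __name__ == "__main__":
    accepted, rejected = load_rules_csv(SAMPLE_CSV)
    for rule in accepted:
        print(rule)
    for lineno, name, problems in rejected:
        print(f"line {lineno} ({name!r}): " + "; ".join(problems))
```

Run it against an export before editing the rows by hand: because priority is the row position, a sort in a spreadsheet silently reorders the ruleset, and because only 1 and 2 are honoured in permission.setPermission, a row that says "allow" is not an allow rule but an invalid one that the import drops.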