CLOUD SOLUTIONS

Configuration

Policy settings

The settings are organized into the following sections:

General

In this section you can enable or disable the Bitdefender Firewall and configure the general settings.

policy-eps-3_1-general.png
  • Firewall

    Use the check box to turn Firewall on or off.

    Warning

    If you turn off firewall protection, computers will be vulnerable to network and Internet attacks.

  • Block port scans

    Port scans are frequently used by hackers to find out which ports are open on a computer.

    They might then break into the computer if they find a less secure or vulnerable port.

  • Allow Internet Connection Sharing (ICS)

    Select this option to set the firewall to allow Internet Connection Sharing traffic.

    Note

    This option does not automatically enable ICS on the user's system.

  • Monitor Wi-Fi connections

    Bitdefender security agent can inform users connected to a Wi-Fi network when a new computer joins the network.

    To display such notifications on the user's screen, select this option.

  • Log verbosity level

    Bitdefender security agent maintains a log of events regarding the Firewall module usage (enabling/disabling firewall, traffic blocking, modifying settings) or generated by the activities detected by this module (scanning ports, blocking connection attempts or traffic according to the rules).

    Choose an option from the Log verbosity level to specify how much information the log should include.

  • Intrusion Detection System

    Intrusion Detection System monitors the system for suspicious activities (for example, unauthorized attempts to alter the Bitdefender files, DLL injections, keylogging attempts etc.).

    Note

    Intrusion Detection System (IDS) policy settings only apply to Endpoint Security (legacy security agent). Bitdefender Endpoint Security Tools agent integrates Host-Based Intrusion Detection System capabilities in its Advanced Threat Control (ATC) module.

    To configure Intrusion Detection System:

    1. Use the check box to turn Intrusion Detection System on or off.

    2. Click the security level that best suits your needs (Aggressive, Normal or Permissive).

      Use the description on the right side of the scale to guide your choice.

    To prevent a legitimate application from being detected by Intrusion Detection System, add an ATC/IDS process exclusion rule for that application in the Antimalware > Settings > Custom Exclusions section.

Important

Intrusion Detection System is only available for Endpoint Security clients.

Settings

The firewall automatically applies a profile based on the trust level. You can have different trust levels for network connections, depending on the network architecture or on the type of the adapter used to establish the network connection. For example, if you have sub-networks within your company's network, you can set a trust level to each sub-network.

The settings are organized under the following tables:

policy-eps-3_2-settings.png
Networks settings

If you want the Firewall to apply different profiles to several network segments within your company, you must specify the managed networks in the Networks table. Fill in the fields from the Networks table as described herein:

  • Name. Enter the name by which you can recognize the network in the list.

  • Type. Select from the menu the profile type assigned to the network.

    Bitdefender security agent automatically applies one of the four network profiles to each detected network connection on the endpoint, to define the basic traffic filtering options. The profile types are:

    • Trusted network. Disables the firewall for the respective adapters.

    • Home/Office network. Allows all traffic to and from computers in the local network while the other traffic is being filtered.

    • Public network. All traffic is filtered.

    • Untrusted network. Completely blocks network and Internet traffic through the respective adapters.

  • Identification. Select from the menu the method through which the network will be identified by the Bitdefender security agent. The networks can be identified by three methods: DNS, Gateway and Network.

    • DNS: identifies all endpoints using the specified DNS.

    • Gateway: identifies all endpoints communicating through the specified gateway.

    • Network: identifies all endpoints from the specified network segment, defined by its network address.

  • MAC. Use this field to specify the MAC address of a DNS server or of a gateway that delimits the network, depending on the selected identification method.

    You must enter the MAC address in the hexadecimal format, separated by hyphens (-) or colons (:). For example, both 00-50-56-84-32-2b and 00:50:56:84:32:2b are valid addresses.

  • IP. Use this field to define specific IP addresses in a network. The IP format depends on the identification method as follows:

    • Network. Enter the network number in the CIDR format. For example, 192.168.1.0/24, where 192.168.1.0 is the network address and /24 is the network mask.

    • Gateway. Enter the IP address of the gateway.

    • DNS. Enter the IP address of the DNS server.

After you have defined a network, click the Add button at the right side of the table to add it to the list.

Adapters settings

If a network which is not defined in the Networks table is detected, the Bitdefender security agent detects the network adapter type and applies a corresponding profile to the connection.

The fields from the Adapters table are described as follows:

  • Type. Displays the type of the network adapters. Bitdefender security agent can detect three predefined adapter types: Wired, Wireless and Virtual (Virtual Private Network).

  • Network Type. Describes the network profile assigned to a specific adapter type. The network profiles are described in the network settings section. Clicking the network type field allows you to change the setting.

    If you select Let Windows decide, for any new network connection detected after the policy is applied, Bitdefender security agent applies a profile for the firewall based on the network classification in Windows, ignoring the settings from the Adapters table.

    If the detection based on Windows Network Manager fails, a basic detection is attempted. A generic profile is used, where the network profile is considered Public and the stealth settings are set to On.

    When the endpoint joined in Active Directory connects to the domain, the firewall profile is automatically set to Home/Office and the stealth settings are set to Remote. If the computer is not in a domain, this condition is not applicable.

  • Network Discovery. Hides the computer from malicious software and hackers in the network or the Internet. Configure computer visibility in the network as needed, for each adapter type, by selecting one of the following options:

    • Yes. Anyone from the local network or the Internet can ping and detect the computer.

    • No. The computer is invisible from both the local network and the Internet.

    • Remote. The computer cannot be detected from the Internet. Anyone from the local network can ping and detect the computer.

Rules

In this section you can configure the application network access and data traffic rules enforced by the firewall.

Note that available settings apply only to the Home/Office and Public profiles.

policy-eps-3_3-rules.png
Settings

You can configure the following settings:

  • Protection level

    The selected protection level defines the firewall decision-making logic used when applications request access to network and Internet services.

    The following options are available:

    • Ruleset and allow

      Apply existing firewall rules and automatically allow all other connection attempts.

      For each new connection attempt, a rule is created and added to the ruleset.

    • Ruleset and ask

      Apply existing firewall rules and prompt the user for action for all other connection attempts.

      An alert window with detailed information about the unknown connection attempt is displayed on the user's screen.

      For each new connection attempt, a rule is created and added to the ruleset.

    • Ruleset and deny

      Apply existing firewall rules and automatically deny all other connection attempts.

      For each new connection attempt, a rule is created and added to the ruleset.

    • Ruleset, known files and allow

      Apply existing firewall rules, automatically allow connection attempts made by known applications and automatically allow all other unknown connection attempts.

      For each new connection attempt, a rule is created and added to the ruleset.

    • Ruleset, known files and ask

      Apply existing firewall rules, automatically allow connection attempts made by known applications and prompt the user for action for all other unknown connection attempts.

      An alert window with detailed information about the unknown connection attempt is displayed on the user's screen.

      For each new connection attempt, a rule is created and added to the ruleset.

    • Ruleset, known files and deny

      Apply existing firewall rules, automatically allow connection attempts made by known applications and automatically deny all other unknown connection attempts.

      For each new connection attempt, a rule is created and added to the ruleset.

    Note

    Known files represent a large collection of safe, trustworthy applications, which is compiled and continuously maintained by Bitdefender.

  • Create aggressive rules

    With this option selected, the firewall will create rules for each different process that opens the application requesting network or Internet access.

  • Create rules for applications blocked by IDS

    With this option selected, the firewall will automatically create a Deny rule each time the Intrusion Detection System blocks an application.

  • Monitor process changes

    Select this option if you want each application attempting to connect to the Internet to be checked whether it has been changed since the addition of the rule controlling its Internet access.

    If the application has been changed, a new rule will be created according to the existing protection level.

    Note

    Usually, applications are changed by updates.

    But there is a risk that they might be changed by malware applications, with the purpose of infecting the local computer and other computers in the network.

    Signed applications are supposed to be trusted and have a higher degree of security.

    You can select Ignore signed processes to automatically allow changed signed applications to connect to the Internet.

Rules

The Rules table lists the existing firewall rules, providing important information on each of them:

  • Rule name or application it refers to.

  • Protocol the rule applies to.

  • Rule action (allow or deny packets).

  • Actions you can take on the rule.

  • Rule priority.

Note

These are the firewall rules explicitly enforced by the policy.

Additional rules may be configured on computers as a result of applying firewall settings.

A number of default firewall rules help you easily allow or deny popular traffic types.

Choose the desired option from the Permission menu.

  • Incoming ICMP / ICMPv6

    Allow or deny ICMP / ICMPv6 messages.

    ICMP messages are often used by hackers to carry out attacks against computer networks.

    By default, this type of traffic is allowed.

  • Incoming Remote Desktop Connections

    Allow or deny other computers' access over Remote Desktop Connections.

    By default, this type of traffic is allowed.

  • Sending Emails

    Allow or deny sending emails over SMTP.

    By default, this type of traffic is allowed.

  • Web Browsing HTTP

    Allow or deny HTTP web browsing.

    By default, this type of traffic is allowed.

  • Network Printing

    Allow or deny access to printers in another local area network.

    By default, this type of traffic is denied.

  • Windows Explorer traffic on HTTP / FTP

    Allow or deny HTTP and FTP traffic from Windows Explorer.

    By default, this type of traffic is denied.

Besides the default rules, you can create additional firewall rules for other applications installed on endpoints.

This configuration however is reserved for administrators with strong networking skills.

To create and configure a new rule, click the add.png Add button at the upper side of the table.

Refer to the following topic for more information.

To remove a rule from the list, select it and click the delete.png Delete button at the upper side of the table.

Note

You can neither delete nor modify the default firewall rules.

Configuring custom rules

You can configure two types of firewall rules:

  • Application-based rules

    Such rules apply to specific software found on the client computers.

  • Connection-based rules

    Such rules apply to any application or service that uses a specific connection.

To create and configure a new rule, click the add.png Add button at the upper side of the table and select the desired rule type from the menu.

To edit an existing rule, click the rule name.

The following settings can be configured:

  • Rule name

    Enter the name under which the rule will be listed in the rules table ( for example, the name of the application the rule applies to ).

  • Application path (only for application-based rules).

    You must specify the path to the application executable file on the target computers.

    • Choose from the menu a predefined location and complete the path as needed.

      For example, for an application installed in the Program Files folder, select %ProgramFiles% and complete the path by adding a backslash (\) and the name of the application folder.

    • Enter the full path in the edit field.

      It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.

  • Command line (only for application-based rules).

    If you want the rule to apply only when the specified application is opened with a specific command in the Windows command line interface, type the respective command in the edit field. Otherwise, leave it blank.

  • Application MD5 (only for application-based rules).

    If you want the rule to check the application's file data integrity based on its MD5 hash code, enter it in the edit field. Otherwise, leave the field blank.

  • Local Address

    Specify the local IP address and port the rule applies to.

    If you have more than one network adapter, you can clear the Any check box and type a specific IP address.

    Likewise, to filter connections on a specific port or port range, clear the Any check box and enter the desired port or port range in the corresponding field.

  • Remote Address

    Specify the remote IP address and port the rule applies to.

    To filter the traffic to and from a specific computer, clear the Any check box and type its IP address.

  • Apply rule only for directly connected computers

    You can filter access based on Mac address.

  • Protocol

    Select the IP protocol the rule applies to.

    • If you want the rule to apply to all protocols, select Any.

    • If you want the rule to apply to TCP, select TCP.

    • If you want the rule to apply to UDP, select UDP.

    • If you want the rule to apply to a specific protocol, select that protocol from the Other menu.

      Note

      IP protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

      You can find the complete list of assigned IP protocol numbers at http://www.iana.org/assignments/protocol-numbers.

  • Direction

    Select the traffic direction the rule applies to.

    Direction

    Description

    Outbound

    The rule applies only for the outgoing traffic.

    Inbound

    The rule applies only for the incoming traffic.

    Both

    The rule applies in both directions.

  • IP version

    Select the IP version (IPv4, IPv6 or any) the rule applies to.

  • Network

    Select the type of network the rule applies to.

  • Permission

    Select one of the available permissions:

    Permission

    Description

    Allow

    The specified application will be allowed network / Internet access under the specified circumstances.

    Deny

    The specified application will be denied network / Internet access under the specified circumstances.

Click Save to add the rule.

For the rules you created, use the arrows at the right side of the table to set each rule priority. The rule with higher priority is closer to the top of the list.

Importing and Exporting Rules

You can export and import firewall rules to use them in other policies or companies. To export rules:

  1. Click Export at the upper side of the rules table.

  2. Save the CSV file to your computer. Depending on your browser settings, the file may download automatically, or you will be asked to save it to a location.

Important

  • Each row in the CSV file corresponds to a single rule and has multiple fields.

  • The position of firewall rules in the CSV file determines their priority. You can change the priority of a rule by moving the entire row.

For the default set of rules, you can modify only the following elements:

  • Priority: Set the priority of the rule in any order you wish by moving the CSV row.

  • Permission: Modify the field set. Permission using the available permissions:

    • 1 for Allow

    • 2 for Deny

Any other adjustments are discarded at import.

For custom firewall rules, all field values are configurable as follows:

Field

Name and Value

ruleType

Rule type:

  • 1 for Application Rule

  • 2 for Connection Rule

type

The value for this field is optional.

details.name

Rule name

details.applictionPath

Application MD5 (only for application-based rules)

details.commandLine

Command line (only for application-based rules)

details.applicationMd5

Application MD5 (only for application-based rules)

settings.protocol

Protocol

  • 1 for Any

  • 2 for TCP

  • 3 for UDP

  • 4 for Others

settings.customProtocol

Required only if Protocol is set to Other.

For specific values, consider this page. The values 0, 4, 6, 41, 61, 63, 68, 99, 114, 124, 34-37,141-143 are not supported.

settings.direction

Direction:

  • 1 for Both

  • 2 for Inbound

  • 3 for Outbound

settings.ipVersion

IP version:

  • 1 for Any

  • 2 for IPv4

  • 3 for IPv6

settings.localAddress.any

Local Address is set to Any:

  • 1 for True

  • 0 or empty for False

settings.localAddress.ipMask

Local Address is set to IP or IP/Mask

settings.remoteAddress.portRange

Remote Address is set to Port or port range

settings.directlyConnected.enable

Apply rule only for directly connected computers:

  • 1 for Enabled

  • 0 for empty or disabled

settings.directlyConnected.remoteMac

Apply rule only for directly connected computers with MAC address filter.

permission.home

The Network to which the rule applies is Home/Office:

  • 1 for True

  • 0 for empty or False

permission.public

The Network to which the rule applies is Public:

  • 1 for True

  • 0 for empty or False

permission.setPermission

Available permissions:

  • 1 for Allow

  • 2 for Deny

To import rules:

  1. Click Import at the upper side of the Rules table.

  2. In the new window, click Add and select the CSV file.

  3. Click Save. The table is populated with the valid rules.