SentinelOne Firewall Control lets you manage endpoint firewall settings from your SentinelOne Management Console. Use Firewall Control to define which network traffic, applications, and connections are allowed in and out of endpoints.

Firewall Control policy can be Global, for a Site, or for a Group. Groups and Sites can inherit policies or have their own.

Define the policy in the Management Console in Network > Firewall Control. The Firewall Control policy includes Settings and Rules:

  • Settings: Turn Firewall Control on or off and define the inheritance settings. The same settings apply to Windows and macOS endpoints.
  • Rules: Create and organize rules to allow or block network traffic. There are different sets of rules for Windows and macOS endpoints.

Changes to the Firewall Control policy show in Activity > Operations > Firewall Control.

In this release Firewall Control events do not have logs in the Management Console.

In this release there are no default rules. All traffic is allowed if you do not block it explicitly.

Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other firewall solutions on the endpoint will become inactive.

SentinelOne Firewall Control on Windows

In Windows Security Center, SentinelOne Firewall Control is registered in two Network Firewall categories:

  • NET_FW_RULE_CATEGORY_FIREWALL
  • NET_FW_RULE_CATEGORY_BOOT

The SentinelOne EPP registers as Virus protection.


SentinelOne Firewall Control does not register in these categories:

  • NET_FW_RULE_CATEGORY_STEAL
  • NET_FW_RULE_CATEGORY_CONSEC

Windows Firewall can be registered in the other two categories.

Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other firewall solutions on the endpoint will become inactive.

SentinelOne Firewall Control on Mac

In macOS SentinelOne is not registered as a firewall product. Firewall Control works in parallel to the macOS firewall, which can block unwanted Applications. If there is a conflict between the macOS firewall and the SentinelOne firewall, the SentinelOne firewall rules have priority.

Firewall Control Settings

In the Firewall Control settings, define the policy inheritance and turn Firewall Control on or off.

By default, Firewall Control is disabled at the Global level. When it is first enabled, all Sites and Groups inherit the Firewall Control policy from the Global policy.

By default, Agents have Firewall Control disabled, until they connect to a Site or Group with an enabled Firewall Control policy.

Note: When you enable SentinelOne Firewall Control on Windows endpoints, rules from other firewall solutions on the endpoint will become inactive.

To configure Firewall Control settings:

  1. In the Management Console, click Network.
  2. Select a Scope: A Site, a Group, or All Sites, for Global Admins.
  3. Click Firewall Control.
  4. Click the Settings icon.
  5. Click Enable Firewall Control, if it is not enabled.
  6. For a Site or Group: Use the toggle to turn the inheritance on or off.
  7. Optional: You can click Disable Firewall Control. This disables the feature for your current Scope and all Sites and Groups that inherit Firewall Control settings from this Scope.

For a Site or Group, you must turn off inheritance before you can disable Firewall Control.

Existing rules remain in the policy but become inactive. When you enable Firewall Control again, the rules will become active with their latest Enabled or Disabled state.

Firewall Control Policy Inheritance:

  • To make a Site inherit rules and settings from Global:
    1. Turn on Inherits rules and settings from Global (on by default).
    2. The Site uses the Global settings and the Global rules.
    3. You can add Site rules.
  • To give a Site its own policy:
    1. Turn off Inherits rules and settings from Global.
    2. The Site uses the settings that you configure.
    3. The Site uses only Site rules.
  • To make a Group inherit rules and settings from a Site that inherits from the Global settings:
    1. Turn on Inherits rules and settings from Global (on by default).
    2. The Group uses Global settings, and Global and Site rules.
    3. You can add Group rules.
  • To make a Group inherit rules and settings from a Site that has its own policy:
    1. Turn on Inherits rules and settings from Site (on by default).
    2. The Group uses the Site settings and the Site rules.
    3. You can add Group rules.
  • To give a Group its own policy:
    1. Turn off Inherits rules and settings from Site.
    2. The Group uses the settings you configure.
    3. The Group uses only Group rules.
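The inheritance cases above, worked through as an added Python example (not SentinelOne code). The ScopePolicy and EffectivePolicy classes, the rule names and the sample Site and Group hierarchy are constructed for this example; the behaviour they encode follows the text: a Site that inherits takes the Global settings and Global rules and evaluates its own rules first, a Group that inherits takes whatever its Site effectively uses, a scope with its own policy uses only its own settings and rules, rules remain in a disabled scope but are not active, and inheritance must be turned off before Firewall Control can be disabled on a Site or Group.

```python
from dataclasses import dataclass, field
from typing import List

# Hypothetical data model for this example: one ScopePolicy per Global, Site or
# Group scope. "inherits" is the console toggle "Inherits rules and settings
# from Global/Site"; Global has no parent, so it is created with inherits=False.
@dataclass
class ScopePolicy:
    name: str
    enabled: bool = False                             # Firewall Control on/off at this scope
    inherits: bool = True                             # on by default, as in the console
    rules: List[str] = field(default_factory=list)    # rule names, first to last


@dataclass
class EffectivePolicy:
    enabled: bool
    rules: List[str]   # in the order the Agent applies them: Group, Site, Global

    def active_rules(self) -> List[str]:
        # When Firewall Control is off, the rules stay in the policy but none is active.
        return list(self.rules) if self.enabled else []


def effective_site(global_p: ScopePolicy, site: ScopePolicy) -> EffectivePolicy:
    if site.inherits:
        # Site uses Global settings and Global rules; its own rules are evaluated first.
        return EffectivePolicy(global_p.enabled, site.rules + global_p.rules)
    # Site with its own policy: its own settings, only Site rules.
    return EffectivePolicy(site.enabled, list(site.rules))


def effective_group(global_p: ScopePolicy, site: ScopePolicy, group: ScopePolicy) -> EffectivePolicy:
    if group.inherits:
        # The Group takes whatever the Site effectively uses (Global or the Site's
        # own policy), with the Group rules in front.
        parent = effective_site(global_p, site)
        return EffectivePolicy(parent.enabled, group.rules + parent.rules)
    return EffectivePolicy(group.enabled, list(group.rules))


def can_disable(scope: ScopePolicy) -> bool:
    # A Site or Group must stop inheriting before Firewall Control can be disabled there.
    return not scope.inherits


# Constructed sample hierarchy.
GLOBAL = ScopePolicy("Global", enabled=True, inherits=False, rules=["G-block-telnet-out"])
SITE_A = ScopePolicy("Site A", rules=["A-allow-vpn"])                    # inherits from Global
GROUP_X = ScopePolicy("Group X", rules=["X-block-smb-in"])               # inherits from Site A
SITE_B = ScopePolicy("Site B", enabled=False, inherits=False, rules=["B-allow-printer"])
GROUP_Y = ScopePolicy("Group Y", rules=["Y-block-ftp"])                  # inherits from Site B
GROUP_Z = ScopePolicy("Group Z", enabled=True, inherits=False, rules=["Z-block-all-in"])

if __name__ == "__main__":
    for label, pol in [
        ("Site A", effective_site(GLOBAL, SITE_A)),
        ("Group X", effective_group(GLOBAL, SITE_A, GROUP_X)),
        ("Site B", effective_site(GLOBAL, SITE_B)),
        ("Group Y", effective_group(GLOBAL, SITE_B, GROUP_Y)),
        ("Group Z", effective_group(GLOBAL, SITE_B, GROUP_Z)),
    ]:
        print(f"{label}: enabled={pol.enabled} active={pol.active_rules()}")
```

Group Y is the case worth noticing: it inherits from a Site whose own policy is disabled, so its rules are carried in the policy but none of them is active until Site B enables Firewall Control or the Group stops inheriting and enables it itself.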

Firewall Control – Event Logging

See Firewall Control events in Activity and read the local log file, written in clear text, for Firewall Control events of an endpoint with Firewall Control enabled. Enable the logs for specific endpoints, one Agent at a time.

Note: Each Agent with Firewall Control Event Logging enabled keeps five log files, for a total of 100 MB maximum. The logs cycle older lines to maintain the size threshold.

Important: Before you begin, make sure the Group and Site of the Agent have Firewall Control enabled.

To enable Firewall Control logs:

  • In Endpoint Details: click Actions > Configure Firewall Logging.
  • In sentinelctl:
    sentinelctl config -p agent.firewallLogging.reportLog -v true – Enables log write and read on the endpoint.
    sentinelctl config -p agent.firewallLogging.reportMgmt -v true – Enables Firewall Control events on this endpoint to show in the Activity page.
  • In Policy Override:
    {
      "firewallLogging": {
        "reportLog": true,
        "reportMgmt": true
      }
    }

To see Firewall Control in Activity:

  1. In the Management Console, click Activity.
  2. In the Operations menu, click Firewall control.

The Activity Log shows events such as "<management user name> updated Firewall Control settings in <Group or Site>" and "Modified the settings parameter <parameter> from <value> to <value>".

To read Firewall Control logs:

  1. On the Windows endpoint, run: cd C:\ProgramData\Sentinel\logs
  2. Find the log files that have "visible" in their name. For example: SentinelOne_visible_0.log

Note: You can open the Firewall Control logs in the text editor of your choice.

You can also send Firewall Control events to your syslog server. Select activities in Settings > Notifications > Firewall Control.


Firewall Control Rules

Firewall Control rules let you allow or block network traffic, based on the traffic identifiers reported by the operating system. There are different rules for Windows endpoints and for macOS endpoints. When the Management Server sends policy information to Agents, it includes these rules based on the Firewall Control policy.

The Agent looks at the rules based on their order in the Firewall Control policy, from the top to the bottom. When the Agent finds a rule that matches the parameters of the traffic, that rule is applied. The Agent does not continue to the lower rules in the list. If the matched rule has the Block Action, the Agent blocks the traffic. If the matched rule has the Allow Action, the traffic can pass.

  • The rules that apply to your current Scope show in Network > Firewall Control.
  • Click Select filters to filter the rules by rule attributes. Select the attributes to filter for or use the free text search.

The Agent applies the rules in this order:

  1. Group rules from first to last.
  2. Site rules from first to last.
  3. Global rules from first to last.

New rules are added to the top of the relevant section of the Firewall Control policy.

To change the order of the rules:

You can change the order of rules within your Admin Scope.

  • Global Admins can change the order of the Global, Site, and Group rules.
  • Site Admins can change the order of Site rules and Group rules, for Sites and Groups in their Scope.

  1. In the Management Console, click Network.
  2. Select a Scope.
  3. Click Firewall Control.
  4. Select Windows or macOS.
  5. Click Reorder rules.
  6. In the window that opens, change the order of the rules in one of these ways:
     • Drag and drop rules.
     • In the Order column, click the number of the rule and enter a new number.
  7. Click Save.

Create rules for a specific Scope and OS to allow or block network traffic.

When you create a rule, it applies to the current Scope of the Network view.

  • For network traffic to match a rule, all parameters of the rule must match the traffic.
  • The default for each parameter is Any, which means that no restrictions are defined.
  • You can create one cleanup rule, with the Action of Allow or Block and with no other parameters defined explicitly. Make this the default rule at the end of your rule list. Traffic that does not match other rules first will match this rule. If you do not have a cleanup rule to match all traffic, the default Firewall Control behavior is to allow traffic that is not explicitly blocked.
  • For all other rules, you can leave the parameters as Any, but at least one parameter must be defined explicitly.

Firewall Rule Attributes

Rule Name – A descriptive name of the rule. It must be a different name from other rules in the Scope.

Protocol – An IP protocol the rule applies to. All standard protocols are supported. Select one protocol from the list.
    Any – Protocol is not defined.

Application – An application the rule applies to, in a specific location on the endpoint. The rule only applies to the application if it is in the defined location. Enter the full path name, including the application.
    Any – Application is not defined.

Direction – The direction of the traffic the rule applies to.
    Inbound – The rule applies to traffic that is received on an endpoint.
    Outbound – The rule applies to traffic that leaves an endpoint.
    Any – The rule applies to inbound and outbound traffic.
    Optional: Define the Local host.
    Optional: Define the Remote host.

Local host – The local IP address or range of addresses for endpoints that the rule applies to. For Inbound traffic, the local host is the destination. For Outbound traffic, the local host is the source. IPv4 or IPv6.
    Any – Local host is not defined.
    Address – Enter an IP address.
    CIDR – Enter an IP range in CIDR notation.
    Range – Enter an IP address range start and end.

Local port – The local port or range of ports that the rule applies to.
    Any – Local port is not defined.
    Single string – Enter a port number.
    Range – Enter a port number range start and end.

Remote host – The remote host: the source for Inbound traffic or the destination for Outbound traffic. IPv4 or IPv6.
    Any – Remote host is not defined.
    Address – Enter an IP address.
    CIDR – Enter an IP range in CIDR notation.
    Range – Enter an IP address range start and end.

Remote port – The remote port or range of ports that the rule applies to.
    Any – Remote port is not defined.
    Single string – Enter a port number.
    Range – Enter a port number range start and end.

Action – Define if Agents Block or Allow IP packets that match the rule parameters.

Status – State of the rule:
    Enabled – Active if Firewall Control is enabled.
    Disabled – Not active.
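The first-match evaluation (Group rules, then Site rules, then Global rules, each from the top down), the "all parameters must match" requirement, the Any default, the Disabled status, the cleanup rule and the default allow, worked through together as an added Python example that is not SentinelOne code. The Traffic and Rule classes, the string formats used for host specs (Address, CIDR, or start-end Range) and port specs (single number or start-end Range), and the sample rules and connection records are all constructed for this example; how the Agent actually represents rules and traffic is not described on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed connection record, carrying the identifiers the OS reports for traffic.
@dataclass(frozen=True)
class Traffic:
    protocol: str       # "TCP", "UDP", ...
    application: str    # full path of the process on the endpoint
    direction: str      # "Inbound" or "Outbound"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

# Hypothetical rule model: None stands for the console default "Any".
# Host specs: "10.0.0.5" (Address), "10.0.0.0/24" (CIDR), "10.0.0.1-10.0.0.9" (Range).
# Port specs: "3389" (single) or "1000-2000" (Range).
@dataclass
class Rule:
    name: str
    action: str                         # "Allow" or "Block"
    enabled: bool = True                # Disabled rules are never active
    protocol: Optional[str] = None
    application: Optional[str] = None
    direction: Optional[str] = None
    local_host: Optional[str] = None
    local_port: Optional[str] = None
    remote_host: Optional[str] = None
    remote_port: Optional[str] = None

def host_matches(spec: Optional[str], ip: str) -> bool:
    if spec is None:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:                                   # Range: start-end, same IP version
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo.version == addr.version and lo <= addr <= hi
    # Address or CIDR; a bare address becomes a /32 or /128 network.
    # An IPv4 address never matches an IPv6 network, and vice versa.
    return addr in ipaddress.ip_network(spec, strict=False)

def port_matches(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    if "-" in spec:                                   # Range: start-end
        lo, hi = (int(s) for s in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)

def rule_matches(rule: Rule, t: Traffic) -> bool:
    """Every parameter of the rule must match the traffic; Any (None) always matches."""
    return (
        (rule.protocol is None or rule.protocol.upper() == t.protocol.upper())
        and (rule.application is None or rule.application.casefold() == t.application.casefold())
        and (rule.direction is None or rule.direction == t.direction)
        and host_matches(rule.local_host, t.local_ip)
        and port_matches(rule.local_port, t.local_port)
        and host_matches(rule.remote_host, t.remote_ip)
        and port_matches(rule.remote_port, t.remote_port)
    )

def evaluate(group_rules: Sequence[Rule], site_rules: Sequence[Rule],
             global_rules: Sequence[Rule], t: Traffic) -> Tuple[str, Optional[str]]:
    """First match wins: Group, then Site, then Global rules, each top to bottom.
    Disabled rules are skipped. Without a cleanup rule, unmatched traffic is allowed."""
    for rule in (*group_rules, *site_rules, *global_rules):
        if rule.enabled and rule_matches(rule, t):
            return rule.action, rule.name
    return "Allow", None

# Constructed sample policy.
GROUP_RULES = [
    Rule("Block Telnet out", "Block", protocol="TCP", direction="Outbound", remote_port="23"),
]
SITE_RULES = [
    Rule("Allow RDP from mgmt net", "Allow", protocol="TCP", direction="Inbound",
         local_port="3389", remote_host="10.10.0.0/24"),
    Rule("Block RDP", "Block", protocol="TCP", direction="Inbound", local_port="3389"),
    Rule("Block legacy agent", "Block", application=r"C:\Tools\legacy\agent.exe", enabled=False),
]
GLOBAL_RULES = [
    Rule("Block lab range to ephemeral ports", "Block", direction="Inbound",
         remote_host="192.0.2.10-192.0.2.20", local_port="49152-65535"),
]
CLEANUP = Rule("Cleanup: block everything else", "Block")   # no parameters: matches all traffic

# Constructed connection records.
T_TELNET = Traffic("tcp", r"C:\Windows\System32\telnet.exe", "Outbound", "10.0.0.5", 51000, "203.0.113.9", 23)
T_RDP_MGMT = Traffic("TCP", r"C:\Windows\System32\svchost.exe", "Inbound", "10.0.0.5", 3389, "10.10.0.7", 50000)
T_RDP_OTHER = Traffic("TCP", r"C:\Windows\System32\svchost.exe", "Inbound", "10.0.0.5", 3389, "192.168.1.5", 50000)
T_LEGACY_DNS = Traffic("UDP", r"C:\Tools\legacy\agent.exe", "Outbound", "10.0.0.5", 5000, "198.51.100.4", 53)
T_LAB = Traffic("TCP", r"C:\app.exe", "Inbound", "10.0.0.5", 60000, "192.0.2.15", 4444)

if __name__ == "__main__":
    for t in (T_TELNET, T_RDP_MGMT, T_RDP_OTHER, T_LEGACY_DNS, T_LAB):
        print(t.direction, t.remote_ip, t.remote_port, "->", evaluate(GROUP_RULES, SITE_RULES, GLOBAL_RULES, t))
    print("with cleanup rule:", evaluate(GROUP_RULES, SITE_RULES, GLOBAL_RULES + [CLEANUP], T_LEGACY_DNS))
```

Two outcomes illustrate the ordering: RDP from the management network is allowed even though a Block RDP rule sits directly below, because the Allow rule is matched first; and the legacy agent's DNS traffic passes because its Block rule is Disabled, so nothing matches and the default allow applies unless the cleanup rule is present at the end of the Global rules.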

To create a rule:

  1. In the Management Console, click Network.
  2. Select a Scope.
  3. Click Firewall Control.
  4. Click New rule.
  5. In the window that opens, enter the details of the rule:
     • Name – Enter a descriptive name for the rule. The rule name must be different from other rule names in the Scope.
     • OS Type – Select the OS for the rule: Windows or macOS.
     • Tag – Optional: Enter tags that you can search for in the rule base.
     • Scope – This is taken automatically from the current Scope of the Network view. If you want to give the rule a different Scope, click Cancel and select a different Scope in Network. Or you can move the rule to a different Scope later.
     • Action – Select Allow or Block to define if Agents block or allow network traffic that matches the rule parameters.
  6. Click Continue.
  7. In the window that opens, define the parameters of the rule.
     • Click + to expand each parameter.
     • Click Close to minimize a parameter.
     • Press Tab to move to the next parameter.
     Note: Parameters that are not explicitly defined are set to the default value, which is Any.
  8. Enable rule immediately after saving is selected by default. This means that the rule becomes active immediately. To create the rule in Disabled state, deselect this.
  9. Click Save rule.

To enable or disable a rule:

If a rule is Disabled, it is never active but shows in the policy with the Disabled Status.

If a rule is Enabled, it is active if Firewall Control is enabled. If Firewall Control is disabled for the rule's Scope, the rule keeps the Status Enabled but is not active. It will become active automatically if Firewall Control is enabled.

  1. In Network > Firewall Control, do one of these:
     • Select a rule and click Actions.
     • Click on a rule, and in the Rule Details window, click Options.
  2. Select Enable or Disable.

To edit a rule:

  1. In Network > Firewall Control, click on a rule.
  2. In the Rule Details window, click Edit.
  3. Make changes in the Rule Details, or click Continue to open the next page of the Rule Details and change the rule parameters.
  4. Click Save changes.

You can copy a Firewall Control rule to use it in multiple Sites or groups. For example:

  • You have a rule for Site A: Copy it to use it in all of Site B, or copy it to one Group of Site B.
  • You have a rule in Group X, which is in Site A: Copy it to two other Groups in Site A.

You can move Firewall Control rules to change their Scope. For example:

  • You made a Group rule for one Group and want to change it to be a Site rule.
  • You made a rule for Site A and want it to apply to Site B instead.

To move Firewall Control rules between Sites or Groups:

  1. In the Management Console, click Network.
  2. Select a Scope.
  3. Click Firewall Control.
  4. Select a rule or multiple rules.
  5. Click Actions and select Move.
  6. Select the destination for the rule.
  7. Click Move Rule.

To copy Firewall Control rules:

  1. In the Management Console, click Network.
  2. Select a Scope.
  3. Click Firewall Control.
  4. Select a rule or multiple rules.
  5. Click Actions and select Copy.
  6. In the Copy Rules window:
     1. In the SITES column, select a Site.
     2. In the GROUPS column, select All Groups, or one or more specific
  7. Click Done.

You can export Firewall Control rules from one Site and import them to another Site or a Group. You can also export rules from one SentinelOne deployment and import them into a different SentinelOne deployment.

When you import rules, all rules are imported to the current Scope. For example, if you are in a Site that inherits the Global Firewall Control policy, and you export the Firewall Control rules and import them to a different Site: All Global and Site rules become Site rules in the Site to which you imported.

To export Firewall Control rules from the Management Console:

You can export rules to a .json file. All rules for your current Scope are exported. This includes Global rules that might apply to the Scope, even if you do not have permissions to edit them.

  1. In the Management Console, click Network.
  2. Select a Scope.
  3. Click Firewall Control.
  4. Select Windows or macOS.
  5. Click the Export rules icon.

The exported rules download in a .json file to the default Downloads folder of the computer from which you clicked Export rules.

To import Firewall Control rules:

  1. In the Management Console, click Network.
  2. Select a Scope.
  3. Click Firewall Control.
  4. Select Windows or macOS.
  5. Click the Import rules icon.
  6. In the Import Rules window, click Choose file to upload.
  7. Browse to the file location and click Open.
  8. In the Import Rules window, click Approve.