In order to have a good experience using the HEIMDAL™ Security services and the HEIMDAL™ Firewall Management module, we recommend you take a look at the following information:
The Firewall Management module allows you to control the Windows Firewall from the Heimdal Management Portal.
Enable Firewall Management - this option allows you to enable the management of the Windows Firewall. If this option is turned OFF, the Windows Firewall will remain ON. If the Windows Firewall is disabled and this option is enabled, Heimdal will turn ON the Windows Firewall as well.
Block RDP port on brute force detection - this option automatically blocks RDP port 3389 when brute force attempts are detected. Blocked machines can be viewed and unblocked from the Active Clients View.
In the Active Clients view, you have the option to unblock the RDP port, if blocked.
If the default RDP port is changed, our brute force detection will no longer be active.
Use automatic rules - if this option is enabled, you can select the profile you want to enable and the Incoming / Outgoing connections for it. The Incoming / Outgoing connections can only be selected once the corresponding profile is enabled.
Allow isolation - when this option is enabled, the user can choose whether an endpoint is isolated. If the endpoint is isolated, all its external connections are rerouted through the Heimdal Security systems.
Once the option is enabled, the machine can be isolated from the Active Clients view by selecting the machine you want to isolate and pressing the Isolate button.
Allow ICMP Echo Requests - this option allows you to create a firewall rule which allows ping requests in the network.
! If Firewall Management is enabled from the Group Policy page, clients cannot ping the machines in their network that have Thor installed.
Important! After the Agent is installed:
- In “Windows Defender Firewall with Advanced Security” there should be a new Inbound Rule named “Heimdal-Ping-ICMPv4”.
- You should be able to ping the machine with the Agent installed.
Add New Rule - this option allows you to add / edit / remove rules. The changes take effect after you click Save / Update policy. The name of the rule needs to be unique. The protocol on which a rule was created is appended to its name. Example: in the dashboard, we add a rule “Block SQL server port”; on the client machine the rule will be named “Block SQL server port-TCP” for the TCP protocol and “Block SQL server port-UDP” for the UDP protocol. This is needed to keep the naming clear, because a single Windows Firewall rule cannot cover both protocols, so selecting BOTH in the dashboard adds one rule per protocol.
You can also unisolate an active client that was isolated before. If the Agent has not yet processed the isolate / unisolate command for the client, the action can be cancelled.
When the isolate command is received on the machine, the firewall disables all existing rules whose name does not contain “Heimdal” and creates allow rules for the following Heimdal executables: clienthost, antivirus, firewall, Heimdal™ Email Security, Heimdal™ Email Security Monitor. With those allowed, the main rule, named “HeimdalIsolate”, is added to block all ports for either inbound or outbound traffic. From then on, only those applications are able to communicate through the firewall.
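To verify on an endpoint that the “Heimdal-Ping-ICMPv4” rule from the installation check above exists and that the isolation state matches the description in this paragraph, the following added script (not Heimdal's own code) queries the local Windows Firewall; it assumes the NetSecurity cmdlets available on Windows 8 / Server 2012 and later, and the report field names are its own:

```powershell
# Added check (not Heimdal's code): report the Heimdal-related Windows Firewall
# state on an endpoint. Rule names "Heimdal-Ping-ICMPv4" and "HeimdalIsolate"
# and the "Heimdal" naming convention are taken from the documentation above.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later).
function Get-HeimdalFirewallState {
    $all     = Get-NetFirewallRule
    $ping    = $all | Where-Object DisplayName -eq 'Heimdal-Ping-ICMPv4'
    $isolate = $all | Where-Object DisplayName -eq 'HeimdalIsolate'

    # While isolated, every rule without "Heimdal" in its name should be disabled
    # and only Heimdal allow rules plus the HeimdalIsolate block rule stay active.
    $nonHeimdalEnabled = $all | Where-Object {
        $_.DisplayName -notlike '*Heimdal*' -and $_.Enabled -eq 'True'
    }
    $heimdalAllow = $all | Where-Object {
        $_.DisplayName -like '*Heimdal*' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
    }

    [pscustomobject]@{
        ProfilesOn               = (Get-NetFirewallProfile | Where-Object Enabled -eq 'True').Name -join ','
        PingRulePresent          = [bool]$ping
        PingRuleEnabled          = [bool]($ping | Where-Object Enabled -eq 'True')
        Isolated                 = [bool]$isolate
        IsolateRuleDirections    = (@($isolate).Direction | Sort-Object -Unique) -join ','
        EnabledNonHeimdalRules   = @($nonHeimdalEnabled).Count   # expect 0 while isolated
        EnabledHeimdalAllowRules = @($heimdalAllow).Count
    }
}

Get-HeimdalFirewallState | Format-List
```

Run it in an elevated PowerShell session on the endpoint; the ping test itself (reaching the machine from another host) is done separately, as described in the installation check.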
What happens if a client has the RDP port blocked by us, but at the same time has a rule set in our firewall that allows a certain application to run on the RDP port:
The RDP block rule applies to all profiles on the TCP protocol. The important point is that the Block RDP function always overrides Allow rules, so nothing can override this rule, including Allow rules that were set earlier.
As mentioned above, the Cancel Isolate, Unisolate, and Cancel Unisolate options can also be found in the Active Clients View, in the drop-down menu.
Information about the Firewall can be found in the left menu of the dashboard by clicking on Heimdal™ Next-Gen Antivirus, Firewall & MDM.
Here you will have the Firewall View, which includes the Firewall Rules and Firewall Alerts:
- Firewall Rules
In the Firewall Rules View, you will be able to see all the new rules that Windows creates in the Windows Firewall (this event is logged in the Event Viewer, under Microsoft -> Windows -> Windows Firewall with Advanced Security -> Firewall -> event ID 2004). When the Agent finds an application with a new rule, it sends it to the Heimdal Dashboard to be displayed in the Next-Gen Antivirus, Firewall & MDM view -> Firewall Rules (if no other rule in the Group Policy under Firewall matches it).
The rules created in Firewall Management are not displayed in the Firewall Rules view within the Next-Gen Antivirus, Firewall & MDM view. These custom rules are displayed ONLY in the specific Group Policy, under the Firewall Management sub-tab where they were created.
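The event ID 2004 entries mentioned above can be pulled locally to cross-check what the dashboard shows. The following is an added example (not Heimdal's code): the log name and event ID are the documented ones, while the EventData field names it reads (RuleName, ApplicationPath, Direction, Action, ModifyingApplication) are an assumption and unknown fields simply come back empty.

```powershell
# Added example (not Heimdal's code): list rules Windows recorded as newly added
# (event ID 2004), the same event the Agent forwards to the dashboard.
# Log name and event ID are from the documentation; EventData field names are assumed.
function Get-NewFirewallRuleEvents {
    param([int] $Hours = 24)
    $log    = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    $filter = @{ LogName = $log; Id = 2004; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the <Data Name="..."> elements of the event XML into a hashtable.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            RuleName    = $data['RuleName']
            Application = $data['ApplicationPath']
            Direction   = $data['Direction']          # raw value as logged
            Action      = $data['Action']             # raw value as logged
            ModifiedBy  = $data['ModifyingApplication']
            HeimdalRule = ($data['RuleName'] -like '*Heimdal*')   # naming convention from the page
        }
    }
}

# Rules added in the last day, newest first; non-Heimdal rules are the ones to review.
Get-NewFirewallRuleEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```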
- Firewall Alerts
In the Firewall Alerts View, you will be able to see all the unwanted connections.
If an invalid password event is detected and it occurs more than 5 times, we wait 5 minutes (the time in which we check whether more invalid attempts follow). If there are no invalid passwords in the next 5 minutes, the Agent sends the Dashboard a log containing the 5 invalid attempts. If there are one or more invalid attempts during the 5 minutes we wait, the delay starts again (this is repeated for every attempt as long as no more than 20 minutes have passed between the first and the last occurrence of an invalid password). After the Agent sends a notification to the Dashboard, the timer and the list of invalid attempts are reset.
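The timing described above, modelled as an added PowerShell function (this is an illustration, not Heimdal's agent code). It assumes the quiet period starts with the failure that brings a batch to the threshold and that a batch whose first and last failure are more than 20 minutes apart is sent without restarting the wait; the sample timestamps are constructed inline.

```powershell
# Added model (not Heimdal's code) of the notification timing described above.
# Assumptions: the quiet period starts with the failure that makes the batch reach
# $Threshold attempts, and a batch whose first and last failure lie more than
# $MaxWindowMinutes apart is sent at once instead of restarting the quiet period.
function Get-BruteForceNotifications {
    param(
        [Parameter(Mandatory)] [datetime[]] $FailureTimes,
        [int] $Threshold        = 5,
        [int] $QuietMinutes     = 5,
        [int] $MaxWindowMinutes = 20
    )
    $sent     = New-Object System.Collections.Generic.List[object]
    $pending  = New-Object System.Collections.Generic.List[datetime]
    $deadline = $null
    # Builds the record for the batch currently held in $pending.
    $batch = { param([datetime] $At)
        [pscustomobject]@{ SentAt = $At; Attempts = $pending.Count
                           First = $pending[0]; Last = $pending[$pending.Count - 1] } }

    foreach ($t in ($FailureTimes | Sort-Object)) {
        # The quiet period ran out before this failure: the earlier batch went out at the deadline.
        if ($null -ne $deadline -and $t -gt $deadline) {
            $sent.Add((& $batch $deadline)); $pending.Clear(); $deadline = $null
        }
        $pending.Add($t)
        if ($pending.Count -lt $Threshold) { continue }   # not enough failures yet
        if (($t - $pending[0]).TotalMinutes -gt $MaxWindowMinutes) {
            # First and last failure more than 20 minutes apart: no further delay.
            $sent.Add((& $batch $t)); $pending.Clear(); $deadline = $null
        } else {
            $deadline = $t.AddMinutes($QuietMinutes)   # (re)start the quiet period
        }
    }
    if ($null -ne $deadline) { $sent.Add((& $batch $deadline)) }   # quiet period ended after the last failure
    return $sent
}

# Constructed sample: five failures within a minute, a sixth three minutes later, then silence.
$base   = [datetime]'2024-01-01T10:00:00'
$sample = 0, 10, 20, 30, 40 | ForEach-Object { $base.AddSeconds($_) }
$sample += $base.AddMinutes(3)
Get-BruteForceNotifications -FailureTimes $sample | Format-Table -AutoSize
```

Feed it the timestamps of real failed-logon events to see when the Agent would be expected to report, and compare that with the Firewall Alerts view.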