This is the module that allows you to control the Windows Firewall from the Heimdal Management Portal.
Enable Firewall Management - this option allows you to enable the management of the Windows Firewall. If this option is turned OFF, the Windows Firewall itself remains ON: we do not enable or disable the Windows Firewall.
Use automatic rules - if this option is enabled, you can select the profiles you want to enable and, for each profile, the Incoming / Outgoing connections. The Incoming / Outgoing connections can only be selected once the corresponding profile is enabled.
Allow isolation - when this option is enabled, the user is able to isolate an endpoint (or not). If the endpoint is isolated, all its external connections are rerouted through the Heimdal Security systems.
Once the option is enabled, a machine can be isolated from the Active Clients view by selecting the machine you want to isolate and pressing the ISOLATE button.
Block RDP port on brute force detection - when this option is enabled and an audit breach (brute force attempt) is detected, the RDP port (3389) is blocked for both TCP and UDP. In the Active Clients view, an icon is displayed in the status column if the RDP port is blocked and the workstation is not isolated. Selecting one or more workstations displays the Unblock RDP port button, which unblocks the RDP port for those clients.
Add new rule - this option allows you to add / edit / remove rules. The actions take effect after you click Save / Update policy. The name of the rule needs to be unique. The protocol on which a rule was created is appended to its name. Example: in the dashboard we add a rule “Block sql server port”; on the client machine the rule is named “Block sql server port-TCP” for the TCP protocol and “Block sql server port-UDP” for the UDP protocol. This is needed to keep the naming clear, since a single rule cannot contain both protocols: when the BOTH option is selected in the dashboard, two rules are added.
You can also unisolate active clients (if they were isolated before). If the Agent has not yet processed the isolate / unisolate request for the client, the action can be cancelled.
On the machine, when the isolate message is received, the firewall disables all existing rules whose name does not contain “Heimdal” and creates allow rules for the following Heimdal executables: clienthost, antivirus, firewall, mailsentry, mailsentrymonitor. With those allowed, the main rule, called “HeimdalIsolate”, is added to block all ports for either inbound or outbound traffic. From that point on, only those applications are able to communicate through the firewall.
Information about the Firewall can be found in the left menu of the dashboard by clicking Next-gen Antivirus & Firewall.
Here you have two views: Firewall Collection and Firewall Logs.
In the Firewall Collection view, you can see all the new rules that Windows creates in the Firewall. After we find an app that has a new rule, we send it to the dashboard if it has no rule set in the group policy.
In the Firewall Logs view, you can see all the unwanted connections.
If an invalid password event is detected and it occurs more than 5 times, we wait 5 minutes (the time in which we wait to see whether more invalid tries arrive). If there are no invalid password attempts in those 5 minutes, the Agent sends the Dashboard the log containing the 5 invalid attempts. If one or more invalid attempts arrive during the 5 minutes we have to wait, the delay starts again (this is repeated for every attempt, as long as no more than 20 minutes have passed between the first and the last occurrence of an invalid password). After the Agent sends the notification to the Dashboard, the timer and the list of invalid attempts are reset.
Remote IPs (list of the IP addresses that tried to log into the computer)
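The aggregation described above, as an added Python simulation that is not Heimdal's Agent code: it takes the thresholds exactly as the text states them (arm after more than 5 attempts, a 5-minute quiet period, a 20-minute cap on restarting the delay), reads the cap as "stop restarting the delay and let the pending one fire", and feeds it constructed timestamps and documentation-range IP addresses.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Thresholds as stated in the text (assumed; the Agent's real values are not documented here)
THRESHOLD = 5          # arm the timer once the attempt count exceeds 5
QUIET_PERIOD = 5 * 60  # seconds with no new attempt before the log is sent
MAX_WINDOW = 20 * 60   # first-to-last span after which the delay is no longer restarted

Attempt = Tuple[float, str]  # (timestamp in seconds, remote IP)


@dataclass
class Report:
    attempts: List[Attempt]   # every attempt aggregated into this log entry
    remote_ips: List[str]     # distinct IPs, the "Remote IPs" field of the log


@dataclass
class BruteForceAggregator:
    attempts: List[Attempt] = field(default_factory=list)
    deadline: Optional[float] = None  # when the quiet period expires, once armed

    def record_attempt(self, ts: float, remote_ip: str) -> None:
        """Register one invalid-password event observed at time ts."""
        self.attempts.append((ts, remote_ip))
        if len(self.attempts) <= THRESHOLD:
            return                         # not yet more than 5: keep collecting
        first_ts = self.attempts[0][0]
        if self.deadline is not None and ts - first_ts > MAX_WINDOW:
            return                         # 20-minute cap reached: keep the pending deadline
        self.deadline = ts + QUIET_PERIOD  # (re)start the 5-minute wait

    def poll(self, now: float) -> Optional[Report]:
        """Called periodically; returns the log entry once the wait has elapsed."""
        if self.deadline is None or now < self.deadline:
            return None
        report = Report(attempts=list(self.attempts),
                        remote_ips=sorted({ip for _, ip in self.attempts}))
        self.attempts.clear()   # reset the list ...
        self.deadline = None    # ... and the timer, as the text describes
        return report
```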