Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products

How to Use VMware Carbon Black Cloud Host-Based Firewall

Summary: VMware Carbon Black Host-Based Firewall is used by configuring firewall rules.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions


Affected Products:

  • VMware Carbon Black Cloud Standard
  • VMware Carbon Black Cloud Advanced
  • VMware Carbon Black Cloud Enterprise

Affected Versions:

  • Windows Sensor 3.9 or higher

Affected Operating Systems:

  • Windows

Note: For more information about VMware Carbon Black Cloud versions, reference What are the Differences Between VMware Carbon Black Cloud Versions.

Host-Based Firewall Rules

A firewall rule is composed of an action and an object. Available actions are:

  • Allow: Allows the network traffic
  • Block: Blocks the network traffic
  • Block and Alert: Blocks the network traffic and sends an alert to the Alerts page

Firewall rules are based on evaluation of the following types of objects:

  • Local (client computer)
  • Remote (computer that communicates with the client computer)
Note: The local host is always the sensor-installed client computer. The remote host is any computer or device with which it communicates. This expression of the host relationship is independent of the direction of traffic.
  • IP address and subnet ranges
  • Port or port ranges
  • Protocol (TCP, UDP, ICMP)
  • Direction (inbound and outbound)
  • Application, determined by file path

Firewall rules can be combined into what is called a firewall rule group. A firewall rule group is a logical set of firewall rules that simplifies the management of multiple individual rules into a single group that have a shared purpose (for example, multiple rules to control access to FTP servers).

Rule groups and rules are defined in policies, and policies are assigned to assets.

Rule Precedence

When creating and applying rules, keep in mind the following order of precedence:

  • Bypass rules take precedence over all other rules. Because of this, Host-based Firewall rules have lower precedence than Bypass rules.
  • Host-based Firewall rules have higher precedence than Permissions rules that are set to Allow or Allow & Log.
Note: A process-level permission Bypass rule does not only bypass the process specified by the rule, but also bypasses any of its Child Processes.

Existing sensor conditions can impact the enforcement of rules. For example, the sensor can be in bypass mode or quarantine, or applications can be blocked. Carbon Black Cloud Host-based Firewall maintains the intended action of the rule as specified by the user, although the rule can take a different actual action when it is enforced based on the sensor condition.

For example:

Sensor Mode Intended Host-Based Firewall Action Intended Permission or Blocking and Isolation Rule Actual Action Summary
Quarantine Any Any Block Quarantine block rules override Host-based Firewall rules and permission.
Bypass Any Any Allow Because the sensor is in bypass mode, the Host-based Firewall rule is ineffective.
Active Any Process Level Bypass Allow Bypassed processes and their descendants are not blocked by Host-based Firewall rules.
Active Block Allow, Allow & Log Block Host-based Firewall rules take precedence over non-bypass permission rules.
Active Allow Block Block Host-based Firewall allowing a connection does not prevent a Communicates over the Network Blocking and Isolation rule from being enforced.

Using Carbon Black Cloud Host-Based Firewall

This section provides a high-level overview of how to create and run firewall rules.

  1. Select a policy to which to add firewall rules.
  2. Set the default rule (Allow all or Block all).
  3. Create a rule group and populate it with firewall rules.
  4. View, create, and modify rule groups and rules as necessary.
  5. Switch Host-based Firewall to Enabled on the Sensor tab.
  6. Test the rules.
Note: You can only test a rule when its Status is set to Disabled.
  1. Review the rules outcome. Test rule data displays on the Investigate page.
  2. Modify rules as necessary and retest until the rules perform as expected.
  3. Stop testing rules that are verified to perform as expected and set their Status to Enabled.
  4. If you have disabled it during modifications, switch Host-based Firewall to Enabled on the Sensor tab.
  5. View firewall-related events and alerts on the Investigate and Alerts pages, respectively.
  6. Continue to modify rules as necessary. Association of ordered (ranked) rule groups to security policies; rule groups can be reused across security policies.
    • Rules are evaluated in order of user-defined precedence.
    • Ability to test rules before enforcement.
    • Count of behaviors blocked by Host-based Firewall policy.
    • Visibility into security posture of assets through the Alerts and Investigate pages in the Carbon Black Cloud console.
Note: The Carbon Black Cloud Host-based Firewall add-on requires the Windows sensor v3.9 and higher.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

VMware Carbon Black
Article Properties
Article Number: 000214381
Article Type: How To
Last Modified: 31 May 2023
Version:  2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.