Protocols (Regular Profile) : Managing Basic IP Firewall : Firewall Management Tasks : Defining firewall rules
  
Defining firewall rules
When defining firewall rules, consider the following:
When the Allow and Deny rules are applied in conjunction, all Allow rules override the Deny rules for both incoming and outgoing traffic.
Protocol permissions take precedence over firewall rules, except for rules with the Override Protocols Permissions option enabled, which block access regardless of those permissions.
 
Important: Rules with the Override Protocols Permissions option enabled do not block access allowed by Protocols White List rules for the protocols Any and/or SSL. They also do not block access via protocols not recognized in NetworkLock, provided that access is allowed by other firewall rules.
Some applications, for example, Windows built-in applications (such as Remote Desktop) use system processes to transfer data. To block such applications, you must create and apply a firewall rule to the account that is used by the application’s data transfer process.
When users try to establish a connection to which they are denied access, they receive a Basic IP Firewall blocked message, if Basic IP Firewall blocked message is enabled in Service Options. For details on this message, see the Basic IP Firewall blocked message parameter description in Service Options.
The communication between DeviceLock Service and DeviceLock Enterprise Server as well as between DeviceLock Service and DeviceLock Management Console is always allowed, regardless of firewall settings.
The administrator can enable alerts to be sent upon triggering a particular firewall rule. Alerts are enabled when defining the rule.
DeviceLock sends alerts on the basis of alert settings. These settings specify where and how the alerts should be sent. Before enabling alerts for a firewall rule, DeviceLock Service alert settings must be configured (see Alerts).
To define a firewall rule
1. If using DeviceLock Management Console, do the following:
a) Open DeviceLock Management Console and connect it to the computer running DeviceLock Service.
b) In the console tree, expand DeviceLock Service.
If using DeviceLock Service Settings Editor, do the following:
a) Open DeviceLock Service Settings Editor.
b) In the console tree, expand DeviceLock Service.
If using DeviceLock Group Policy Manager, do the following:
a) Open Group Policy Object Editor.
b) In the console tree, expand Computer Configuration, and then expand DeviceLock.
2. Expand Protocols.
3. Under Protocols, do one of the following:
Right-click Basic IP Firewall, and then click Manage.
- OR -
Select Basic IP Firewall, and then click Manage on the toolbar.
The Basic IP Firewall dialog box appears.
4. In the left pane of the Basic IP Firewall dialog box, under Users, click Add.
The Select Users or Groups dialog box appears.
5. In the Select Users or Groups dialog box, in the Enter the object names to select box, type the names of the users or groups for which you want to define the firewall rule, and then click OK.
The users and groups that you added are displayed under Users in the left pane of the Basic IP Firewall dialog box.
To delete a user or group, in the left pane of the Basic IP Firewall dialog box, under Users, select the user or group, and then click Delete.
6. In the left pane of the Basic IP Firewall dialog box, under Users, select the user or group.
You can select multiple users or groups by holding down the SHIFT key or the CTRL key while clicking them.
7. In the right pane of the Basic IP Firewall dialog box, under Rules, click Add.
The Add Rule dialog box appears.
8. In the Add Rule dialog box, specify the firewall rule parameters:
To specify the rule name, in the Name box, type a name.
To block access to the hosts specified by the Hosts setting, select the Override Protocols Permissions check box. For more information, see the Override Protocols Permissions parameter description.
To specify the protocol, under Protocol, select the check box next to the protocol of your choice. For more information, see the Protocol parameter description.
To specify what actions the firewall takes for all connections that match the rule’s criteria, under Type, click either of the following options: Allow or Deny. For more information, see the Type parameter description.
To specify the direction of traffic to which the rule applies, under Direction, select the appropriate check box. For more information, see the Direction parameter description.
To specify additional actions to be performed when the rule triggers, under If this rule triggers, select the appropriate check box. For more information, see the If this rule triggers parameter description.
To specify the remote hosts to which the rule applies, in the Hosts box, type host names or IP addresses separated by a comma or semicolon. For more information, see the Hosts parameter description.
To specify the ports on remote hosts to which the rule applies, in the Ports box, type port numbers separated by a comma or semicolon. For more information, see the Ports parameter description.
9. Click OK.
The rule you created is displayed under Rules in the right pane of the Basic IP Firewall dialog box.
10. Click OK or Apply.
The users or groups to which the firewall rule applies are displayed under Basic IP Firewall in the console tree.
When you select a user or group to which a firewall rule applies in the console tree, in the details pane you can view detailed information regarding this rule (see Firewall Rules for details).