The firewall exception template contains policy exceptions that you can configure to allow or block different kinds of network traffic based on the client computer's port number(s) and IP address(es). After creating a policy exception, edit the policies to which the policy exception applies.
Decide which type of policy exception you want to use. There are two types:

Restrictive: Blocks only the specified types of network traffic and applies to policies that allow all network traffic. An example use of a restrictive policy exception is to block client ports vulnerable to attack, such as ports that Trojans often use.

Permissive: Allows only the specified types of network traffic and applies to policies that block all network traffic. For example, you may want to permit clients to access only the OfficeScan server and a web server. To do this, allow traffic on the trusted port (the port used to communicate with the OfficeScan server) and on the port the client uses for HTTP communication.

The port numbers appear in the web console at the following locations:

Client listening port: Networked Computers > Client Management > Status. The port number is under Basic Information.
Server listening port: Administration > Connection Settings. The port number is under Connection Settings for Networked Computers.
OfficeScan comes with a set of default firewall policy exceptions, which you can modify or delete.
Default Firewall Policy Exceptions

| Exception Name | Action | Protocol | Port | Direction |
|---|---|---|---|---|
| DNS | Allow | TCP/UDP | 53 | Incoming and outgoing |
| NetBIOS | Allow | TCP/UDP | 137, 138, 139, 445 | Incoming and outgoing |
| HTTPS | Allow | TCP | 443 | Incoming and outgoing |
| HTTP | Allow | TCP | 80 | Incoming and outgoing |
| Telnet | Allow | TCP | 23 | Incoming and outgoing |
| SMTP | Allow | TCP | 25 | Incoming and outgoing |
| FTP | Allow | TCP | 21 | Incoming and outgoing |
| POP3 | Allow | TCP | 110 | Incoming and outgoing |
| LDAP | Allow | TCP/UDP | 389 | Incoming and outgoing |
Default exceptions apply to all clients. If you want a default exception to apply only to certain clients, edit the exception and specify the IP addresses of the clients.
The LDAP exception is not available if you upgrade from a previous OfficeScan version. Manually add this exception if you do not see it on the exception list.
To add a policy exception:

1. Networked Computers > Firewall > Policies
2. Click Edit Exception Template.
3. Click Add.
4. Type a name for the policy exception.
5. Select the type of application. You can select all applications, or specify an application path or registry keys. Verify the name and full paths entered. Application exceptions do not support wildcards.
6. Select the action OfficeScan will perform on network traffic (block or allow traffic that meets the exception criteria) and the traffic direction (inbound or outbound network traffic on the client computer).
7. Select the type of network protocol: TCP, UDP, ICMP, or ICMPv6.
8. Specify the ports on the client computer on which to perform the action.
9. Select the client computer IP addresses to include in the exception. For example, if you chose to deny all network traffic (inbound and outbound) and typed the IP address of a single computer on the network, then any client that has this exception in its policy will not be able to send data to or receive data from that IP address. Choose from the following options:
   - All IP addresses: Includes all IP addresses.
   - Single IP address: Type an IPv4 or IPv6 address, or a host name.
   - Range (for IPv4 or IPv6): Type an IPv4 or IPv6 address range.
   - Range (for IPv6): Type an IPv6 address prefix and length.
   - Subnet mask: Type an IPv4 address and its subnet mask.
10. Click Save.
To edit a policy exception:

1. Networked Computers > Firewall > Policies
2. Click Edit Exception Template.
3. Click a policy exception.
4. Modify the following:
   - Policy exception name
   - Application type, name, or path
   - Action OfficeScan will perform on network traffic and the traffic direction
   - Type of network protocol
   - Port numbers for the policy exception
   - Client computer IP addresses
5. Click Save.
To delete an entry:

1. Networked Computers > Firewall > Policies
2. Click Edit Exception Template.
3. Select the check box(es) next to the exception(s) to delete.
4. Click Delete.
To change the order of exceptions in the list:

1. Networked Computers > Firewall > Policies
2. Click Edit Exception Template.
3. Select the check box next to the exception to move.
4. Click an arrow to move the exception up or down the list. The ID number of the exception changes to reflect the new position.
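The restrictive and permissive exception types, the five IP address scope options, and the ordering of exceptions all come together when a client decides what to do with a packet. The following Python model is an added example and is not OfficeScan code; it assumes first-match evaluation in list order (the page states that order matters but not the exact rule), that an empty port tuple means any port, and that host names have already been resolved to IP literals. The nine default exceptions are taken from the table above; the OfficeScan server address 192.0.2.10, trusted port 8080, and the 198.51.100.0/24 lab subnet are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

BOTH = ("incoming", "outgoing")


@dataclass
class PolicyException:
    """One entry of the exception template (model type, not OfficeScan's own)."""
    name: str
    action: str            # "allow" or "block"
    protocols: tuple       # e.g. ("TCP", "UDP"); "ICMP" and "ICMPv6" are also valid
    ports: tuple           # ports on the client computer; () = any port (assumption)
    directions: tuple      # ("incoming",), ("outgoing",) or BOTH
    scope: str = "all"     # "all", "single", "range", "prefix" or "subnet"
    value: str = ""        # scope argument, interpreted by ip_matches()


def ip_matches(exc, remote_ip):
    """True if remote_ip falls inside the exception's IP scope.
    Host names (accepted by the console for 'single') are assumed resolved
    beforehand; this model takes IP literals only."""
    ip = ipaddress.ip_address(remote_ip)
    if exc.scope == "all":
        return True
    if exc.scope == "single":
        return ip == ipaddress.ip_address(exc.value)
    if exc.scope == "range":                      # "first-last", IPv4 or IPv6
        first, last = (ipaddress.ip_address(s.strip()) for s in exc.value.split("-"))
        return ip.version == first.version and first <= ip <= last
    if exc.scope in ("prefix", "subnet"):         # "2001:db8::/32" or "10.0.0.0/255.255.255.0"
        return ip in ipaddress.ip_network(exc.value, strict=False)
    raise ValueError(f"unknown scope {exc.scope!r}")


def evaluate(template, policy_default, protocol, port, direction, remote_ip):
    """First-match evaluation (assumption): the first exception in list order
    that matches decides. policy_default is the policy's own rule: "allow" for
    an allow-all policy (restrictive exceptions) or "block" for a block-all
    policy (permissive exceptions); it applies when nothing matches."""
    for exc in template:
        if (protocol in exc.protocols
                and (not exc.ports or port in exc.ports)
                and direction in exc.directions
                and ip_matches(exc, remote_ip)):
            return exc.action, exc.name
    return policy_default, "policy default"


def allows_any_peer_both_ways(template):
    """Names of allow exceptions scoped to all IP addresses in both directions.
    Default exceptions ship this way; narrowing the IP scope is how the page
    says to limit a default exception to certain clients."""
    return [e.name for e in template
            if e.action == "allow" and e.scope == "all"
            and set(e.directions) == set(BOTH)]


# The default exceptions from the table above.
DEFAULT_EXCEPTIONS = [
    PolicyException("DNS", "allow", ("TCP", "UDP"), (53,), BOTH),
    PolicyException("NetBIOS", "allow", ("TCP", "UDP"), (137, 138, 139, 445), BOTH),
    PolicyException("HTTPS", "allow", ("TCP",), (443,), BOTH),
    PolicyException("HTTP", "allow", ("TCP",), (80,), BOTH),
    PolicyException("Telnet", "allow", ("TCP",), (23,), BOTH),
    PolicyException("SMTP", "allow", ("TCP",), (25,), BOTH),
    PolicyException("FTP", "allow", ("TCP",), (21,), BOTH),
    PolicyException("POP3", "allow", ("TCP",), (110,), BOTH),
    PolicyException("LDAP", "allow", ("TCP", "UDP"), (389,), BOTH),
]

# Constructed permissive template for a block-all policy: only the OfficeScan
# server's trusted port and HTTP are let through (placeholder address/port).
PERMISSIVE = [
    PolicyException("OfficeScan server", "allow", ("TCP",), (8080,), BOTH, "single", "192.0.2.10"),
    PolicyException("HTTP", "allow", ("TCP",), (80,), BOTH),
]

# Constructed restrictive template for an allow-all policy: block inbound
# Telnet from everywhere and all traffic to/from one lab subnet.
RESTRICTIVE = [
    PolicyException("No Telnet", "block", ("TCP",), (23,), ("incoming",)),
    PolicyException("Quarantine lab", "block", ("TCP", "UDP", "ICMP"), (), BOTH,
                    "subnet", "198.51.100.0/255.255.255.0"),
]

# Order demonstration: a narrow block must sit above the broad allow it refines.
BLOCK_ONE_PEER = PolicyException("Block HTTP from one host", "block", ("TCP",), (80,),
                                 ("incoming",), "single", "203.0.113.9")
ALLOW_HTTP = PolicyException("HTTP", "allow", ("TCP",), (80,), BOTH)

if __name__ == "__main__":
    print(evaluate(DEFAULT_EXCEPTIONS, "block", "TCP", 443, "incoming", "203.0.113.5"))
    print(evaluate(PERMISSIVE, "block", "TCP", 8080, "outgoing", "192.0.2.11"))
    print(evaluate(RESTRICTIVE, "allow", "UDP", 5000, "incoming", "198.51.100.77"))
    print(evaluate([BLOCK_ONE_PEER, ALLOW_HTTP], "allow", "TCP", 80, "incoming", "203.0.113.9"))
    print(evaluate([ALLOW_HTTP, BLOCK_ONE_PEER], "allow", "TCP", 80, "incoming", "203.0.113.9"))
    print(allows_any_peer_both_ways(DEFAULT_EXCEPTIONS))
```

Running `allows_any_peer_both_ways(DEFAULT_EXCEPTIONS)` lists all nine default exceptions, which is the table's own statement that they apply to every client in both directions; the two ORDER evaluations show the same pair of exceptions giving opposite answers depending only on which sits higher in the list, which is what the up/down arrows control.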
To save the exception list settings:

1. Networked Computers > Firewall > Policies
2. Click Edit Exception Template.
3. Click one of the following save options:
   - Save Template Changes: Saves the exception template with the current policy exceptions and settings. This option applies the template only to policies created in the future, not to existing policies.
   - Save and Apply to Existing Policies: Saves the exception template with the current policy exceptions and settings. This option applies the template to existing and future policies.