Procedure

1. Go to Agents → Global Agent Settings.
2. On the Security Settings tab, go to the Firewall Settings section and configure the following:

   Setting	Description
   Enable the Apex One Firewall	You must enable the Apex One Firewall on all Security Agents before applying policies and profiles.
   Send firewall logs to the server	You can grant certain Security Agents the privilege to send firewall logs to the Trend Micro Apex One server. Configure the log sending schedule in this section. Only agents with the privilege to send firewall logs use the schedule. See Firewall Privileges for information on firewall privileges available to selected agents.
   Update the Apex One firewall driver only after a system restart	Enable the Security Agent to update the Common Firewall Driver only after the Security Agent endpoint restarts. Enable this option to avoid potential agent endpoint disruptions (such as temporary disconnection from the network) when the Common Firewall Driver updates during agent upgrade.
   Send firewall log information to the Apex One server hourly to determine the possibility of a firewall outbreak	When you enable this option, Security Agents sends firewall log counts once every hour to the Trend Micro Apex One server. For details about firewall logs, see Firewall Logs. Trend Micro Apex One uses log counts and the firewall violation outbreak criteria to determine the possibility of a firewall violation outbreak. Trend Micro Apex One sends email notifications to Trend Micro Apex One administrators in the event of an outbreak.

3. On the System tab, go to the Certified Safe Software Settings section and select Enable the Certified Safe Software Service for Behavior Monitoring, Firewall, and antivirus scans.
   The Certified Safe Software Service queries Trend Micro datacenters to verify the safety of a program detected by Malware Behavior Blocking, Event Monitoring, Firewall, or antivirus scans. Enable Certified Safe Software Service to reduce the likelihood of false positive detections.

   Note Ensure that Security Agents have the correct proxy settings (for details, see Security Agent Proxy Settings) before enabling Certified Safe Software Service. Incorrect proxy settings, along with an intermittent Internet connection, can result in delays or failure to receive a response from Trend Micro datacenters, causing monitored programs to appear unresponsive. In addition, pure IPv6 Security Agents cannot query directly from Trend Micro datacenters. A dual-stack proxy server that can convert IP addresses, such as DeleGate, is required to allow the Security Agents to connect to the Trend Micro datacenters.

4. Click Save.