Working with Firewall Exceptions

The Firewall exception list contains entries you can configure to allow or block different kinds of network traffic based on client port numbers and IP addresses. During an outbreak, the Security Server applies the exceptions to the Trend Micro policies that are automatically deployed to protect your network.

For example, during an outbreak, you may choose to block all client traffic, including the HTTP port (port 80). However, if you still want to grant the blocked clients access to the Internet, you can add the web proxy server to the exception list.

  1. Go to Devices.
  2. Select a desktop or server group.
  3. Click Configure Policy.

    The Configure Policy: <group name> screen appears.

  4. Click Firewall > In Office or Firewall > Out of Office.

    A new screen appears.

  5. Select Enable Firewall.
  6. Select Advanced Mode.
  7. To add an exception:
    1. Click Add.

      A new screen appears.

    2. Type the name for the exception.
    3. Next to Action, click one of the following:
      • Allow all network traffic

      • Deny all network traffic

    4. Next to Direction, click Inbound or Outbound to select the direction of traffic that the exception applies to.
    5. Select the type of network protocol from the Protocol list:
      • All

      • TCP/UDP (default)

      • TCP

      • UDP

      • ICMP

      • ICMPv6

    6. Click one of the following to specify client ports:
      • All ports (default)

      • Range: type a range of ports

      • Specified ports: specify individual ports. Use a comma "," to separate port numbers.

    7. Under Machines, select client IP addresses to include in the exception. For example, if you select Deny all network traffic (Inbound and Outbound) and type the IP address for a client on the network, then any client that has this exception in its policy will not be able to send or receive data to or from that IP address. Click one of the following:
      • All IP addresses (default)

      • Single IP: Type an IPv4 or IPv6 address, or a host name. To resolve the client host name to an IP address, click Resolve.

      • IP range (for IPv4 or IPv6): Type either two IPv4 or two IPv6 addresses in the From and To fields. It is not possible to type an IPv6 address in one field and an IPv4 address in the other field.

      • IP range (for IPv6): Type an IPv6 address prefix and length.

    8. Click Save.
  8. To edit an exception, click Edit and then modify the settings on the screen that appears.
  9. To move an exception up or down the list, select the exception and then click Move Up or Move Down until it is in your preferred position.
  10. To remove an exception, select the exception and then click Remove.
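
A pre-flight check for exceptions that are planned before being typed into the console, written as an added example (it is not Trend Micro code). The dictionary keys, the (low, high) port-range tuple, the 1-65535 port bounds, and the sample proxy address and port are assumptions made for illustration; the allowed actions, directions, protocols and the rule that From and To must share one IP family come from the steps above.

```python
import ipaddress

ACTIONS = {"Allow", "Deny"}
DIRECTIONS = {"Inbound", "Outbound"}
PROTOCOLS = {"All", "TCP/UDP", "TCP", "UDP", "ICMP", "ICMPv6"}

def check_ports(ports):
    """Accept 'all', a (low, high) range tuple, or a comma-separated port string."""
    if ports == "all":
        return
    nums = list(ports) if isinstance(ports, tuple) else [p.strip() for p in ports.split(",")]
    bad = [p for p in nums if not str(p).isdigit() or not 1 <= int(p) <= 65535]
    if bad:
        raise ValueError(f"invalid port(s): {bad}")
    if isinstance(ports, tuple) and int(ports[0]) > int(ports[1]):
        raise ValueError("port range start is higher than end")

def check_machines(kind, value=None):
    """Validate the Machines choice: all, single, range (From/To) or IPv6 prefix."""
    if kind == "single":      # IP address or host name; only emptiness is checked offline
        if not str(value or "").strip():
            raise ValueError("single IP/host name is empty")
    elif kind == "range":     # From and To must belong to the same IP family
        start, end = (ipaddress.ip_address(v) for v in value)
        if start.version != end.version:
            raise ValueError("From and To mix IPv4 and IPv6")
    elif kind == "prefix":    # IPv6 prefix and length; raises if not valid IPv6
        ipaddress.IPv6Network(f"{value[0]}/{value[1]}", strict=False)
    elif kind != "all":
        raise ValueError(f"unknown machines kind: {kind}")

def check_exception(exc):
    """Return a list of problems in one planned exception (empty list means OK)."""
    problems = []
    if not exc.get("name", "").strip():
        problems.append("name is empty")
    for field, allowed in (("action", ACTIONS), ("direction", DIRECTIONS), ("protocol", PROTOCOLS)):
        if exc.get(field) not in allowed:
            problems.append(f"{field}: {exc.get(field)!r} is not one of {sorted(allowed)}")
    for check, args in ((check_ports, (exc.get("ports", "all"),)),
                        (check_machines, exc.get("machines", ("all",)))):
        try:
            check(*args)
        except ValueError as err:
            problems.append(str(err))
    return problems

# Constructed sample: the web proxy exception from the outbreak scenario above.
PROXY_EXCEPTION = {"name": "Web proxy", "action": "Allow", "direction": "Outbound",
                   "protocol": "TCP", "ports": "8080", "machines": ("single", "192.0.2.10")}
```

Run check_exception over every planned entry and resolve each reported problem before opening the Add screen.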