Control Windows Firewall

When the Enable automatic rule settings on plug-in assignment option is used, a Windows Firewall outbound rule is created from the permission object information of the enforcement policy to which the node belongs.
Additional Windows Firewall restrictions can be configured in the Agent Plugin settings.

Configure Network Control Options

  1. Notification : Shows a pop-up to the user when the automatic rule is set.

  2. Message : The text of the pop-up message shown when the automatic rule is set.

  3. Custom Rule : Define Windows Firewall rules yourself, in addition to the automatic rule.

  4. Using FailSafe : Stops the plug-in (and its firewall rules) if the agent cannot connect to the Policy Server, so an unreachable server does not leave the node locked down.

Add Agent Action to a Policy

  1. Go to Policy in the top panel.

  2. Go to Policy > Node Policy > Agent Action in the left Policy panel.

  3. Find and click Control Windows Firewall in the Agent Action Window.

  4. Add Conditions and Agent Actions.

  5. Go to Policy > Node Policy in the left Policy panel.

  6. Find and Click the Node policy to configure the network blocking policy.

  7. Find Agent Action section. Click Assign.

  8. Locate Control Windows Firewall and move it to the Selected column.

  9. Click Add.

  10. Click Apply in the top right. Click Close.

Configure Network Blocking Policies in Enforcement Policy

Step 1. Create Agent Action For Enforcement Policy

  1. Go to Policy in the top panel.

  2. Go to Enforcement Policy > Agent Action in the left panel.

  3. Go to Tasks > Create.

Under General
  1. For ID, type a unique name.

  2. For Description, type a brief description of what this agent action is for.

  3. Find Agent Action section and configure the following options:

    • OS Type (Windows)

    • Condition (Set the operating conditions)

    • Plugin (Network Control)

    • Settings (Set user notifications and custom rules)

    • Language

    • OS Edition

  4. Click Create

  5. Click Apply in top right corner.

Note

Adding the agent action to an enforcement policy is optional; the agent action is not required for the enforcement policy to work.

Step 2. Create Enforcement Policy

  1. Go to Policy in the top panel.

  2. Go to Policy > Enforcement Policy in the left Policy panel.

  3. Click Tasks > Create.

  4. On the Action tab, click Next.

  5. On the General tab, create an ID and enter a brief Description to identify what the policy does (Priority stays at its default; Status should be Enabled). Click Next.

  6. On the Node Group tab, select the Node Group that was created, move it to the Selected section and click Next.

  7. On the Permission tab, select the permission under Available Permission, move it to Selected and click Next.

  8. The Redirection Action tab is optional and sets the CWP and Switch Block options. Click Next.

  9. The Agent Action tab is optional and adds an Agent Action. Click Finish.

Internet Kill Switch

This feature automatically blocks general internet traffic on the endpoint when the VPN tunnel is abnormal or disconnected, preventing data/IP leaks.

  • Ensures forced VPN connection when used with the Always-On option of the ZTNA Connection Manager action.

For instructions on using the ZTNA Connection Manager, refer to the ZTNA-Client document.

Configuration Method

Assign the minimum policy required to connect to the VPN. When the Internet Kill Switch setting is On, all outbound internet traffic is blocked by default and only traffic matched by an explicit allow rule passes (whitelist mode), so any rule missing from the policy means the VPN itself cannot be established.

  1. Go to Policy in the top menu.

  2. Go to Policy > Node Policy in the left policy menu.

  3. Click the Node Policy to which you want to apply the Internet Kill Switch.

  4. In the Agent Action section, assign the Control Windows Firewall node action.

  5. Enable the Internet Kill Switch option.

When using ZTNA-Client, assign the minimum policy as follows.

Direction   Program   Local IP   Remote IP                   Protocol
Outbound    Any       Any        ZTNA Gateway IP or Domain   TCP, Local Port: Any, Remote Port: 1194
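The following script is an added example and not Genian NAC code: it builds the same whitelist the table above describes (and the kind of rule the Custom Rule setting lets you add by hand) directly in Windows Firewall with PowerShell, so the effect of the kill switch can be reproduced and checked on a test machine before the policy is rolled out. The gateway address 203.0.113.10, the resolver 192.0.2.53 and the rule group name are assumed values; replace them with your own. Run it in an elevated PowerShell session.

```powershell
# Added example (not Genian NAC's own code): Windows Firewall equivalent of the
# minimum Internet Kill Switch policy. Hypothetical values below are assumptions.
$GatewayHost = '203.0.113.10'   # ZTNA Gateway IP or domain (assumed)
$DnsServer   = '192.0.2.53'     # resolver the endpoint uses (assumed)
$RuleGroup   = 'NAC Kill Switch Example'

# Windows Firewall matches on addresses, not names: a domain must be resolved first.
$GatewayIps = if ($GatewayHost -as [ipaddress]) { @($GatewayHost) }
              else { (Resolve-DnsName -Name $GatewayHost -Type A -DnsOnly).IPAddress }

# Remove any earlier copy of these rules so the script can be re-run safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# The table row: Outbound / Any program / Any local IP / gateway / TCP, remote port 1194.
New-NetFirewallRule -DisplayName 'Allow ZTNA gateway (TCP 1194)' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Profile Any -Program Any `
    -Protocol TCP -LocalPort Any -RemotePort 1194 -RemoteAddress $GatewayIps | Out-Null

# Caveat: once outbound traffic is denied by default, name resolution is denied too.
# If the gateway is given as a domain, DNS to the resolver must be allowed as well.
New-NetFirewallRule -DisplayName 'Allow DNS to resolver (UDP 53)' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Profile Any `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServer | Out-Null

# The kill switch itself: every outbound connection without a matching Allow rule is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultOutboundAction Block

# Checks: default action is Block, the allow rules exist and are enabled, gateway port is reachable.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -Group $RuleGroup | Select-Object DisplayName, Enabled, Action
Test-NetConnection -ComputerName $GatewayIps[0] -Port 1194 | Select-Object TcpTestSucceeded

# Roll back while testing:
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
# Get-NetFirewallRule -Group $RuleGroup | Remove-NetFirewallRule
```

The Test-NetConnection line should report TcpTestSucceeded as True for the gateway while a connection to any other host fails; if the gateway check fails with a domain name, the DNS allow rule (or the resolver address) is usually what is missing. The agent's own traffic to the Policy Server is not covered by this minimal set, which is exactly the situation the Using FailSafe option guards against.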