.. _windows-firewall:

Control Windows Firewall
========================

| When you use the **Enable automatic rule settings on plug-in assignment** option,
| a **Windows Firewall outbound rule is set** with the **permission object information of the enforcement policy** to which the node belongs.
| Additional Windows Firewall restrictions can be configured in the Agent Plugin settings.

Configure Network Control Options
---------------------------------

#. **Notification** : Shows the user a pop-up when automatic rules are set up.
#. **Message** : Enter the contents of the pop-up message shown when the automatic rule is set up.
#. **Custom Rule** : Set Windows Firewall rules yourself.
#. **Using FailSafe** : Stop the plug-in if it cannot connect to the Policy Server.

Add Agent Action to a Policy
----------------------------

#. Go to **Policy** in the top panel.
#. Go to **Policy > Node Policy > Agent Action** in the left Policy panel.
#. Find and click **Control Windows Firewall** in the Agent Action window.
#. Add **Conditions** and **Agent Actions**.
#. Go to **Policy > Node Policy** in the left Policy panel.
#. Find and click the **Node policy** to configure the network blocking policy.
#. Find the **Agent Action** section. Click **Assign**.
#. Locate **Control Windows Firewall** and move it to the **Selected** column.
#. Click **Add**.
#. Click **Apply** in the top right. Click **Close**.

Configure Network Blocking Policies in Enforcement Policy
---------------------------------------------------------

**Step 1. Create Agent Action For Enforcement Policy**

#. Go to **Policy** in the top panel.
#. Go to **Enforcement Policy > Agent Action** in the left panel.
#. Go to **Tasks > Create**.

| Under **General**

#. For **ID**, type a unique name.
#. For **Description**, type a description (*Brief description of what this Node Group is for*).
#. Find the **Agent Action** section and configure the following options:

   - **OS Type** (*Windows*)
   - **Condition** (*Set the operating conditions*)
   - **Plugin** (*Network Control*)
   - **Settings** (*Set user notifications and custom rules*)
   - **Language**
   - **OS Edition**

#. Click **Create**.
#. Click **Apply** in the top right corner.

.. note:: Using the agent action in an enforcement policy is optional and not actually required.

**Step 2. Create Enforcement Policy**

#. Go to **Policy** in the top panel.
#. Go to **Policy > Enforcement Policy** in the left Policy panel.
#. Click **Tasks > Create**.
#. On the **Action** tab, click **Next**.
#. On the **General** tab, create an **ID** and enter a brief **Description** to identify what the Policy does (*Priority stays as default. Status should be Enabled*). Click **Next**.
#. On the **Node Group** tab, select the **Node Group** that was created, move it to the **Selected** section and click **Next**.
#. On the **Permission** tab, select an **Available Permission**, move it to **Selected** and click **Next**.
#. On the **Redirection Action** tab, setting **CWP** and **Switch Block options** is optional. Click **Next**.
#. On the **Agent Action** tab, adding an **Agent Action** is **optional**. Click **Finish**.

Internet Kill Switch
--------------------

This feature automatically blocks general internet traffic on the endpoint when the VPN tunnel is abnormal or disconnected, preventing data/IP leaks.

- Ensures forced VPN connection when used with the Always-On option of the ZTNA Connection Manager action.
  For instructions on using the ZTNA Connection Manager, refer to the :doc:`../system/ztna_client` document.

Configuration Method
~~~~~~~~~~~~~~~~~~~~

Assign the minimum policy required to connect to the VPN. When the Internet Kill Switch setting is On, all internet traffic is blocked, and the firewall operates in whitelist mode.

1. Go to **Policy** in the top menu.
2. Go to **Policy > Node Policy** in the left policy menu.
3. Click the Node Policy to which you want to apply the Internet Kill Switch.
4. In the **Agent Action** section, assign the **Control Windows Firewall** node action.
5. Enable the **Internet Kill Switch** option.

When using ZTNA-Client, assign the minimum policy as follows.

.. list-table::
   :header-rows: 1
   :widths: 7 7 7 16 20

   * - Direction
     - Program
     - Local IP
     - Remote IP
     - Protocol
   * - Outbound
     - Any
     - Any
     - ZTNA Gateway IP or Domain
     - TCP, Local Port: Any, Remote Port: 1194
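
To confirm on an endpoint that the minimum policy above is what is actually in effect, the following read-only PowerShell audit can be run from an elevated prompt. It is an added example, not part of the product or its documentation: it reports each firewall profile's default outbound action and flags enabled outbound allow rules that do not match the table (TCP, remote port 1194, gateway address). The gateway address ``192.0.2.10`` is a placeholder, the gateway is assumed to be specified by IP, and no assumption is made about how the plug-in names or stores its rules.

```powershell
# Added example: read-only audit of the effective outbound Windows Firewall policy.
# $GatewayIp is a placeholder (documentation range); set it to your ZTNA Gateway IP.
param(
    [string]$GatewayIp = '192.0.2.10',
    [string]$VpnPort   = '1194'
)

# 1. Effective default outbound action for each profile (ActiveStore = merged policy).
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Every enabled outbound Allow rule, with its port and address filters.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore `
            -Direction Outbound -Action Allow -Enabled True

$report = foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter

    # Exact string match only: port ranges and subnets are reported as non-matching
    # so that they get reviewed by hand.
    $matches = ($port.Protocol -eq 'TCP') -and
               (@($port.RemotePort)    -contains $VpnPort) -and
               (@($addr.RemoteAddress) -contains $GatewayIp)

    [pscustomobject]@{
        Rule                 = $rule.DisplayName
        Protocol             = $port.Protocol
        RemotePort           = @($port.RemotePort) -join ','
        RemoteAddress        = @($addr.RemoteAddress) -join ','
        MatchesMinimumPolicy = $matches
    }
}

# 3. Rules outside the minimum policy are listed first for review.
$report | Sort-Object MatchesMinimumPolicy, Rule | Format-Table -AutoSize -Wrap

$extra = @($report | Where-Object { -not $_.MatchesMinimumPolicy })
$vpn   = @($report | Where-Object { $_.MatchesMinimumPolicy })
Write-Output ("Allow rules matching the minimum policy: {0}" -f $vpn.Count)
Write-Output ("Other enabled outbound allow rules:      {0}" -f $extra.Count)
```

A profile that still reports ``Allow`` as its default outbound action, or a long list of other enabled outbound allow rules, is worth comparing against the node's assigned policy before relying on the kill switch.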