
Firewall Profile

The Firewall Profile allows administrators to configure native Windows Firewall profiles and deploy them to Windows desktop devices. With the Firewall Profile feature, administrators can define specific firewall settings, such as inbound and outbound rules, port configurations, and application permissions.

To configure Firewall policy on Windows desktop devices, follow these steps:

  1. On the SureMDM Web Console, navigate to Profiles > Windows > Add > Firewall Profile > Configure.

  2. Enter a Profile Name.

  3. Configure the settings under the following options and click Save.

Global Settings:

  • File Transfer Protocol: Blocks stateful File Transfer Protocol (FTP).

  • Security association idle time before deletion: Security associations are deleted after no network traffic has been seen for this number of seconds (300-3600).

  • Pre-Shared Key Encoding: Encode pre-shared keys using UTF-8.

  • IPsec Exemptions: Configure specific traffic to be exempted from IPsec. When not set, no exemptions apply.

  • Certificate Revocation List Verification: Set a value for how certificate revocation list (CRL) verification is enforced.

  • Opportunistically Match Authentication Set Per Key Module: Set keying modules to ignore the entire authentication set if they do not support all authentication suites in that set. If enabled, keying modules will ignore unsupported authentication suites.

  • Packet Queuing: Specify whether receive-side software scaling is enabled for encrypted receive and clear-text forward in the IPsec tunnel gateway scenario. This ensures that packet order is preserved.

Domain (Workplace) Network:

  • Microsoft Defender Firewall: If this setting is not enabled, no network traffic will be blocked regardless of other policy settings.

  • Stealth Mode: If not configured, the server operates in stealth mode. Firewall rules used to enforce stealth mode are specific to your implementation.

  • IPsec secured packet exemption with Stealth Mode: If enabled, the firewall's stealth mode MUST NOT prevent the host computer from responding to unsolicited network traffic that is secured by IPsec. This option is ignored if stealth mode is blocked.

  • Shielded: If this setting and the firewall setting are both enabled, all incoming traffic will be blocked.

  • Unicast responses to multicast broadcasts: This setting blocks all unicast responses to multicast broadcast traffic.

  • Inbound notifications: Block notifications from displaying to users when an application is blocked from listening on a port.

  • Default action for outbound connections: Configure the default action the firewall performs on outbound connections. This setting applies to Windows version 1809 and above.

  • Default action for inbound connections: Configure the default action firewall performs on inbound connections.

    Rule merging

  • Authorized application Microsoft Defender Firewall rules from the local store: Apply authorized application firewall rules in the local store to be recognized and enforced.

  • Global port Microsoft Defender Firewall rules from the local store: Apply global port firewall rules in the local store to be recognized and enforced.

  • Microsoft Defender Firewall rules from the local store: Apply global firewall rules from the local store to be recognized and enforced.

  • IPsec rules from the local store: Apply connection security rules from the local store, regardless of schema or connection security rule versions.

Private (Discoverable) Network:

  • Microsoft Defender Firewall: If this setting is not enabled, no network traffic will be blocked regardless of other policy settings.

  • Stealth Mode: If not configured, the server operates in stealth mode. Firewall rules used to enforce stealth mode are specific to your implementation.

  • IPsec secured packet exemption with Stealth Mode: If enabled, the firewall's stealth mode MUST NOT prevent the host computer from responding to unsolicited network traffic that is secured by IPsec. This option is ignored if stealth mode is blocked.

  • Shielded: If this setting and the firewall setting are both enabled, all incoming traffic will be blocked.

  • Unicast responses to multicast broadcasts: This setting blocks all unicast responses to multicast broadcast traffic.

  • Inbound notifications: Block notifications from displaying to users when an application is blocked from listening on a port.

  • Default action for outbound connections: Configure the default action the firewall performs on outbound connections. This setting applies to Windows version 1809 and above.

  • Default action for inbound connections: Configure the default action firewall performs on inbound connections.

    Rule merging

  • Authorized application Microsoft Defender Firewall rules from the local store: Apply authorized firewall rules in the local store to be recognized and enforced.

  • Global port Microsoft Defender Firewall rules from the local store: Apply global port firewall rules in the local store to be recognized and enforced.

  • Microsoft Defender Firewall rules from the local store: Apply global firewall rules from the local store to be recognized and enforced.

  • IPsec rules from the local store: Apply connection security rules from the local store, regardless of schema or connection security rule versions.

Public (Non-Discoverable) Network:

  • Microsoft Defender Firewall: If this setting is not enabled, no network traffic will be blocked regardless of other policy settings.

  • Stealth Mode: If not configured, the server operates in stealth mode. Firewall rules used to enforce stealth mode are specific to your implementation.

  • IPsec secured packet exemption with Stealth Mode: If enabled, the firewall's stealth mode MUST NOT prevent the host computer from responding to unsolicited network traffic that is secured by IPsec. This option is ignored if stealth mode is blocked.

  • Shielded: If this setting and the firewall setting are both enabled, all incoming traffic will be blocked.

  • Unicast responses to multicast broadcasts: This setting blocks all unicast responses to multicast broadcast traffic.

  • Inbound notifications: Block notifications from displaying to users when an application is blocked from listening on a port.

  • Default action for outbound connections: Configure the default action the firewall performs on outbound connections. This setting applies to Windows version 1809 and above.

  • Default action for inbound connections: Configure the default action firewall performs on inbound connections.

    Rule merging

  • Authorized application Microsoft Defender Firewall rules from the local store: Apply authorized firewall rules in the local store to be recognized and enforced.

  • Global port Microsoft Defender Firewall rules from the local store: Apply global port firewall rules in the local store to be recognized and enforced.

  • Microsoft Defender Firewall rules from the local store: Apply global firewall rules from the local store to be recognized and enforced.

  • IPsec rules from the local store: Apply connection security rules from the local store, regardless of schema or connection security rule versions.
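Once the profile has been applied, the resulting Windows Defender Firewall state can be read back on the device and compared with the values the profile was meant to set, which is the quickest way to confirm that the deployment actually took effect and that nothing was changed locally afterwards. The PowerShell audit script below is an added example and is not SureMDM code or part of this documentation. It assumes the mapping between the profile options above and the properties of the built-in Get-NetFirewallProfile and Get-NetFirewallSetting cmdlets noted in the comments (for instance, Shielded is taken to correspond to AllowInboundRules being False, and the four Rule merging options to AllowUserApps, AllowUserPorts, AllowLocalFirewallRules and AllowLocalIPsecRules). The baseline values are constructed and should be replaced with your own policy. Plain Stealth Mode is not exposed as a property of Get-NetFirewallProfile and is therefore not checked here.

```powershell
# Added example (not SureMDM code): audit the effective Windows Defender Firewall
# state on a device against the values a Firewall Profile is intended to set.
# Assumption: the option-to-property mapping in the comments and the baseline
# values are constructed; edit the baselines to match your own policy.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later); run in an
# elevated session so every setting is readable.

# Per-network baseline applied to the Domain, Private and Public profiles (constructed).
$ProfileBaseline = [ordered]@{
    Enabled                         = 'True'   # Microsoft Defender Firewall
    DefaultInboundAction            = 'Block'  # Default action for inbound connections
    DefaultOutboundAction           = 'Allow'  # Default action for outbound connections
    AllowInboundRules               = 'True'   # 'False' would correspond to Shielded (block all inbound)
    AllowUnicastResponseToMulticast = 'False'  # Unicast responses to multicast broadcasts
    NotifyOnListen                  = 'False'  # Inbound notifications
    EnableStealthModeForIPsec       = 'True'   # IPsec secured packet exemption with Stealth Mode
    AllowUserApps                   = 'False'  # Rule merging: authorized application rules, local store
    AllowUserPorts                  = 'False'  # Rule merging: global port rules, local store
    AllowLocalFirewallRules         = 'False'  # Rule merging: Defender Firewall rules, local store
    AllowLocalIPsecRules            = 'False'  # Rule merging: IPsec rules, local store
}

# Baseline for the profile-independent "Global Settings" block (constructed).
$GlobalBaseline = [ordered]@{
    EnableStatefulFtp      = 'False'            # File Transfer Protocol (stateful FTP blocked)
    MaxSAIdleTimeSeconds   = '300'              # Security association idle time (300-3600 s)
    KeyEncoding            = 'UTF8'             # Pre-Shared Key Encoding
    Exemptions             = 'None'             # IPsec Exemptions (none when not set)
    CertValidationLevel    = 'RequireCrlCheck'  # Certificate Revocation List Verification
    RequireFullAuthSupport = 'True'             # Opportunistically Match Authentication Set Per Key Module
    EnablePacketQueuing    = 'None'             # Packet Queuing
}

function Compare-FirewallSettings {
    # Compare one settings object with a baseline and emit one finding per drifted setting.
    param(
        [string]$Scope,
        [psobject]$Actual,
        [System.Collections.IDictionary]$Baseline
    )
    foreach ($key in $Baseline.Keys) {
        # GpoBoolean and enum values compare cleanly once rendered as strings.
        $value = [string]$Actual.$key
        if ($value -ne $Baseline[$key]) {
            [pscustomobject]@{
                Scope    = $Scope
                Setting  = $key
                Expected = $Baseline[$key]
                Actual   = $value
            }
        }
    }
}

function Test-FirewallProfileBaseline {
    # Returns every setting that differs from the baseline; an empty result means compliant.
    $findings = @()
    foreach ($p in Get-NetFirewallProfile -Name Domain, Private, Public) {
        $findings += @(Compare-FirewallSettings -Scope $p.Name -Actual $p -Baseline $ProfileBaseline)
    }
    $findings += @(Compare-FirewallSettings -Scope 'Global' -Actual (Get-NetFirewallSetting) -Baseline $GlobalBaseline)
    return $findings
}

$drift = @(Test-FirewallProfileBaseline)
if ($drift.Count -eq 0) {
    Write-Output 'Firewall state matches the intended profile on all three networks and globally.'
} else {
    # Each row is a setting the profile did not set as intended or that was changed locally.
    $drift | Format-Table -AutoSize
    exit 1
}
```

Running the script under an account that can read firewall policy prints a table of drifted settings (scope, setting name, expected and actual value) and exits non-zero, which makes it usable as a post-deployment compliance check or a scheduled job that feeds a monitoring system. Keeping the per-network and global baselines as separate tables mirrors the structure of the profile itself, so a change to one option on the console maps to exactly one line in the baseline.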

Add Rule - Create/edit a Firewall rule:

The newly created job will be listed in the Jobs List section.

  1. Go back to the Home tab and select the Windows device(s) or group(s).

  2. Click Apply to launch the Apply Job/Profile To Device prompt.

  3. Select the profile under All Jobs/Profiles.

  4. Click Apply in the Apply Job/Profile To Device prompt.