Gravity Zone Firewall Rules not Blocking Ports

Pmiller Systems Administrator

I'm new to GravityZone but have used other firewalls in the past. Creating rules seems simple. I want to create a policy for a subset of PCs that blocks Remote Desktop on incoming port 3389. I've done this in several other firewalls before.

However, I created an incoming rule to block port 3389 but it doesn't work for the policy I've applied to my lab machine (I can still RDP to it). I can disable all the policies on the lab machine, create a manual Windows Defender Firewall rule to block incoming port 3389, and it works perfectly. But if I turn on Bitdefender nothing works.

Perhaps I am not understanding the rules section of the firewall in GravityZone. Here is a copy of the rule for reference.

Comments

  • Andrei_S Enterprise Business Support Manager BD Staff

    Hello @Pmiller,

    The default configuration for the default rule Incoming Remote Desktop Connection just needs to be set to Deny and you will restrict RDP connections. In your configuration you need to remove port 3389 from the Remote address section. Please check my screenshot below.

    Besides this, please ensure that the Firewall module is deployed and enabled on the endpoint on which you want to block the RDP connection, and also that the correct policy, which contains the firewall configurations, is applied to it.

    If all these conditions are met there should not be an issue.

    For assistance you can also contact our Enterprise Support team and they will guide you in the process.

    https://www.bitdefender.com/support/contact-us.html?last_page=BusinessCategory

    Kind Regards,

    Andrei

  • Pmiller Systems Administrator

    Even after that change this still isn't blocking the port.
    I've also verified that the firewall module is enabled on the machine in question.

    The enterprise support is not very helpful. I've already created a ticket asking them and they are slow to respond and don't offer anything. I got more help here.

  • Andrei_S Enterprise Business Support Manager BD Staff

    Hello @Pmiller,

    I identified your case and checked for a response; you should have received the following answer:

    Please change the Wired Adapter type to Public from the policy applied to the endpoint, Firewall section, Settings and check if the issue is still occurring.

    If you still need assistance, I can reach out to support to contact you via phone or schedule a remote for a quicker resolution.

    Kind Regards,

    Andrei

  • Pmiller Systems Administrator

    Changing the wired adapter type to public did allow the rule to finally work. However, what is the point of this check then?

    Does the home/office really ignore all rules? Do I have to set my office to public network to get any benefit out of the Bitdefender firewall? I manage over 100 computers here. Do all of them need this treatment to get any benefit out of your firewall?

  • Andrei_S Enterprise Business Support Manager BD Staff

    Hello @Pmiller,

    I know you received the answer from support yesterday but I am adding it here so others can benefit as well.

    The Home/Office network allows all traffic to and from computers in the local network while the other traffic is being filtered. This is the reason why you need to set the adapter for your local network to be public so the firewall rules can apply to it.

    Through a Task from the GravityZone console you can apply the policy which contains the Firewall rules to any number of endpoints from your network.

    Kind Regards,

    Andrei

  • rcooper5908 I.T. Director

    You understand this is not how a firewall works? You should change the name of this module to basic traffic filter. I was assured GravityZone included a local firewall, I was shown the rules layout, and at no point was I told this only functions if you wrongly designate your work network as public. I have several machines where access from other hosts is traditionally (Windows Defender, Kaspersky, etc.) filtered for only certain hosts. What you are saying is I have to designate a private network public so that your TOP DOWN rules apply? Especially when one of the criteria is to apply to the private zone/chain. Now who do I see about my $9000 refund please?

  • Andrei_S Enterprise Business Support Manager BD Staff
    edited October 8

    Hello @rcooper5908

    The way our Firewall works is as follows:

    Depending on the traffic that we are talking about, it could be either internal traffic or external traffic, and the Firewall components will each go one by one to see what type of rule will apply for that type of traffic:

    1. The first component will be the Networks list from Firewall -> Settings, which will determine if the traffic is coming from the network set in this list or not. If it is, the traffic is allowed; if not, it will go to the next component.

    2. The Adapters determine what filter type should be applied on the traffic, if the source is outside the range set on the component above, by using a profile and depending on what adapter the machine is using at that moment.
       • Trusted - all the traffic is unfiltered
       • Home/Office - traffic between systems part of the same subnet will not be filtered, traffic made outside the subnet will be filtered
       • Public - both internal (subnet) and external traffic will be filtered
       • Untrusted - all traffic will be blocked

    3. If the profile and adapter match to filter traffic, then it will go to the next component, which in this case would be from the Rules section, the Ruleset (this component level is divided in the Ruleset portion and the rest of the options, Known files / known files and ask/deny/allow).

    4. If a Ruleset was not established for the traffic that reached this component (nor from the Known files, if selected), it will go to the last component, which is the manual option taken by the user (if you selected the Ask option), or Deny, or Allow the traffic.


    With all the above in mind, to filter internal traffic from private networks you will have to assign a public network profile in the Adapter section to it. I understand this might be confusing, but the Home/Office profile is not filtering the traffic because it is associated with traffic between hosts which are part of the same network, and the firewall would have already filtered all the traffic from the outside (public network), so I do think you can implement your use case by configuring the Firewall in this way.

    If you need more help with this or any other configuration, by opening a support case we can assist you with whatever is needed.

    Lastly, if you still want to request a refund you will have to open a case with support and select the Subscription Modifications category from the contact form so the case will be routed to our Commercial team.

    Kind Regards,

    Andrei
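
The evaluation order described in the last reply, modelled as an added example (not Bitdefender code and not part of the thread), shows why a Deny rule for port 3389 is never consulted for same-subnet traffic under the Home/Office profile. The function names, the rule dictionary layout, first-match rule ordering and the sample addresses are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy: one deny rule for inbound RDP (TCP 3389).
RULES = [{"name": "Block RDP", "direction": "in", "port": 3389, "action": "deny"}]

def evaluate(src, port, direction, profile, subnet, networks=(), rules=RULES,
             default="allow"):
    """Return (verdict, deciding_stage) following the order in the post above."""
    src = ip_address(src)
    # 1. Networks list: traffic from a listed network is allowed outright.
    if any(src in ip_network(n) for n in networks):
        return "allow", "networks-list"
    # 2. Adapter profile decides whether the traffic is filtered at all.
    if profile == "untrusted":
        return "deny", "adapter-profile"
    if profile == "trusted":
        return "allow", "adapter-profile"
    if profile == "home/office" and src in ip_network(subnet):
        return "allow", "adapter-profile"   # same-subnet traffic is not filtered
    # 3. Ruleset (first match wins here: an assumption of this sketch).
    for rule in rules:
        if rule["direction"] == direction and rule["port"] == port:
            return rule["action"], "ruleset:" + rule["name"]
    # 4. No rule matched: fall back to the policy's Ask/Deny/Allow default.
    return default, "default"

def unreachable_for_lan(rules, profile, subnet, lan_peer):
    """List deny rules that can never fire for a peer on the local subnet."""
    return [r["name"] for r in rules if r["action"] == "deny"
            and evaluate(lan_peer, r["port"], r["direction"], profile, subnet,
                         rules=rules)[1] != "ruleset:" + r["name"]]

if __name__ == "__main__":
    lab_subnet = "192.168.10.0/24"          # constructed addresses
    for profile in ("home/office", "public"):
        print(profile, evaluate("192.168.10.25", 3389, "in", profile, lab_subnet))
    print(unreachable_for_lan(RULES, "home/office", lab_subnet, "192.168.10.25"))
```

Running `unreachable_for_lan` against each policy before rollout gives a quick list of deny rules that the adapter profile will bypass for local peers.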