This site is for Avast Business products only. For articles on AVG Business products, see AVG Business Help. If you are in the right place but cannot find what you are looking for, please contact Avast Business Support for further assistance.

Firewall Application Rules

This Article Applies to:

  • Avast Business CloudCare

IMPORTANT: The CloudCare console does not support opening multiple tabs in the same browser session. Please use multiple browsers or incognito mode instead.

 

Avast Firewall is another major component of Antivirus protection offered alongside Core Shields, and it is available for Windows workstations. Our Firewall monitors all network traffic between devices and the outside world to help protect you from unauthorized communication and intrusions.

Firewall's application rules are specifically meant to control how Firewall behaves toward applications or processes when they connect to the internet or to another network. These rules are created each time an application or process makes a connection attempt for the first time. Advanced users can set connection permissions for each individual app to determine how strictly Firewall monitors any incoming or outgoing communication.

We recommend you only modify these rules if absolutely necessary. In most cases, Firewall formulates optimal rules without any user input.

Configuring Application Rules

To access Firewall system rules:

  1. Go to the Policies page (at partner level for master policies or customer level for customer policies)
  2. Select the desired policy from the left-hand pane
  3. Under Endpoint Protection, expand the Firewall and Antivirus Add-ons section
  4. Go to the Firewall tab, then select Application Rules

At the top of the tab, you can choose to override client configuration of all Firewall rules and general settings. We recommend enabling this option, ensuring these rules and settings are controlled via the console for maximum security across your network.

Each policy contains default application rules to allow common applications to communicate properly. You can delete or modify these rules in order to change how the listed application communicates, or add new rules to the existing list.

You can also set the default action Firewall will take for new applications with no defined rules:

  • Auto-decide (Smart Mode on the endpoint): Either allows or blocks connections depending on their trustworthiness.
  • Allow: Allows all connections.
  • Block: Blocks all connections.
  • Ask: Prompts the user to manually allow or block connections as they occur.

At the bottom of the settings, you also have the option to revert application rules to Avast default settings anytime if needed.

Adding Application Rules

To add a new application rule:

  1. Click the Add Application Rule button above the list
  2. Enter the application's name and path (you can use System Path Variables)
  3. Select the desired rule (No connections, Internet in only, Internet out only, All connections, or Custom)
    1. For detailed instructions on how to configure custom rules, refer to the Customizing Application Rules section below.
  4. Click Add

The new rule will then be added to the list. You can edit/delete it if needed by clicking the pencil/delete icon in the Actions column. When modifying custom application rules, the options to add, sort, edit, delete, or disable the packet rules will also be available.

System Path Variables

Clicking Show system path variables in the Add Application Rule dialog will show all accepted system variables and provide more information:

Use this if you need to specify an executable file located in a folder where shared program files for 32-bit applications are stored.

Example: %CommonProgramFiles(x86)%\app.exeC:\Program Files (x86)\Common Files\app.exe

Use this if you need to specify an executable file located in a folder where program files for 32-bit applications are stored.

Example: %ProgramFiles(x86)%\app.exeC:\Program Files (x86)\app.exe

Use this if you need to specify an executable file located in a folder where shared program files are stored.

Example: %CommonProgramFiles%\app.exeC:\Program Files\Common Files\app.exe

Use this if you need to specify an executable file located in a folder where program files are stored.

Example: %ProgramFiles%\app.exeC:\Program Files\app.exe

Use this if you need to specify an executable file located in a core folder of the operating system.

Example: %WINDIR%\SysNative\app.exeC:\Windows\System32\app.exe

Use this if you need to specify an executable file located inside an operating system folder.

Example: %WINDIR%\app.exeC:\Windows\app.exe

Use this if you need to specify an executable file located anywhere else on the system drive.

Example: %SYSTEMDRIVE%\folder_name\app.exeC:\folder_name\app.exe

You can copy any listed variable and paste it into the Application Path field.

Customizing Application Rules

To customize an existing rule or create a new custom rule:

  1. Do one of the following:
    • To make a new custom rule, click the + Add application rule button above the list
    • To customize an existing rule, click the pencil icon in its Actions column
  2. Enter the app's name and path (if creating a new rule)
  3. Select Custom
  1. Do one of the following:
    • If you are creating a new packet rule, select Add Another Packet Rule
    • If you are modifying an existing packet rule, click the pencil icon in its Actions column
  2. Fill out/modify the following:
    • Rule name
    • Action: Indicates whether Firewall will Allow or Block the connection
    • Protocol: Indicates the network protocol the rule applies to. One protocol may be selected, or All if the rule applies to all protocols.
    • Direction: Indicates whether the rule applies to incoming connections (In), outgoing connections (Out), or to connections in both directions (Both).
    • Address: Indicates the source or destination IP address the rule applies to. The rule may apply to a single IP address, multiple IP addresses (separated by commas), or an IP address range (starting with the lowest IP address and separated with a dash). If the field is blank, the rule applies to all IP addresses.
    • Local port: Indicates a network port number on the local IP address of your PC's network interface. The rule may apply for a single port number, multiple ports (separated by commas), or a port range (starting with the lowest port number and separated with a dash). If the field is blank, the rule applies to all local ports.
    • Remote port: Indicates a network port number on the remote IP address of the external server or device. The rule may apply for a single port number, multiple ports (separated by commas), or a port range (starting with the lowest port number and separated with a dash). If the field is blank, the rule applies to all remote ports.
      • An application may need to communicate with a specific remote port in order to function. For example, your internet browser usually needs port 443, as this is the default port used for HTTPS (secure HTTP). To verify the remote port that is required by a particular application, contact the application vendor or refer to the application's support pages.
    • ICMP type: If the selected protocol is Internet Control Message Protocol (ICMP/ICMPv6), you will need to specify the ICMP type, which indicates the control message (represented by a code number) to which the rule applies. The rule may apply to a single code number, or multiple codes (separated by commas). The code numbers of control messages are listed in the technical specifications of the ICMP (RFC 792).
  3. To finish, select Save (and, if creating a new rule, click the Add button)

 

Other Articles In This Section:

General Firewall Settings

Firewall Network Settings

Firewall System Rules

Firewall Advanced Packet Rules

Advanced Firewall Settings

Related Articles:

Configuring Antivirus Exclusions

Scheduling Scans

Wildcards