
Firewall Application Rules

This Article Applies to:

  • Avast Business On-Premise Console

 

Avast Firewall is another major component of Antivirus protection offered alongside Core Shields, and it is available for Windows workstations. Our Firewall monitors all network traffic between devices and the outside world to help protect you from unauthorized communication and intrusions.

Firewall's application rules are specifically meant to control how Firewall behaves toward applications or processes when they connect to the internet or to another network. These rules are created each time an application or process makes a connection attempt for the first time. Advanced users can set connection permissions for each individual app to determine how strictly Firewall monitors any incoming or outgoing communication.

We recommend you only modify these rules if absolutely necessary. In most cases, Firewall formulates optimal rules without any user input.

 

To access Firewall application rules:

  1. Go to the Policies page
  2. Open the desired policy
  3. Select Windows Workstation, then navigate to the Active protection tab
  4. Click Customize next to Firewall
  5. Select the Rules tab, then Application rules

At the top of the Rules tab, you can allow local configuration of all Firewall rules by disabling the Control all rules via the web console option. However, we recommend keeping this option enabled, ensuring these rules are controlled via the On-Premise Console for maximum security across your network.

Configuring Application Rules

Each policy contains default application rules to allow common applications to communicate properly. You can delete or modify these rules in order to change how the listed application communicates, or add new rules to the existing list.

You can also set the default action Firewall will take for new applications with no defined rules:

  • Auto-decide (Smart Mode on the endpoint): Either allows or blocks connections depending on their trustworthiness.
  • All connections (Allow on the endpoint): Allows all connections.
  • No connections (Block on the endpoint): Blocks all connections.
  • Ask user (Ask on the endpoint): Prompts the user to manually allow or block connections as they occur.

Adding Application Rules

To add a new application rule:

  1. Click the Add application rule button at the top or at the bottom of the list
  2. Enter the application's name and path (you can use system path variables - see section below)
  3. Select the desired rule from the drop-down menu (No connections, Internet out only, or All connections) or create a custom rule via the Set custom packet rules link (see the Customizing Application Rules section below)
  4. Click Add application rule

The new rule will then be added to the list. You can edit/delete it if needed by clicking the pencil/trash bin icon next to it.

When modifying custom application rules, the options to add, edit, delete, or disable the packet rules will also be available.

System Path Variables

Clicking Show system path variables under the Application Path field will show all accepted system variables and related information:

Customizing Application Rules

To customize an existing rule or create a new custom rule:

  1. Do one of the following:
    • To make a new custom rule, click the Add application rule button at the bottom of the list
    • To customize an existing rule, click the pencil icon next to it
  2. Enter the app's name and path (if creating a new rule)
  3. Click the Set custom packet rules link
  4. Do one of the following:
    • If you are creating a new packet rule, click the Add new rule button
    • If you are modifying an existing packet rule, click that rule to be able to edit it
  5. Fill out/modify the following:
    • Enabled: Ticking/unticking the checkbox will enable/disable the rule.
    • Rule name
    • Action: Indicates whether Firewall will Allow or Block the connection.
    • Protocol: Indicates the network protocol the rule applies to. One protocol may be selected, or All if the rule applies to all protocols.
      • If you select Internet Control Message Protocol (ICMP/ICMPv6), you will also need to specify the ICMP type.
    • Direction: Indicates whether the rule applies to incoming connections (In), outgoing connections (Out), or to connections in both directions (Both).
    • IP Address: Indicates the source or destination IP address the rule applies to. The rule may apply to a single IP address, multiple IP addresses (separated by commas), or an IP address range (starting with the lowest IP address and separated with a dash). If the field is blank, the rule applies to all IP addresses.
    • Local Port: Indicates a network port number on the local IP address of your PC's network interface. The rule may apply to a single port number, multiple ports (separated by commas), or a port range (starting with the lowest port number and separated with a dash). If the field is blank, the rule applies to all local ports.
    • Remote Port: Indicates a network port number on the remote IP address of the external server or device. The rule may apply to a single port number, multiple ports (separated by commas), or a port range (starting with the lowest port number and separated with a dash). If the field is blank, the rule applies to all remote ports.
      • An application may need to communicate with a specific remote port in order to function. For example, your internet browser usually needs port 443, as this is the default port used for HTTPS (secure HTTP). To verify the remote port that is required by a particular application, contact the application vendor or refer to the application's support pages.
    • ICMP type: Indicates the control message (represented by a code number) to which the rule applies. The rule may apply to a single code number, or multiple codes (separated by commas). The code numbers of control messages are listed in the technical specifications of the ICMP (RFC 792).
    • Profile: Indicates whether the rule applies to Private, Public, or All networks.
  6. Click the Update button
  7. Once you are done adding/modifying packet rules, click Add application rule/Save application rule
    • You can also delete existing packet rules by clicking the trash bin icon next to them.
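
To review what a set of packet rules really permits, the field syntax described above (single value, comma-separated list, lowest-to-highest range, blank meaning all) can be modelled offline. The following is an added example, not Avast code: the dictionary layout, function names and sample rules are constructed, the IP Address field is assumed to be compared against the remote end of the connection, ranges are also accepted inside a comma-separated list, and ICMP type and rule ordering are not modelled.

```python
import ipaddress

def port(text):
    n = int(text)
    if not 0 <= n <= 65535:
        raise ValueError(f"port out of range: {text!r}")
    return n

def parse_field(field, convert):
    """Parse '', 'a', 'a,b' or 'lo-hi' into (lo, hi) pairs; None means blank (all)."""
    if not field.strip():
        return None
    spans = []
    for part in field.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = convert(lo.strip())
        hi = convert(hi.strip()) if hi.strip() else lo
        if lo > hi:
            raise ValueError(f"range must start with the lowest value: {part!r}")
        spans.append((lo, hi))
    return spans

def covers(spans, value):
    # The type check keeps IPv4 and IPv6 addresses from being compared.
    return spans is None or any(
        type(lo) is type(value) and lo <= value <= hi for lo, hi in spans)

def rule_matches(rule, conn):
    """True if an enabled packet rule applies to conn (assumed matching model)."""
    ip = ipaddress.ip_address
    return (rule["enabled"]
            and rule["protocol"] in ("All", conn["protocol"])
            and rule["direction"] in ("Both", conn["direction"])
            and rule["profile"] in ("All", conn["profile"])
            and covers(parse_field(rule["ip"], ip), ip(conn["remote_ip"]))
            and covers(parse_field(rule["local_port"], port), conn["local_port"])
            and covers(parse_field(rule["remote_port"], port), conn["remote_port"]))

def rules_allowing(rules, conn):
    """Names of Allow rules that apply to conn; use it to spot over-broad rules."""
    return [r["name"] for r in rules if r["action"] == "Allow" and rule_matches(r, conn)]

# Constructed sample data: field order follows the packet rule form above.
KEYS = "name enabled action protocol direction ip local_port remote_port profile".split()
RULES = [dict(zip(KEYS, row)) for row in (
    ("browser-https", True, "Allow", "TCP", "Out", "", "", "443", "All"),
    ("backup-agent", True, "Allow", "TCP", "Out", "192.0.2.10-192.0.2.20", "", "8000-8100,9000", "Private"),
    ("legacy-tool", True, "Allow", "All", "Both", "", "", "", "All"),
)]
```

Passing an unwanted connection (for example, an inbound one from an arbitrary public address) to rules_allowing shows which rules with blank fields would admit it, such as the constructed legacy-tool rule.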

Resetting to Default Settings

If needed, you can revert all application rules to their default values by clicking the Reset to default settings link at the bottom of the settings.