Firewall Management in the command line

In the command line, you can configure Firewall Management using the Firewall Management predefined task (Firewall_Management).

By default, the Firewall Management Task is not run. You can start and stop this task manually.

You can configure the firewall management settings by editing the settings of the Firewall Management predefined task.

You can also configure Firewall Management settings using Firewall Management commands:

Create and delete network packet rules and change their execution priority.
Create a list of IP addresses or subnets in network zones.

View firewall rules created in Kaspersky Endpoint Security by using the command kesl-control -F --query.

Firewall Management task settings

Setting	Description	Values

`DefaultIncomingAction`	The default action to perform on an inbound connection if no network rules apply to this connection type.	`Allow` (default value) — Allow inbound connections. `Block` — Block inbound connections.
`DefaultIncomingPacketAction`	The default action to perform on an incoming packet if no network packet rules apply to this connection type.	`Allow` (default value) — Allow incoming packets. `Block` — Block incoming packets.
`OpenNagentPorts`	Adds Network Agent dynamic rules to the network packet rules.	`Yes` (default value) – Add Network Agent dynamic rules to the network packet rules. `No` – Do not add Network Agent dynamic rules to the network packet rules.
The [PacketRules.item_#] section contains network packet rules for the Firewall Management task. You can specify several `[PacketRules.item_#]` sections in any order. The application processes the scopes by index in ascending order. Each `[PacketRules.item_#]` section contains the following settings:
`Name`	Network packet rule name.	Default value: `Packet rule #<n>`, where n is an index.
`FirewallAction`	Action to be performed on connections specified in this network packet rule.	`Allow` (default value) — Allow network connections. `Block` — Block network connections.
`Protocol`	Type of protocol for which network activity is to be monitored.	`Any` (default value) — The Firewall Management task monitors all network activity. `TCP` `UDP` `ICMP` `ICMPv6` `IGMP` `GRE`
`RemotePorts`	Port numbers of the remote devices whose connection is monitored. An integer or interval can be specified for this value. This setting can only be specified if the `Protocol` setting is set to `TCP` or `UDP`.	`Any` (default value) — Monitor all remote ports. `0` – `65535`.
`LocalPorts`	Port numbers of the local devices whose connection is monitored. An integer or interval can be specified for this value. This setting can only be specified if the `Protocol` setting is set to `TCP` or `UDP`.	`Any` (default value) — Monitor all local ports. `0` – `65535`.
`ICMPType`	ICMP packet type. This setting can only be specified if the `Protocol` setting is set to `ICMP` or `ICMPv6`.	`Any` (default value) — Monitor all ICMP packet types. Integer number according to the data transfer protocol specification.
`ICMPCode`	ICMP packet code. This setting can only be specified if the `Protocol` setting is set to `ICMP` or `ICMPv6`.	`Any` (default value) — Monitor all ICMP packet codes. Integer number according to the data transfer protocol specification.
`Direction`	Direction of the monitored network activity.	`IncomingOutgoing` or `InOut` (default value) — Monitor both inbound and outbound connections. `Incoming` or `In` — Monitor inbound connections. `Outgoing` or `Out` — Monitor outbound connections. `IncomingPacket` or `InPacket` — Monitor incoming packets. `OutgoingPacket` or `OutPacket` — Monitor outgoing packets. `IncomingOutgoingPacket` or `InOutPacket` — Monitor both incoming and outgoing packets.
`RemoteAddress`	The network addresses of the remote devices that can send and receive network packets.	`Any` (default value) — Monitor network packets sent and/or received by remote devices with any IP address. `Trusted` — Predefined network zone for trusted networks. `Local` — Predefined network zone for local networks. `Public` — Predefined network zone for public networks. `d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `dddd` – `dddd` — Range of IPv4 addresses. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x:x:x:x:x` – `x:x:x:x:x:x:x:x` — Range of IPv6 addresses. x:x:x:x:x:x:x:x/p — Subnet of IPv6 addresses, where p is a number from 0 to 128; you can use :: for brevity.
`LocalAddress`	Network addresses of devices that have Kaspersky Endpoint Security installed and can send and/or receive network packets.	`Any` (default value) — Monitor network packets sent and/or received by local devices with any IP address. `d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `dddd` – `dddd` — Range of IPv4 addresses. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x:x:x:x:x` – `x:x:x:x:x:x:x:x` — Range of IPv6 addresses. x:x:x:x:x:x:x:x/p — Subnet of IPv6 addresses, where p is a number from 0 to 128; you can use :: for brevity.
`LogAttempts`	Include a record of the network rule action in the report.	`Yes` — Log actions in the report. `No` (default value)—Do not write the actions in the report.
The [NetworkZonesPublic] section contains network addresses associated with public networks. You can specify several IP addresses or subnets of IP addresses.
`Address.item_#`	Specifies IP addresses or subnets of IP addresses.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. Default value: "" (no network addresses in this zone)
The [NetworkZonesLocal] section contains network addresses associated with local networks. You can specify several IP addresses or subnets of IP addresses.
`Address.item_#`	Specifies IP addresses or subnets of IP addresses.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. Default value: `""` (no network addresses in this zone)
The [NetworkZonesTrusted] section contains network addresses associated with trusted networks. You can specify several IP addresses or subnets of IP addresses.
`Address.item_#`	Specifies IP addresses or subnets of IP addresses.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. Default value: `""` (no network addresses in this zone)

In this section

Configuring a list of network packet rules in the command line

Configuring network zones in the command line

Page top