ZoneAlarm Firewall

There are many threats on the Internet - hacker activity, viruses, and worms. The ZoneAlarm Firewall protects your computer from most of those threats. It defines three security zones - Trusted, Public, and Blocked.

By default, the Public Zone works in High security mode, and the Trusted Zone works in Medium security mode:

• High security mode for Public Zone lets you connect to network resources, but prevents other unauthorized network users and computers from accessing the resources on your computer and compromising your computer protection. Unknown networks and most wireless networks, even secured wireless networks, should be in this High security Public Zone.
• Medium security mode for Trusted Zone protects your computer from possible attacks on Windows networking services, but lets you share resources with other computers on the network. Networks you know and trust, such as your home or business LAN and known protected wireless networks, should go in this Medium security Trusted Zone.
• Blocked Zone - contains computers and networks you distrust. No traffic to or from this zone is allowed.

The ZoneAlarm Firewall is on by default as soon you as install ZoneAlarm software. You do not need to do anything, unless you want to change the default configuration, or to turn it off temporarily ("Turning the Firewall On and Off" on page 31). To learn how to change the default Firewall configuration, see Managing Basic Firewall Zone Settings.

ZoneAlarm Firewall is on by default after you install ZoneAlarm software. You can turn it off and on, as necessary, for example, if you need to troubleshoot a connection.

To turn the Firewall on or off:

• Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
• Move the Advanced Firewall ON/OFF slider to ON or OFF position, as necessary.

If the ZoneAlarm Firewall is on, the Advanced Firewall status line shows the message Blocks invasions and hacker activity, and the main status bar shows the message YOUR COMPUTER IS SECURE.

If the ZoneAlarm Firewall is off, the Advanced Firewall status line shows the warning Your firewall is not properly set, and the Fix Now button below. The main status bar shows the warning YOUR COMPUTER IS AT RISK, and the Fix Now! button next to it. Click one of the Fix Now! buttons to turn the Firewall on again.

ZoneAlarm Firewall comes configured with optimal basic Firewall Zone settings. If you need to make changes to the basic settings, you can do these:

• Change the security levels of the ZoneAlarm Firewall zones (not recommended)
• Add a host, an IP address, a range of IP addresses, or a Subnet to a security zone
• Remove a host, an IP address, a range of IP addresses, or a Subnet from a security zone
• Edit a host, an IP address, a range of IP addresses, or a Subnet in a security zone

Changing Security Level Settings of Firewall Zones

To change the security level settings of the zones:

• Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
• Click Settings in the Advanced Firewall section.
• Move the slider to one of the setting for the Public Zone - Off, Med., or High (default).
• Move the slider to one of the settings for the Trusted Zone. - Off, Med. (default), or High.

Adding Hosts, IP Addresses, Ranges, and Subnets to Zones

To add a host, an IP address, a range of IP addresses, or a Subnet to a Zone:

1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
2. Click View Zones in the Advanced Firewall section.
   The Firewall Settings window opens and the View Zones table shows.
3. Click Add and select one of these:
   • Host/Site
   • IP Address
   • IP Range
   • Subnet
   The Add Zone window opens.
4. From the drop-down menu select the Zone ("Protecting Your Computer with ZoneAlarm Firewall" on page 30) to which you want to add a new network or host:
   • Blocked
   • Trusted
   • Public
5. Fill in the required fields:
   • Host name and Description for the Host/Site
     Click Lookup to get the IP address for the host
   • IP Address and Description for the IP Address
   • IP Range Start, IP Range End, and Description for the IP Range
   • IP Address, Subnet Mask, and Description for the Subnet
6. Click OK.
   The new entity shows in the View Zones table.
7. Click OK.

Removing Hosts, IP Addresses, Ranges, and Subnets from Zones

To remove a host, an IP address, a range of IP addresses, or a Subnet from a Zone:

1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
2. Click View Zones in the Advanced Firewall section.
   The Firewall Settings window opens and the View Zones table shows.
3. Select an entry in the View Zones table.
4. Click Remove.
The Delete Confirmation window opens.
5. Click Yes to confirm the deletion.
6. Click OK.

Editing Hosts, IP Addresses, Ranges, and Subnets in Zones

To edit a host, an IP address, a range of IP addresses, or a Subnet in a Zone:

1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
2. Click View Zones in the Advanced Firewall section.
   The Firewall Settings window opens and the View Zones table shows.
3. Select the entry in the View Zones table.
4. Click Edit.
   The Edit Zone window opens.
5. Change the parameters as necessary.
6. Click OK.
7. Click OK.

You can further customize High and Medium security settings for the Trusted and Public security zones to allow or to block specific types of traffic based on protocol types and port numbers.

1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
2. Click Settings in the Advanced Firewall section.
3. Click Advanced Settings.
   The Firewall Settings window opens.
4. From the navigation tree, select Trusted Zone or Public Zone.
   Trusted Zone Security Settings or Public Zone Security Settings tab shows.
5. Select or clear High Security Settings and Medium Security Settings rules:

   High Security Settings	Medium Security Settings
   Allow outgoing DNS (UDP port 53)	Block incoming NetBIOS (port 135, 137-9, 445) (selected by default for Public Zone)
   Allow outgoing DHCP (UDP port 67)	Block outgoing NetBIOS (port 135, 137-9, 445)
   Allow broadcast/multicast (selected by default)	Block incoming ping (ICMP Echo)
   Allow incoming ping (ICMP Echo)	Block other incoming ICMP
   Allow other incoming ICMP	Block outgoing ping (ICMP Echo)
   Allow outgoing ping (ICMP Echo)	Block outgoing ICMP
   Allow other outgoing ICMP	Block incoming IGMP
   Allow incoming IGMP	Block outgoing IGMP
   Allow outgoing IGMP	Block incoming UDP ports: (none) Note: Check this setting, then enter specific UDP ports, or UDP port ranges in the field below the table.
   Allow incoming UDP ports: (none) Note: Check this setting, then enter specific UDP ports, or UDP port ranges in the field below the table.	Block outgoing UDP ports: (none) Note: Check this setting, then enter specific UDP ports, or UDP port ranges in the field below the table.
   Allow outgoing UDP port: (none) Note: Check this setting, then enter specific UDP ports, or UDP port ranges in the field below the table.	Block incoming TCP ports (none) Note: Check this setting, then enter specific TCP ports, or TCP port ranges in the field below the table.
   Allow incoming TCP ports (none) Note: Check this setting, then enter specific TCP ports, or TCP port ranges in the field below the table.	Block outgoing TCP ports (none) Note: Check this setting, then enter specific TCP ports, or TCP port ranges in the field below the table.
   Allow outgoing TCP ports (none) Note: Check this setting, then enter specific TCP ports, or TCP port ranges in the field below the table.

6. Click OK.
   Note - to reset all the settings to the default values, click Reset to default, then click OK.

Advanced options let you further customize your firewall configuration. Here, you can:

1. Configure general settings ("Configuring Advanced Global Firewall Settings" on page 35) based on protocols, packet types, types of services, and types of traffic. These apply to both - the Trusted Zone and the Public Zone.
2. Configure network settings ("Configuring Firewall Network Settings" on page 36) to include newly detected networks in the Trusted Zone, so that traditional local network activities, such as file and printer sharing, are not interrupted.
   Note - ZoneAlarm software detects only networks that your computer is physically connected to. Routed or virtual network connections are not detected.
3. Enable IPv6 networking.

Configuring Advanced Global Firewall Settings

To configure advanced global firewall settings:

1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
2. Click Settings in the Advanced Firewall section.
3. Click Advanced Settings.
   The Firewall Settings window opens and shows the Advanced settings.
4. In the General Settings area, select or clear the configuration options as necessary:

   Block all fragments	Blocks all incomplete (fragmented) IP data packets, which hackers sometimes create to bypass or disrupt network devices that read packet headers. Note: Do not select this option, unless you are aware of how your Internet provider handles fragmented packets. If you select this option, the ZoneAlarm software silently blocks all fragmented packets. It does not send alerts or create log entries.
   Block trusted servers	Prevents all programs on your computer from acting as servers to the Trusted Zone. Note: This setting overrides permissions granted through the Program Permissions settings
   Block public servers	Prevents all programs on your computer from acting as servers to the Public Zone. Note: This setting overrides permissions granted through the Program Permissions settings
   Enable ARP protection	Blocks all incoming ARP (Address Resolution Protocol) requests, except broadcast requests for the address of the target computer. Also blocks all incoming ARP replies except for those that come in response to outgoing ARP requests.
   Filter IP traffic over 1394	Selected by default. It filters FireWire traffic. Note: You must restart your PC for the changes to take effect.
   Allow VPN protocols	Selected by default. It allows the use of common VPN protocols (ESP, AH, GRE, SKIP), even in High security mode. When this option is not selected, the VPN protocols are allowed only in Medium security mode.
   Allow uncommon protocols at high security	Allows the use of protocols, other than ESP, AH, GRE, and SKIP, in High security mode.
   Lock hosts file	Selected by default. Prevents the hosts file on your computer from being modified by hackers through sprayers or Trojans.

5. Click OK to save the configuration changes and exit, or continue to Firewall Network settings

Configuring Firewall Network Settings

To configure Firewall Network settings:

1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
2. Click Settings in the Advanced Firewall section.
3. Click Advanced Settings.
   The Firewall Settings window opens and shows the Advanced settings.
4. In the Network Settings area, select or clear the configuration options as necessary:

   Include networks in the Trusted Zone upon detection.	Automatically assigns all newly discovered networks to the Trusted Zone. This setting gives the least amount of protection.
   Exclude networks from the Trusted Zone upon detection.	Automatically assigns all newly discovered networks to the Public Zone. This setting gives the most amount of protection.
   Ask which Zone to place new networks in upon detection. *for Windows XP only	Selected by default. For each newly discovered network, ZoneAlarm lets you assign that network to the Public Zone or to the Private Zone.
   Automatically put new unprotected wireless networks (WEP or WPA) in the Public Zone *for Windows XP only	Selected by default. ZoneAlarm automatically assigns newly discovered unprotected wireless networks to the Public Zone. NOTE: A secure (protected) wireless network is WPA enabled.
   Enable IPv6 networking	Selected by default. Enables IPv6 for operating systems that support it. When ZoneAlarm Firewall is set to block IPv6, the Windows network settings show that IPv6 is disabled. NOTE: You must reboot the system for the changes in IPv6 network settings to take effect.

5. Click OK.

To add custom firewall protection to your PC, you can configure Firewall Expert Rules:

• Source - traffic source
• Destination - traffic destination
• Protocol - transport layer protocol
• Time - days and times
• Action - allow or block
• Rank - the priority order in the list of all expert rules

Expert Rules can be configured for specific groups based on:

• Host names and IP addresses
• Protocols and port numbers
• Days and times of access

If a group changes, all the expert rules that use it are automatically updated.

To get to Expert Rules and Expert Group configuration:

1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
2. Click Settings in the Advanced Firewall section.
3. Click Advanced Settings.
   The Firewall Settings window opens and shows the Advanced settings.
4. From the navigation tree, select Expert Rules.
5. After you configure Expert Rules and Expert Groups as necessary, click OK.

Adding Expert Rules

To add an Expert Rule:

1. In the Expert Rules configuration screen, click Add.
   The Add Expert Rule window opens.
2. Select the Rank.
3. Enter a Name and Comments (optional).
4. Make sure the State is Enabled.
   Note: you can change the State to Disabled at any time for testing or troubleshooting purposes.
5. Select an Action -
   • Allow - to allow the traffic that matches the rule criteria.
   • Block - to block the traffic that matches the rule criteria.
6. Add criteria to the rule:
   • Source, Destination - click Modify > Add Location > [location option]:
     • My Computer - this PC.
     • Trusted Zone - computers and networks in the Trusted Zone ("Managing Basic Firewall Security Zone Settings" on page 31)
     • Public Zone - computers and networks in the Public zone ("Managing Basic Firewall Security Zone Settings" on page 31)
     • Any - any source/destination location, without restrictions (default)
     • Host/Site - add a Description and a Host name, then click Lookup, and OK
     • IP Address - add a Description and an IP Address, then click OK
     • IP Range - add a Description, the first IP Address of a range and the last one, then click OK
     • Subnet - add a Description, an IP Address and a Subnet Mask, then click OK
     • Gateway - add a Description, an IP Address and a MAC Address, then click OK
     • New Group - see how to add Location Expert Groups ("Adding Expert Groups" on page 39)
     • Existing Group - select groups from the list, then click OK.
   • Protocol - click Modify > Add Protocol > [option]:
     • Add Protocol - add a Description, select a Protocol, a Destination Port and a Source Port, then click OK
     • New Group - see how to add Protocol Expert Groups ("Adding Expert Groups" on page 39)
     • Existing Group - select groups from the list, then click OK
   • Time - click Modify > Add Time > [option]:
     • Day/Time Range - add a Description, select From and To values for the Time frame, Days of the week, then click OK
     • New Group - see how to add Time Expert Groups ("Adding Expert Groups" on page 39)
     • Existing Group - select groups from the list, then click OK
7. Click OK.

Editing or Deleting Expert Rules

To edit or to delete an expert rule:

1. In the Expert Rules configuration screen, select an expert rule.
2. Do one of these:
   • To delete the rule - click Remove, then Yes to confirm
   • To edit the rule - click Edit
     Add Expert Rule window opens. Change parameters as described in the Adding Expert Rules (on page 38) procedure.
3. Click OK.

Managing Expert Groups

To manage Expert Groups:

1. In the Expert Rules configuration screen, click Groups.
   The Expert Group Manager window opens.
2. Do necessary procedures on Expert Groups:
   • Add ("Adding Expert Groups" on page 39)
   • Remove ("Editing Expert Groups" on page 41)
   • Edit ("Editing Expert Groups" on page 41)
3. Click OK to save and exit.

Adding Expert Groups

You can add Expert groups based on:

• Location
• Protocols
• Times

To add a Location Expert Group:

1. Select the Locations tab.
2. Click Add.
   Add Location Group window opens.
3. Enter a Name and a Description (optional).
4. Click Add.
5. Select one of the options from the drop-down menu and enter the required parameters:
   • Host/Site - enter a Description and a Host name, and click Lookup to find the IP address of the host
   • IP Address - enter a Description and an IP Address
   • IP Range - enter a Description, the first IP Address of the range and the last IP Address of the range
   • Subnet - enter a Description, an IP Address and a Subnet Mask
   • Gateway - enter a Description, an IP Address and a MAC Address of a gateway
   Note - Description field is required.
6. Click OK.
7. Click OK.

To add a Protocol Expert Group:

1. Select the Protocols tab.
2. Click Add.
   Add Protocol Group window opens.
3. Enter a Name and a Description (optional).
4. Click Add.
   The Protocol window opens.
5. Select one of the Protocol options from the drop-down menu and enter the required parameters:
   • TCP - Destination Port and Source Port by service name or port number. For example, HTTP or 80. The default is Any.
   • UDP - Destination Port and Source Port by service name or port number. For example, TFTP or 69. The default is Any.
   • TCP and UDP - Destination Port and Source Port by service name or port number. For example, TACACS or 49. The default is Any.
   • ICMP - ICMP service by Name or Type Number. For example, Echo Request or 8.
   • IGMP - IGMP service by Name or Type Number. For example, Multicast Traceroute or 31.
   • Custom - any protocol by Name or Protocol Number. For example, GRE or 47.
   Note - Description field is required.
6. Click OK.
7. Click OK.

To add a Time Expert Group:

1. Select the Times tab.
2. Click Add.
   The Add Time Group window opens.
3. Enter a Name and a Description (optional).
4. Click Add.
   The Day/Time Range window opens.
5. Enter a Description.
6. Select the From and To values for the Time. The default is Any.
7. Select Days of the week.
8. Click OK.
9. Click OK.

Editing Expert Groups

To edit an Expert Group:

• Select the tab for the Expert Group category:
  • Locations
  • Protocols
  • Times
• Select an expert group from the list.
• Click Edit.
  The corresponding Add Group window opens. See Adding Expert Groups ("Managing Expert Groups" on page 39) for details on options and parameters.
• Click OK.
• Click OK.

By default, ZoneAlarm software records all Firewall events in a log, and archives the log file every seven days. To change the logging settings, see Managing Alerts and Logs Settings.

To view Firewall Log events:

1. Open the ZoneAlarm software client.
2. From the Tools menu, select Logs.
   The Alerts and Logs window opens, and shows the Log Viewer.
3. From the Select log type drop-down list, select Firewall.
   The Log Viewer shows the Firewall log entries:

To control the number of entries in the Log Viewer:

Click and select the number of log entries from the Show Last drop-down menu:

• 10
• 25
• 50
• 100
• 200
• All

To clear the Log Viewer entries:

Click Clear.

To refresh the Log Viewer:

Click Refresh.

To add an IP address to a Security Zone:

1. Select an entry in the Log Viewer table.
2. Click Add To Zone.
   The Add Zone window opens.
3. Select the Zone you want to add the IP address to - Trusted or Blocked.
4. Add a description.
5. Click OK.

To learn more about blocked traffic:

1. Select an entry in the Log Viewer table.
2. Click More Info.
   The SmartDefense Advisor web page opens, and provides information about the selected blocked packet type.