Set IP address Range for Firewall Policy Exception Rules

(imported topic written by ColinG91)

I am in the process of setting firewall rules for our machines and I do not see a way to set up an IP address range for a specific rule, e.g. only allow access to a port on the machine from either a single IP address or a range.

Can this be done?

It is possible this is a limitation of the wizard rather than the firewall engine as looking at the task generated to deploy the policy each of the policy exceptions has some IP address parameters set as follows:

IPAddressChoice = 1
IPAddress1 =
IPAddress2 =

Which tends to suggest somewhere to define an IP address or range.

Does anybody know what these are? I have not found anything on either the BigFix or Trend Micro site.

Experiments so far suggest that settings generated by the wizard (IPAddressChoice = 1) are for any IP address.

IPAddressChoice = 2
IPAddress1 = xxx.xxx.xxx.xxx
IPAddress2 = xxx.xxx.xxx.xxx

restricts the rule to a single IP address which suggests that 3 may be for a range.

Hacking the action script may give me what I want but it does mean that the policy does not match what is out in the field and is bound to give me grief at some time so an official way to do this would be appreciated.

(imported comment written by josh.hogle91)

I realize this is a really old question but someone pointed it out to me and I have an answer for you…

Exception format:

[Policy_1_Exception_1]
Description = Allow outbound DNS queries to 10.0.0.0/8 network
Direction = 2
Action = 2
Protocol = 3
IPAddressChoice = 4
IPAddress1 = 10.0.0.0
IPAddress2 = 255.0.0.0
PortChoice = 3
Ports = 53

Direction: 1=inbound, 2=outbound, 3=both

Action: 1=deny, 2=allow, 3=log only

Protocol: 0=all, 1=tcp/udp, 2=tcp, 3=udp, 4=icmp

IPAddressChoice: 1=all IPs, 2=Single IP (ignore IPAddress2), 3=IP range (IPAddress1 to IPAddress2), 4=Subnet Mask (IPAddress1 is IP and IPAddress2 is Netmask)

PortChoice: 1=all ports, 2=port range (eg: 8080,9090 means 8080-9090), 3=port list (eg: 80,443,8080)

The settings for the Profile section are:

IPChoice: 0=disable IP condition, 1=IP range, 2=IP subnet, 3=Single IP

The settings for the Policy section are:

SecurityLevel: 1=high, 2=medium, 3=low

EnablePFW: 0=disable, 1=enable

EnableIDS: 0=disable, 1=enable

EnableAlertMsg: 0=disable, 1=enable

Hope this helps!

(imported comment written by josh.hogle91)

I guess this silly thing formatted incorrectly… The policy exception format should be surrounded by square brackets:

[Policy_x_Exception_y]

Where x is the policy number and y is an exception number starting from 1 and incrementing with each exception. You can define up to 100.
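Since the original poster worried about hand-edited action scripts drifting from what is deployed, here is an added example (my own code, not BigFix or Trend Micro code) that renders a [Policy_x_Exception_y] section with the key names and enum values from the comments above, and parses such sections back while checking that IPAddress1/IPAddress2 and Ports are consistent with the chosen IPAddressChoice and PortChoice. It assumes the sections are plain INI-style "key = value" text as shown in the thread; the helper names are my own.

```python
# Added example, not vendor code: the key names and numeric codes follow the thread; validate/exception_block/parse_exceptions are my own helpers.
import configparser
import ipaddress
from enum import IntEnum

class Direction(IntEnum): INBOUND = 1; OUTBOUND = 2; BOTH = 3
class Action(IntEnum): DENY = 1; ALLOW = 2; LOG_ONLY = 3
class Protocol(IntEnum): ALL = 0; TCP_UDP = 1; TCP = 2; UDP = 3; ICMP = 4
class IPAddressChoice(IntEnum): ALL = 1; SINGLE = 2; RANGE = 3; SUBNET = 4
class PortChoice(IntEnum): ALL = 1; RANGE = 2; LIST = 3

def validate(f):
    """Check the address and port parameters (all strings) against their *Choice codes."""
    choice, ip1, ip2 = int(f["IPAddressChoice"]), f["IPAddress1"], f["IPAddress2"]
    if choice == IPAddressChoice.SINGLE:
        ipaddress.ip_address(ip1)                      # IPAddress2 is ignored for code 2
    elif choice == IPAddressChoice.RANGE and ipaddress.ip_address(ip1) > ipaddress.ip_address(ip2):
        raise ValueError("IP range start is above its end")
    elif choice == IPAddressChoice.SUBNET:
        ipaddress.ip_network(f"{ip1}/{ip2}", strict=True)  # rejects host bits set, e.g. 10.1.2.3/255.0.0.0
    ports = [int(p) for p in f["Ports"].split(",") if p]
    pchoice = int(f["PortChoice"])
    if any(not 0 < p < 65536 for p in ports):
        raise ValueError("port out of range")
    if pchoice == PortChoice.RANGE and (len(ports) != 2 or ports[0] > ports[1]):
        raise ValueError("port range needs 'low,high'")
    if pchoice == PortChoice.LIST and not ports:
        raise ValueError("port list is empty")
    return f

def exception_block(policy, index, description, direction, action, protocol,
                    ip_choice, ip1="", ip2="", port_choice=PortChoice.ALL, ports=""):
    """Render one validated [Policy_x_Exception_y] section in the thread's format."""
    f = {"Description": description, "Direction": int(direction), "Action": int(action),
         "Protocol": int(protocol), "IPAddressChoice": int(ip_choice), "IPAddress1": ip1,
         "IPAddress2": ip2, "PortChoice": int(port_choice), "Ports": ports}
    validate({k: str(v) for k, v in f.items()})
    return "\n".join([f"[Policy_{policy}_Exception_{index}]"] + [f"{k} = {v}" for k, v in f.items()]) + "\n"

def parse_exceptions(text):
    """Parse exception sections from INI-style text and re-validate each one."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                               # keep key case (IPAddressChoice, not ipaddresschoice)
    cp.read_string(text)
    return {name: validate(dict(cp[name])) for name in cp.sections()}
```

Running parse_exceptions over the exception sections of a deployed policy is one way to spot a hand-edited entry whose parameters do not match its IPAddressChoice or PortChoice.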