Firewall Settings

The Firewall settings enforce firewall rules that block unauthorized access to the network.

Note: The Firewall Settings policy is supported only on SAFE 2.0+ devices.

The following table describes the firewall rules that you can configure for an Android device:
Policy setting | Description | Supported devices

Configure firewall block rules
Firewall rules that block traffic on a device to and from a specific network location.

You can block traffic for the entire device or for specific apps on the device.

Options are:
  • Hostname: The IP address, IP range (for example, 100.0.0.0-100.0.0.10), or domain name that is blocked from sending traffic to and receiving traffic from the device. Use * to block all IP addresses.

    Note: The domain name is not supported on SAFE 5.5+ devices. Values such as 100.0.0.* are not supported. Use the IP range instead.

  • Port: The port number or range of blocked ports (for example, 8080-8085). Use * to block all ports.

    Note: Values such as 80* are not supported. Use the port range instead.

  • Port location: The port options that are defined in the block rules:
    • local port
    • remote port
    • all ports

    For example, to block port 21 (FTP) on the device from receiving connections, you must block Local Port 21. Local ports are ports on the device.

  • Package name: The app name that contains the internet permissions.
  • Network interface: The network mode that is defined in the block rules:
    • Wi-Fi
    • Mobile Data
    • both
Supported devices: SAFE 2.0 to SAFE 5.4 or SAFE 5.6+

Configure exceptions to block rules
Use this setting if the Configure firewall block rules setting is enabled.
  • This firewall rule allows a specific network location to send traffic to the device.
  • This firewall rule also prevents the device from receiving traffic from the network location that is defined in the firewall block exception rules.
  • This firewall rule takes precedence over the block rules.

Note: This firewall rule does not support exceptions for specific apps.

Supported devices: SAFE 2.0 to SAFE 5.5

Configure domain filtering rules
This firewall rule blocks a specific domain from sending traffic to the device. This firewall rule also prevents the device from receiving traffic from a domain that is defined in the domain filter rules.

You can block traffic for the entire device or for specific apps on the device.

Supported devices: SAFE 5.6+

Configure reroute rules
This firewall rule redirects traffic to another destination, such as a proxy server.

Options are:

  • Port for target: The port number or range of ports that reroute traffic (for example, 8080-8085). Use * to use all ports.

    Note: Values such as 80* are not supported. Use the port range instead.

  • Hostname of destination: The host name (IP address) of the reroute destination.
  • Port for destination: The port number of the reroute destination.
  • Package name: The app name that contains the internet permissions.
  • Network interface: The network mode that is defined in the reroute rules:
    • Wi-Fi
    • Mobile Data
    • both
Supported devices: SAFE 2.0 to SAFE 5.4 or SAFE 5.6+

Configure redirect exceptions
This firewall rule contains redirect exceptions. This firewall rule takes precedence over reroute rules.

Options are:
  • IP address: The IP address or IP range (for example, 100.0.0.0-100.0.0.10). Use * to include all IP addresses in the redirect exception.

    Note: Values such as 100.0.0.* are not supported. Use the IP range instead.

  • Port: The port number or range of ports that are used to redirect traffic (for example, 8080-8085). Use * to use all ports in the redirect exceptions.

    Note: Values such as 80* are not supported. Use the port range instead.

Supported devices: SAFE 3.0 to SAFE 5.4 or SAFE 5.6+

Configure global proxy
This firewall rule supports transparent HTTP proxy configuration to route all HTTP or HTTPS traffic to a specific IP address:port combination.

Options are:
  • Proxy server: The IP address of the proxy server.
  • Port of the proxy server: The port number of the proxy server.
Supported devices: SAFE 5.0 to SAFE 5.4 or SAFE 5.6+
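
The value rules in the notes above (`*` only on its own, ranges written with a hyphen, no domain name where only an IP address is accepted) can be checked before a policy is published. The following Python sketch is an added example, not part of the product or of this documentation; the function names, the rule dictionary, the IPv4-only handling and the 1-65535 port bound are assumptions.

```python
import ipaddress
import re

# Assumption: domain names use ordinary DNS label syntax; addresses are IPv4,
# as in the page's examples.
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)


def check_port(value):
    """Return None if the Port value is acceptable, otherwise the reason it is not."""
    value = value.strip()
    if value == "*":
        return None
    if "*" in value:
        return "partial wildcard (such as 80*) is not supported; use a port range"
    parts = value.split("-")
    if len(parts) > 2 or not all(re.fullmatch(r"[0-9]{1,5}", p) for p in parts):
        return "expected a port number, a range such as 8080-8085, or *"
    ports = [int(p) for p in parts]
    if not all(1 <= p <= 65535 for p in ports):
        return "port outside 1-65535"
    if ports[0] > ports[-1]:
        return "range start is greater than range end"
    return None


def check_host(value, allow_domain=True):
    """Return None if the Hostname / IP address value is acceptable, else the reason."""
    value = value.strip()
    if value == "*":
        return None
    if "*" in value:
        return "partial wildcard (such as 100.0.0.*) is not supported; use an IP range"
    try:
        addrs = [ipaddress.IPv4Address(p) for p in value.split("-")]
    except ValueError:
        addrs = None  # not an address or address range; may still be a domain name
    if addrs is not None:
        if len(addrs) > 2:
            return "an IP range has exactly two addresses"
        if addrs[0] > addrs[-1]:
            return "range start is greater than range end"
        return None
    if allow_domain and DOMAIN_RE.fullmatch(value):
        return None
    return "expected an IP address, an IP range, or *" + (
        ", or a domain name" if allow_domain else "")


def check_rule(rule, allow_domain=True):
    """Validate a constructed rule dict; returns {field: reason} for rejected fields."""
    found = {"hostname": check_host(rule["hostname"], allow_domain),
             "port": check_port(rule["port"])}
    return {field: reason for field, reason in found.items() if reason}
```

Pass `allow_domain=False` for redirect exceptions and for block rules aimed at devices where the domain name is not supported.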