jim.roberts
Level 7

What's the best way to block all Internet traffic while allowing all Intranet traffic?

Title says it all.

Normally this would be handled via our main company firewall, but for a few machines, I need to do it client side.

The goal:

Block all internet traffic (incoming and outgoing) while allowing all intranet traffic. At the moment my plan is to create a new trusted network policy, whitelist all of our internal IP ranges, and then block everything else. The downside is, there is no way to import a list of IP ranges, which means I will be cutting/pasting a few hundred entries.

Can anyone think of a better way of doing this?

0 Kudos
1 Solution

Accepted Solutions
bookz
Level 9

Re: What's the best way to block all Internet traffic while allowing all Intranet traffic?

You could create an IP range or a number of IP ranges under the network options (new remote) in the HIPS Firewall rule builder, make the policy an allow just for those defined networks, and then whatever goes outside will fall to the default block rule. Trusted networks would be a difficult way to do this.

0 Kudos
5 Replies
rothman
Level 7

Re: What's the best way to block all Internet traffic while allowing all Intranet traffic?

AFAIK, there isn't an easier way about this... my company had to do the same thing to make sure all traffic was allowed to our 'trusted network' when machines were on our internal network.  I won't pretend to be that learned as a network engineer, but I would think that you could set up an explicit block for all ports to your Internet Gateway(s) on the HIPS firewall, maybe?

0 Kudos
jim.roberts
Level 7

Re: What's the best way to block all Internet traffic while allowing all Intranet traffic?

I ended up taking our quarantine "block almost everything" policy, added a whitelist of IP ranges, and put specific blocks on all of our proxy IPs. So far it seems to do what I want it to. Thanks everyone for your suggestions.

0 Kudos
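Added example (not part of the thread and not vendor code): a Python sketch that collapses a long list of internal IP ranges into the fewest CIDR entries to type into the rule builder, flags any non-private entry, and models the policy described above as proxy blocks, then intranet allows, then the default block. The sample ranges and proxy IPs are constructed, and first-match, top-down rule evaluation is an assumption to confirm against your HIPS version.

```python
import ipaddress

# Constructed sample data: internal start-end ranges and proxy IPs (assumptions).
INTERNAL_RANGES = [
    ("10.0.0.0", "10.0.255.255"),
    ("10.1.0.0", "10.1.255.255"),      # adjacent to the range above
    ("10.0.128.0", "10.0.200.255"),    # overlaps the first range
    ("172.16.0.0", "172.16.3.255"),
    ("192.168.10.0", "192.168.10.255"),
]
PROXY_IPS = ["10.0.5.10", "10.0.5.11"]  # proxies live inside the intranet space

def collapse_ranges(ranges):
    """Merge overlapping/adjacent start-end ranges into the fewest CIDR blocks."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return list(ipaddress.collapse_addresses(nets))

def non_private(networks):
    """Return whitelist entries outside private address space (likely mistakes)."""
    return [n for n in networks if not n.is_private]

def build_rules(allow_nets, proxy_ips):
    """Ordered rules: proxy blocks first, then the intranet allows."""
    rules = [("block", ipaddress.ip_network(ip)) for ip in proxy_ips]
    rules += [("allow", net) for net in allow_nets]
    return rules

def decide(rules, remote_ip):
    """First matching rule wins; unmatched traffic falls to the default block."""
    addr = ipaddress.ip_address(remote_ip)
    for action, net in rules:
        if addr in net:
            return action
    return "block"

if __name__ == "__main__":
    nets = collapse_ranges(INTERNAL_RANGES)
    rules = build_rules(nets, PROXY_IPS)
    print("entries to enter:", [str(n) for n in nets])
    print("non-private entries:", [str(n) for n in non_private(nets)])
    for ip in ("10.1.4.20", "10.0.5.10", "8.8.8.8"):
        print(ip, "->", decide(rules, ip))
```

If the proxy blocks are placed below the intranet allows, the proxy addresses match the allow rule first and Internet access through the proxy stays open, so check rule order after any policy edit.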
alhaawi
Level 9

Re: What's the best way to block all Internet traffic while allowing all Intranet traffic?

Have you tried trusted network? It should work.

0 Kudos
dcobes
Level 9

Re: What's the best way to block all Internet traffic while allowing all Intranet traffic?

Do you mind elaborating on your policy?

I'm attempting to perform the same function and I don't believe the policy is working like it should. I've pasted below an example of what I have set up. I have basic networking and VPN allow rules in place so a user can get DNS/NTP and connect to VPN. I then, in the Intranet group, have the criteria set to only allow Intranet/Internal IPs. Under that group I placed the same rules I have been using for standard use (hoping the criteria from the Intranet ONLY group applies to all the below rules/sub-groups). Any help or assistance with this is much appreciated.

Intranet_01.png

-d

0 Kudos