Firewall policy for endpoint security in Intune

Use the endpoint security Firewall policy in Intune to configure a device's built-in firewall for devices that run macOS and Windows 10.

While you can configure the same firewall settings by using Endpoint Protection profiles for device configuration, the device configuration profiles include additional categories of settings. These additional settings are unrelated to firewalls and can complicate the task of configuring only firewall settings for your environment.

Find the endpoint security policies for firewalls under Manage in the Endpoint security node of the Microsoft Endpoint Manager admin center.

View settings for Firewall profiles.

Prerequisites for Firewall profiles

  • Windows 10 or later
  • Any supported version of macOS

Firewall profiles

macOS profiles:

  • macOS firewall – Enable and configure settings for the built-in firewall on macOS.

Windows 10 profiles:

  • Microsoft Defender Firewall – Configure settings for Windows Defender Firewall with Advanced Security. Windows Defender Firewall provides host-based, two-way network traffic filtering for a device and can block unauthorized network traffic flowing into or out of the local device.

  • Microsoft Defender Firewall rules (Preview) – Define granular firewall rules, including specific ports, protocols, applications and networks, that allow or block network traffic. Each instance of this profile supports up to 150 custom rules.

Firewall rule merges and policy conflicts

Plan for Firewall policies to be applied to a device using only one policy. Using a single policy instance and policy type helps avoid having two separate policies apply different configurations to the same setting, which creates a conflict. When a conflict exists between two policy instances or policy types that manage the same setting with different values, the setting isn't sent to the device.

  • That form of policy conflict applies to the Microsoft Defender Firewall profile, which can conflict with other Microsoft Defender Firewall profiles, or with a firewall configuration that's delivered by a different policy type, such as device configuration.

    Microsoft Defender Firewall profiles don't conflict with Microsoft Defender Firewall rules profiles.

When you use Microsoft Defender Firewall rules profiles, you can apply multiple rules profiles to the same device. However, when different profiles carry rules for the same program, port or protocol with different configurations, both rules are sent to the device and create a conflict on that device.

  • For example, if one rule blocks Teams.exe through the firewall and a second rule allows Teams.exe, both rules are delivered to the client. This result is different from the conflicts created through other policies for Firewall settings, where the conflicting setting is withheld. On the device, Windows Defender Firewall evaluates block rules before allow rules, so in this example the block rule is the one that takes effect.

When rules from multiple rules profiles don't conflict with each other, devices merge the rules from each profile to create a combined firewall rule configuration on the device. This behavior enables you to deploy more than the 150 rules that each individual profile supports to a device.

  • For example, you have two Microsoft Defender Firewall rules profiles. The first profile allows Teams.exe through the firewall. The second profile allows Outlook.exe through the firewall. When a device receives both profiles, the device is configured to allow both apps through the firewall.
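Because conflicting rules from different rules profiles are both delivered rather than withheld, the place to catch the Teams.exe allow-versus-block situation described above is on the device itself. The following PowerShell is an added example, not part of the Intune documentation or any Microsoft tooling: it reads the effective (merged) rule set with the NetSecurity cmdlets, groups enabled rules by program path and direction, and reports any executable that has both an Allow and a Block rule. The function name and its parameter are this example's own; it assumes it runs in an elevated session on the managed Windows 10 device.

```powershell
# Added example (not from the Intune docs): find executables that have both an
# enabled Allow rule and an enabled Block rule in the effective firewall policy,
# i.e. the "one profile allows Teams.exe, another blocks it" case described above.
# Windows Defender Firewall evaluates Block rules before Allow rules, so when both
# are present the Block rule wins, whichever Intune profile delivered it.

function Get-FirewallProgramConflict {
    [CmdletBinding()]
    param(
        # Optional substring to narrow the search, e.g. 'Teams.exe' (hypothetical parameter)
        [string]$ProgramFilter = ''
    )

    # ActiveStore is the merged, effective rule set: local, GPO and MDM-delivered rules.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -ErrorAction Stop

    $byProgram = @{}
    foreach ($rule in $rules) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        # Skip rules that are not scoped to a specific executable ('Any' or empty).
        if (-not $program -or $program -eq 'Any') { continue }
        if ($ProgramFilter -and $program -notlike "*$ProgramFilter*") { continue }

        $key = $program.ToLowerInvariant()
        if (-not $byProgram.ContainsKey($key)) { $byProgram[$key] = @() }
        $byProgram[$key] += [pscustomobject]@{
            Name      = $rule.DisplayName
            Direction = $rule.Direction          # Inbound / Outbound
            Action    = $rule.Action             # Allow / Block
            Profile   = $rule.Profile            # Domain / Private / Public / Any
            Source    = $rule.PolicyStoreSource  # where the rule came from
        }
    }

    foreach ($key in $byProgram.Keys) {
        # An inbound Block and an outbound Allow for the same program don't conflict,
        # so compare actions per direction only.
        foreach ($dirGroup in ($byProgram[$key] | Group-Object Direction)) {
            $actions = $dirGroup.Group.Action | Sort-Object -Unique
            if ($actions -contains 'Allow' -and $actions -contains 'Block') {
                [pscustomobject]@{
                    Program   = $key
                    Direction = $dirGroup.Name
                    Effective = 'Block'   # Block rules take precedence over Allow rules
                    Rules     = $dirGroup.Group
                }
            }
        }
    }
}

# Usage: every executable with conflicting Allow/Block rules, then just Teams.
Get-FirewallProgramConflict | Format-List
Get-FirewallProgramConflict -ProgramFilter 'Teams.exe' | Format-List
```

The check is deliberately conservative: it groups by direction but not by network profile, so a Block rule scoped to Public and an Allow rule scoped to Private are reported together even though they never apply at the same time. Extend the grouping key with the Profile property if that produces too much noise. Rule sources, when MDM delivery is surfaced in the PolicyStoreSource value, tell you which Intune rules profile to go back and fix; the conflict is resolved in Intune, not by editing the local rule.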

Next steps

Configure Endpoint security policies