Firewall
Last updated September 2nd, 2025
Create a firewall configuration profile
You can set up firewall rules on your devices to determine how apps connect to specified IP and port ranges.
- Firewall configuration profiles — Enter a profile name. For example, Firewall_config1.
- Allow rules — Add a new configuration to allow network traffic.
  - Hostname (IP or IP range) — Enter an IP or a range of IP addresses to allow incoming or outgoing data packets. For example, enter 100.0.0.10, 100.0.0.0-100.0.0.10, or use a wildcard * for all IP addresses.
  - Port or Port range — Enter a port number or range of port numbers that are allowed. For example, enter 8080, 8080-8085, or use a wildcard * for all ports.
  - Port location — Specify whether the ports are Remote or Local. Local ports are ports on the device, while Remote ports are those on a remote server. For example, to allow connections to an FTP server at port 21, specify an allow rule with a Remote port location.
  - Network interface — Specify the type of connection for which the firewall rule is applicable.
  - Application — Specify a list of app package names to apply this allow rule. Leave the field empty to apply the rule to all connections on the device.
- Deny rules — Add a new configuration for blocking network traffic.
  - Hostname (IP or IP range) — Enter an IP or a range of IP addresses to block incoming or outgoing data packets. For example, enter 100.0.0.10, 100.0.0.0-100.0.0.10, or use a wildcard * for all IP addresses.
  - Port or Port range — Enter a port number or range of port numbers that are blocked. For example, enter 8080, 8080-8085, or use a wildcard * for all ports.
  - Port location — Specify whether the ports are Remote or Local. Local ports are ports on the device, while Remote ports are those on the server end point. For example, to block port 21 on the device from receiving connections, specify an allow rule with a Local port location.
  - Network interface — Specify the type of connection for which the firewall rule is applicable.
  - Application — Specify a list of app package names to apply this deny rule. Leave the field empty to apply the rule to all connections on the device.
    To ensure devices are not locked out of your network, give the following app packages explicit allow rules:
    - UEM app package — Contact your UEM for details.
    - KSP app package — com.samsung.android.knox.kpu
    - Google services — com.android.vending, com.google.android.gms
- Redirect rules — Add a new configuration for redirecting network traffic.
  - Intended hostname (IP or IP range) — Enter an IP address or a range of IP addresses to automatically redirect data. Use a wildcard * to apply the rule to all IP addresses.
  - Intended port or port range — Enter a target port number or a range of port numbers to automatically redirect data.
  - Destination host IP — Enter the IP address of the target host to which all data packets are automatically redirected.
  - Destination port — Enter the port number of the target host to which all data packets are automatically redirected.
  - Network interface — Specify the type of connection for which the redirect rule is applicable.
  - Application — Specify a list of app package names to apply this redirect rule. Leave the field empty to apply the rule to all connections on the device.
- Redirect exception — Add a new configuration to exempt network traffic from being redirected.
  - Hostname (IP or IP range) — Enter an IP address or a range of IP addresses which won’t be redirected.
  - Port or Port range — Enter a port number or range of port numbers which won’t be redirected.
- Domain filter — Add a new configuration to allow or deny connections to certain domains.
  - Blocked Domains — Specify the domains to which access requests are denied. Domains can be entered as a comma-separated list of URLs. Partial URLs with a wildcard * at the beginning and/or end of the URL are also accepted.
  - Allowed Domains — Specify the domains to which access requests are allowed. Domains can be entered as a comma-separated list of URLs. Partial URLs with a wildcard * at the beginning and/or end of the URL are also accepted.
  - Scope of Domain Filter — Define whether the firewall blocks or allows connection requests from all applications or only specific applications.
  - List of Applications to Apply Domain Filter To — If the scope of the domain filter is set to specific apps only, enter a comma-separated list of app package names to apply the domain filter.
- Prioritize Domain filters over allow and deny rules — Enable this setting to make domain filters take precedence over other firewall rules. Note that this would allow data packets if there is a specific allowlist rule for that domain in the Domain Filter. Data packets to non-allowlisted domains may still be blocked if there is a firewall deny rule for it.
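
A pre-deployment check for the lockout condition described under Deny rules, as an added example that is not part of the original page or of Samsung's tooling. The dictionary layout, the function names and the UEM package name com.example.uem.agent are hypothetical, and hosts are assumed to be IPv4 as in the page's examples.

```python
import ipaddress

# Packages the page says need explicit allow rules; the UEM package is passed in by the caller.
REQUIRED = ["com.samsung.android.knox.kpu", "com.android.vending", "com.google.android.gms"]

def parse_hosts(value):
    """Return (first, last) for '*', a single IPv4 address, or 'a-b'."""
    if value.strip() == "*":
        return ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")
    first, _, last = value.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if lo > hi:
        raise ValueError(f"reversed IP range: {value}")
    return lo, hi

def parse_ports(value):
    """Return (first, last) for '*', a single port, or 'a-b' (1-65535 assumed valid)."""
    if value.strip() == "*":
        return 1, 65535
    first, _, last = value.partition("-")
    lo = int(first)
    hi = int(last) if last else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {value}")
    return lo, hi

def lockout_findings(profile, uem_package):
    """Validate every rule, then list required packages lacking an explicit allow rule."""
    for rule in profile["allow"] + profile["deny"]:
        parse_hosts(rule["host"]), parse_ports(rule["port"])  # raises ValueError if malformed
    allowed = {app for r in profile["allow"] for app in r["apps"]}
    # An empty app list means the rule applies to all connections on the device.
    device_wide_deny = any(not r["apps"] for r in profile["deny"])
    findings = []
    for pkg in [uem_package, *REQUIRED]:
        if any(pkg in r["apps"] for r in profile["deny"]):
            findings.append((pkg, "named in a deny rule"))
        elif pkg not in allowed:
            reason = "device-wide deny, no explicit allow" if device_wide_deny else "no explicit allow"
            findings.append((pkg, reason))
    return findings

# Constructed sample profile (hypothetical schema, not the KSP managed-configuration format).
SAMPLE = {
    "allow": [{"host": "*", "port": "*", "apps": ["com.example.uem.agent", "com.samsung.android.knox.kpu"]},
              {"host": "100.0.0.0-100.0.0.10", "port": "8080-8085", "apps": []}],
    "deny": [{"host": "*", "port": "*", "apps": []}],
}
```

Run against SAMPLE, the check reports the two Google services packages: the allow rule with an empty Application field does not count as an explicit allow for them.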
Apply a firewall configuration profile
After you’ve created a firewall configuration profile, you can apply it to your devices. To do this:
- Under Firewall and Proxy policy, set Enable firewall controls to True.
- Enter the Name of firewall configuration to use.
- On your UEM, save and assign this Knox Service Plugin managed configuration to your devices.