Skip to content

firewall_policy

This resource allows management of CrowdStrike Firewall policies. A firewall policy defines the firewall settings and rule groups that apply to hosts in assigned host groups.

The following API scopes are required:

  • Firewall management: READ
  • Firewall management: WRITE
terraform {
required_providers {
crowdstrike = {
source = "registry.terraform.io/crowdstrike/crowdstrike"
}
}
}
provider "crowdstrike" {}
# Basic firewall policy for Windows
resource "crowdstrike_firewall_policy" "windows_basic" {
name = "Windows Firewall Policy"
description = "Basic firewall policy for Windows endpoints"
platform_name = "Windows"
enabled = true
# Policy settings
default_inbound = "DENY"
default_outbound = "ALLOW"
enforce = false
monitor_mode = false
local_logging = false
}
# Firewall policy with rule groups attached
resource "crowdstrike_firewall_policy" "windows_with_rules" {
name = "Windows Web Server Policy"
description = "Firewall policy for Windows web servers with rule groups"
platform_name = "Windows"
enabled = true
rule_group_ids = [
crowdstrike_firewall_rule_group.web_servers.id,
]
}
# Firewall policy with host groups attached
resource "crowdstrike_firewall_policy" "linux_servers" {
name = "Linux Server Policy"
description = "Firewall policy for Linux servers"
platform_name = "Linux"
enabled = true
host_groups = [
"abc123def456", # Replace with actual host group ID
]
rule_group_ids = [
crowdstrike_firewall_rule_group.linux_rules.id,
]
}
# Mac firewall policy
resource "crowdstrike_firewall_policy" "mac_endpoints" {
name = "Mac Endpoint Policy"
description = "Firewall policy for Mac endpoints"
platform_name = "Mac"
enabled = false # Disabled by default
}
# Example rule group to attach to policy
resource "crowdstrike_firewall_rule_group" "web_servers" {
name = "Web Server Rules"
description = "Rules for web server traffic"
platform = "Windows"
enabled = true
rules = [
{
name = "Allow HTTPS"
description = "Allow inbound HTTPS traffic"
enabled = true
action = "ALLOW"
direction = "IN"
protocol = "TCP"
local_port = [{ start = 443, end = 0 }]
}
]
}
resource "crowdstrike_firewall_rule_group" "linux_rules" {
name = "Linux Server Rules"
description = "Rules for Linux servers"
platform = "Linux"
enabled = true
rules = [
{
name = "Allow SSH"
description = "Allow inbound SSH traffic"
enabled = true
action = "ALLOW"
direction = "IN"
protocol = "TCP"
local_port = [{ start = 22, end = 0 }]
}
]
}
output "windows_policy_id" {
value = crowdstrike_firewall_policy.windows_basic.id
}
output "linux_policy_id" {
value = crowdstrike_firewall_policy.linux_servers.id
}
  • name (String) Name of the firewall policy.
  • platform_name (String) Platform for the firewall policy. One of: Windows, Mac, Linux. Changing this value will require replacing the resource.
  • default_inbound (String) Default action for inbound traffic. One of: ALLOW (shown as “Allow all” in the console), DENY (“Block all”). Defaults to DENY.
  • default_outbound (String) Default action for outbound traffic. One of: ALLOW (shown as “Allow all” in the console), DENY (“Block all”). Defaults to ALLOW.
  • description (String) Description of the firewall policy.
  • enabled (Boolean) Enable the firewall policy.
  • enforce (Boolean) Enforce this policy’s rules and override the firewall settings on each assigned host. Disables native firewall rules. When false, the policy’s rules are not applied.
  • host_groups (Set of String) Host group IDs to attach to the policy.
  • local_logging (Boolean) Save a record of all firewall rule events on the host’s local drive to allow for easier troubleshooting.
  • monitor_mode (Boolean) Enable monitor mode (labeled “Monitor mode” in the Falcon console). Overrides all block rules in the policy and turns on monitoring, allowing all traffic while showing block events as “would be blocked.” Requires enforce to be true.
  • rule_group_ids (List of String) Firewall rule group IDs to attach to the policy. Order determines precedence (first has highest priority).
  • id (String) Identifier for the firewall policy.

Import is supported using the following syntax:

Terminal window
# Firewall policies can be imported by specifying the policy ID.
# The policy ID can be found in the CrowdStrike console or via the API.
terraform import crowdstrike_firewall_policy.example abc123def456789