Restrict network access for Windows Airwall Agents and Servers users (Lockdown mode)

You can configure Windows Airwall Agents and Servers to run in Lockdown mode, which restricts access to network resources not explicitly allowed by Conductor trust policy.

  • This setting will be replaced when Windows Airwall Agents and Servers are updated and can use bypass settings.
  • Lockdown mode is a global setting that applies to all Windows Airwall Agents and Servers on the Conductor.

To set up Lockdown mode:

  1. Go to Settings > Global Airwall agent settings.
  2. Select Edit Settings.
  3. On the Advanced page, scroll to Lockdown mode.
  4. Check Enable lockdown mode on compatible Airwall agents.
  5. Select Save.

If you want to allow some level of access outside of the secure network, you have a few options:

  • Allow users to override Lockdown mode on their device – Check Allow users to disable lockdown mode on Airwall agents. Users can then disable lockdown mode from their device. Select Save.
  • Provide Internet access – Under Lockdown mode egress gateway, select an Airwall Gateway that has been configured as a bypass (egress) gateway. Select Save. Any traffic that is not allowed by trust policy is then sent to the bypass gateway and can reach the Internet.
    • To set up a bypass gateway, you must configure an Airwall Gateway with an overlay port group that can route out to the Internet. In most cases, you must also set SNAT on that port group. For more details, see Configure an Airwall Gateway as a Bypass gateway.
  • Exempt specific resources from lockdown mode – This option lets you allow access to certain resources without trust policy:
    1. Next to IPs exempt from lockdown mode, select the + (plus).
    2. For each exemption, specify an IP address, a protocol and direction, and, optionally, a port.
    3. Select Save.
    Once set, local traffic matching the IP and protocol is allowed.
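
To review a planned exemption list before entering it, the following added example (not Airwall or Conductor code) models how a flow would be handled under the options above. The evaluation order (trust policy, then exemptions, then the egress gateway), the protocol and direction value names, the gateway name, and all sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass(frozen=True)
class Exemption:
    ip: str                      # single IP address, as entered for the exemption
    protocol: str                # "tcp" / "udp" (value names are assumptions)
    direction: str               # "inbound" / "outbound" (value names are assumptions)
    port: Optional[int] = None   # optional field; None matches every port

@dataclass(frozen=True)
class Flow:
    remote_ip: str
    protocol: str
    direction: str
    port: int
    in_trust_policy: bool = False   # True if Conductor trust policy allows it

def matches(ex: Exemption, flow: Flow) -> bool:
    """An exemption matches on IP, protocol and direction, and on port only if one was set."""
    return (ip_address(ex.ip) == ip_address(flow.remote_ip)
            and ex.protocol == flow.protocol
            and ex.direction == flow.direction
            and (ex.port is None or ex.port == flow.port))

def decide(flow: Flow, exemptions, egress_gateway: Optional[str] = None) -> str:
    """Assumed order: trust policy, then exemptions, then bypass gateway, else blocked."""
    if flow.in_trust_policy:
        return "overlay"
    if any(matches(ex, flow) for ex in exemptions):
        return "local-exempt"
    if egress_gateway:
        return f"bypass:{egress_gateway}"
    return "blocked"

def portless(exemptions):
    """Exemptions without a port open every port on that IP for the protocol: review these first."""
    return [ex for ex in exemptions if ex.port is None]

# Constructed sample exemption list (documentation address ranges).
EXEMPTIONS = [
    Exemption("192.0.2.53", "udp", "outbound", 53),   # one service on one host
    Exemption("198.51.100.10", "tcp", "outbound"),    # no port: all TCP ports exempt
]

if __name__ == "__main__":
    for f in (Flow("192.0.2.53", "udp", "outbound", 53),
              Flow("198.51.100.10", "tcp", "outbound", 8443),
              Flow("203.0.113.7", "tcp", "outbound", 443)):
        print(f.remote_ip, f.port, "->", decide(f, EXEMPTIONS))
    print("review:", [ex.ip for ex in portless(EXEMPTIONS)])
```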