Endpoint Protection firewall blocks network traffic for Windows Subsystem for Linux v2 and Windows Sandbox


Article ID: 221329


Products

Endpoint Protection Endpoint Security

Issue/Introduction

When using Windows Subsystem for Linux version 2 (WSL2) or the Windows Sandbox feature on Windows 10, network connections from the guest to external hosts fail. The Endpoint Protection (SEP) firewall traffic log shows a remote connection block for the WSL2 or Windows Sandbox IP address.

Cause

The SEP firewall uses multiple drivers to track running applications and network connections on Windows systems. Both WSL2 and Windows Sandbox use Hyper-V to create a NAT'd connection from the host NIC to the guest NIC through virtual switches, so from a networking perspective they are effectively Hyper-V virtual machines. The applications run inside the guest VM and cannot be tracked by the drivers running on the host operating system. To the SEP firewall on the host, the guest's traffic therefore appears as unsolicited IP traffic that belongs to no known application, and it is blocked.

For Example

On WSL2, if you attempt to check for updates with apt, the outbound traffic from the host NIC is blocked:

8/6/2021 11:10:39AM Blocked Outgoing TCP security.ubuntu.com [91.189.91.39] A0-36-9F-29-88-86 80 192.168.2.208 24-5E-BE-42-05-55 Block all other IP traffic and log 

Even if you allow all outbound traffic for the host IP address, the response from the repository going back to the WSL2 NIC is still blocked:

8/6/2021 3:55:35PM Blocked Incoming TCP 192.168.40.23 00-15-5D-AA-5A-65 51658 91.189.91.39 00-15-5D-83-DF-08 80 Block all other IP traffic and log 

In addition, WSL2 and Windows Sandbox generate new network addresses (IP and MAC) each time they are launched, so any firewall rule keyed to those addresses must be modified each time you use these features.

Resolution

To allow traffic to your WSL2 and Sandbox instances, create a firewall rule that allows both the host MAC address and the WSL2 / Windows Sandbox MAC address as a source. Place this rule above the "Block all other IP traffic" rule so it is evaluated first.

Note: Because the guest MAC address changes on every launch, this rule needs to be updated each time you start WSL2 or Windows Sandbox.
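To find the MAC addresses the rule above needs, it helps to triage the SEP traffic log for blocked entries that involve a Hyper-V virtual NIC. The following Python script is an added example, not part of this article or of the SEP product. It assumes the column order visible in the two log lines quoted under "For Example" (timestamp, action, direction, protocol, remote host, remote MAC, remote port, local host, local MAC, optional local port, rule name) and relies on the fact that Hyper-V synthetic NICs, including the vEthernet adapters WSL2 and Windows Sandbox use, carry the 00-15-5D OUI. The sample log is constructed from the article's two lines plus one unrelated blocked entry so the filter has something to reject.

```python
import re

# Constructed sample input: the two SEP traffic-log lines quoted in the article, plus one
# constructed, unrelated incoming block (gateway source MAC) that must NOT become a candidate.
SAMPLE_LOG = """\
8/6/2021 11:10:39AM Blocked Outgoing TCP security.ubuntu.com [91.189.91.39] A0-36-9F-29-88-86 80 192.168.2.208 24-5E-BE-42-05-55 Block all other IP traffic and log
8/6/2021 3:55:35PM Blocked Incoming TCP 192.168.40.23 00-15-5D-AA-5A-65 51658 91.189.91.39 00-15-5D-83-DF-08 80 Block all other IP traffic and log
8/6/2021 4:01:02PM Blocked Incoming UDP 203.0.113.7 A0-36-9F-29-88-86 53 192.168.2.208 24-5E-BE-42-05-55 1 Block all other IP traffic and log
"""

# 00-15-5D is the OUI Hyper-V assigns to synthetic NICs; WSL2 and Windows Sandbox
# vEthernet adapters are Hyper-V NICs, so their MACs start with it.
HYPERV_OUI = "00-15-5D"

MAC_RE = re.compile(r"\b(?:[0-9A-F]{2}-){5}[0-9A-F]{2}\b", re.IGNORECASE)
HEAD_RE = re.compile(r"^(\S+ \S+) (Blocked|Allowed) (Incoming|Outgoing) (\S+) ")


def parse_entry(line):
    """Parse one SEP traffic-log line into a dict, or return None if it does not fit.

    Assumed column order (taken from the article's sample lines): timestamp, action, direction,
    protocol, remote host (optionally followed by "[ip]"), remote MAC, remote port, local host,
    local MAC, optional local port, rule name. The two MAC addresses anchor the parse, so the
    variable number of host tokens does not break it.
    """
    head = HEAD_RE.match(line)
    macs = list(MAC_RE.finditer(line))
    if head is None or len(macs) != 2:
        return None
    timestamp, action, direction, protocol = head.groups()
    remote_mac, local_mac = (m.group(0).upper() for m in macs)
    remote_host = line[head.end():macs[0].start()].strip()
    middle = line[macs[0].end():macs[1].start()].split()   # remote port, local host
    tail = line[macs[1].end():].split()                    # optional local port, rule name
    local_port = tail.pop(0) if tail and tail[0].isdigit() else None
    return {
        "timestamp": timestamp,
        "action": action,
        "direction": direction,
        "protocol": protocol,
        "remote_host": remote_host,
        "remote_mac": remote_mac,
        "remote_port": middle[0] if middle else None,
        "local_host": middle[-1] if len(middle) > 1 else None,
        "local_mac": local_mac,
        "local_port": local_port,
        "rule": " ".join(tail),
    }


def parse_log(text):
    """Parse every recognisable line of a traffic-log export."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def is_hyperv_mac(mac):
    return mac.upper().startswith(HYPERV_OUI)


def packet_source_mac(entry):
    """The MAC that sent the blocked packet: the local adapter for Outgoing, the remote for Incoming."""
    return entry["local_mac"] if entry["direction"] == "Outgoing" else entry["remote_mac"]


def allow_rule_candidates(text):
    """Source MACs the allow rule would need, mapped to their role.

    A blocked outgoing packet identifies one of this host's own adapters (the host NIC, or a
    host-side vEthernet adapter if its MAC carries the Hyper-V OUI). A blocked incoming packet
    counts only when its source MAC carries the Hyper-V OUI, i.e. it came from the WSL2 /
    Sandbox guest; an incoming block from the gateway or an external host is not a candidate.
    """
    roles = {}
    for e in parse_log(text):
        if e["action"] != "Blocked":
            continue
        src = packet_source_mac(e)
        if e["direction"] == "Outgoing" or is_hyperv_mac(src):
            roles[src] = "Hyper-V virtual NIC" if is_hyperv_mac(src) else "host NIC"
    return roles


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f'{e["direction"]:8} {e["protocol"]:4} {e["remote_host"]:36} '
              f'{e["remote_mac"]} -> {e["local_mac"]}  [{e["rule"]}]')
    print("\nSource MACs to allow (place the rule above 'Block all other IP traffic'):")
    for mac, role in allow_rule_candidates(SAMPLE_LOG).items():
        print(f"  {mac}  {role}")
```

Run it against an export of the SEP traffic log after reproducing the failure; the two MACs it reports for the article's sample lines are the host NIC (24-5E-BE-42-05-55) and the WSL2 guest NIC (00-15-5D-AA-5A-65). Because the guest MAC changes on each launch, re-run it whenever the rule has to be refreshed.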

Alternatively, you can disable the firewall policy or uninstall the firewall feature from the product; this removes the protection for the host as well, not just for the guest traffic.

Additional Information

ESCRT-7049
