How to configure firewall exceptions for Google Chrome

Environment

• Knox Manage
• Android Enterprise
• Samsung device
• Google Chrome browser

Overview

When configuring the Firewall policy in Knox Manage, you may want to block or allow specific sites in a browser. For Google Chrome, additional configuration is needed, because the Google Chrome browser uses a DNS resolution method which overrides the addDomainFilterRules method in the Knox firewall package.

To block or allow specific sites on Chrome, the DNS resolution method needs to be prohibited or else the Firewall policy won’t take effect for the browser.

How to configure the firewall policy for Chrome

First, block the DNS resolution method:

1. On the Knox Manage console, go to Profile.

2. Create a new profile or modify an existing profile.

3. Expand the Samsung Knox > Firewall policy drawer and set Firewall to Enable.

4. Add the following rule to the Prohibited Policy (IP) policy:

   • Package Name — com.android.chrome
   • IP Address (range) — *
   • Port (range) — 53
   • Port Range — All
   • Network Type — All

5. Click + to add the rule.

Then, to configure the Firewall policy to allow specific sites on Chrome, block every site on every browser and allow specific sites on one browser only:

1. For the Permitted policy (Domain) policy, as needed, add a rule for each domain you want to allow:

   • Set Package Name to com.android.chrome.
   • Enter a domain in Domain address (range). You can include all subdomains by formatting the entry as *.domain. For example, to allow the main Google domain and all its subdomains, enter *.google.com.
   • Click + to add the rule.

2. For the Prohibited policy (Domain) policy, block all other domains:

   • Set Package Name to com.android.chrome.
   • Set Domain address (range) to *.
   • Click + to add the rule.

3. Click Save & Assign to save your changes and assign the profile to your device group.