Does the Network Threat Protection firewall have an equivalent to the LocalSubnet alias you can use when configuring Windows Firewall? I'd like to restrict NetBIOS file/printer sharing to the local subnet and possibly additional trusted subnets, but I don't want to have to set up separate policies for each of my dozens of subnets.
Additionally, the documentation seems ambiguous on the "Enable NetBIOS protection" check box. On the Traffic and Stealth Settings page, the description is: "Prevents a client computer from receiving NetBIOS packets that originate from computers located on a different subnet."
In the Client Guide pdf, the description is:
Blocks the NetBIOS traffic from an external gateway.
You can use Network Neighborhood file and printer sharing on a LAN and protect a computer
from NetBIOS exploits from any external network. This option blocks the NetBIOS packets
that originate from the IP addresses that are not part of the defined ICANN internal ranges.
ICANN internal ranges include 10.x.x.x, 172.16.x.x, 192.168.x.x, and 169.254.x.x, with the
exception of the 169.254.0.x and 169.254.255.x subnets. NetBIOS packets include UDP 88,
UDP 137, UDP 138, TCP 135, TCP 139, TCP 445, and TCP 1026.
Does it block other subnets or "Public" subnets? If the former, how can I allow additional ones?
I've tried configuring rules on those ports to allow incoming from subnets 0.0.0.0/255.255.255.0 and/or 0.0.0.0/0.0.0.255, but I can't make it work.
Any guidance would be greatly appreciated.