Enterprise admins can control which websites and network destinations Computer's sandbox can access during task execution.
The Network Firewall Policy settings allow admins to restrict outbound network traffic from Computer sandboxes using allow and deny rules.
This is especially useful for organizations that need to prevent Computer from accessing or taking action on specific websites — for example, posting content on social media platforms like X, Reddit, or LinkedIn.
How to Configure Network Firewall Policy
Navigate to Organization Settings in the admin panel.
Select the Computer Configuration tab.
Locate the Network Firewall Policy section.
Settings Overview
Enable Network Firewall Policy
This is the master toggle for the entire firewall. When enabled, sandbox network access is restricted based on the rules you configure. When disabled, Computer sandboxes have unrestricted outbound internet access.
Allow General Internet Access
This toggle controls whether Computer sandboxes can make any outbound internet requests. This setting is all or nothing:
Enabled — Computer sandboxes can reach the internet freely (subject to any Allowed Domains or Denied CIDRs rules you configure).
Disabled — All outbound traffic from Computer sandboxes is blocked entirely.
Allowed Domains
A targeted allowlist of specific domains that Computer sandboxes can access. This field supports wildcard entries (e.g., *.pypi.org). Use this when you want to permit access to only the sites Computer needs for your workflows — particularly useful when Allow general internet access is disabled, so that only explicitly approved domains are reachable.
Denied CIDRs
A targeted denylist of IP/CIDR ranges that are explicitly blocked from outbound access. For example, entering 0.0.0.0/0 denies all outbound traffic by default. Use this to block specific IP ranges while keeping broader internet access enabled.
How the Rules Work Together
The firewall provides layered control rather than a single all-or-nothing switch. The Allow general internet access toggle sets the baseline, while the Allowed Domains and Denied CIDRs lists provide targeted, granular overrides.
Configuration | Behavior |
General access ON, no allow/deny rules | Computer can access any website freely. |
General access OFF, no allow/deny rules | All outbound traffic is blocked. Most restrictive setting. |
General access ON + Denied CIDRs | Computer can access the internet broadly, but specific IP ranges you define are blocked. |
General access OFF + Allowed Domains | Only the specific domains you whitelist are reachable; everything else is blocked. Ideal for tightly controlled environments. |
Example: Blocking Social Media Posting
If your organization wants to prevent Computer from posting on social media platforms, you have two options:
Option A — Block specific platforms (broader access preserved):
Enable the Network firewall policy toggle.
Keep Allow general internet access enabled.
Add the CIDR ranges associated with the platforms you want to block to the Denied CIDRs list.
Option B — Allow only approved sites (strictest approach):
Enable the Network firewall policy toggle.
Disable Allow general internet access.
Add only your organization's approved domains to the Allowed Domains list (e.g.,
.yourcompany.com,.googleapis.com).
Option B ensures Computer can only reach explicitly approved destinations, making it impossible to interact with any unapproved site.
How This Differs from Comet Browser Configuration
Comet's enterprise configuration offers distinct controls such as read-only, browser control, and fully blocked modes that govern the Comet browser experience on managed devices. You can learn more about Comet for Enterprise in this article.
Computer’s network firewall policy operates at the sandbox network layer: it controls what Computer’s cloud-based sandbox can reach over the network, rather than a user’s local browsing experience. These are complementary but separate controls.
| Computer Firewall Policy | Comet Browser Configuration |
Scope | Cloud sandbox network traffic | Local browser on managed devices |
Granularity | Allow/deny domains and CIDRs; all-or-nothing internet toggle | Read-only, browser control, fully blocked modes |
Purpose | Restrict what Computer agent can access during task execution | Restrict how users interact with web content locally |
Important Notes
All Computer tasks run in a secure, isolated cloud sandbox — firewall rules apply to this sandbox environment, not to the user's local machine or network.
Changes to the firewall policy apply to new Computer tasks. Tasks already in progress may not be immediately affected.
Admins retain additional controls including the ability to disable Computer entirely, manage connectors, and restrict Computer access to specific members from Organization Settings.