> ## Documentation Index > Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt > Use this file to discover all available pages before exploring further. # Package Firewall policy > Configure how the Package Firewall responds to flagged packages, including block and warn actions, exceptions, restricted licenses, and minimum package age. The Package Firewall proxies package installations between your private registry and the public package indexes, evaluating each request in real time before download. Use a Package Firewall policy to control which installations are blocked or allowed. For packages that fail the policy, you can either block the download or allow it and record a warning in Package Firewall logs. Configure the Package Firewall policy to either block a package installation, or allow it and record a warning in Package Firewall logs. * **Block**: Prevents the package installation and returns an error. Select this action when you want to ensure the package never reaches your environment. * **Warn**: Allows the package installation and logs it as a warning event. Select this action when you want visibility without risking build interruptions. Endor Labs blocks or warns package installations based on the conditions you configure in the policy. * **Exceptions**: Specify packages to exclude from enforcement. When a package matches an exception, Package Firewall skips all checks and allows the installation. Exceptions override other conditions such as restricted licenses and minimum package age, making them useful for approved packages that must remain available for critical builds and package installation workflows. You can define exceptions for a single version, multiple versions, or a version range. For version ranges, the lower bound is inclusive and the upper bound is exclusive. If you do not configure version limits, the exception applies to every version of that package for the selected ecosystem. Exceptions apply only to the packages explicitly listed and do not cover transitive dependencies. If a transitive dependency is flagged, it is blocked even if the parent package has an exception. Add that package as a separate exception to allow its installation. * **Restricted licenses**: You can define a list of SPDX licenses that your organization considers restricted. If a package version matches one of these licenses, Endor Labs applies the configured policy action, helping enforce legal and open-source compliance at install time. * **Minimum package age**: Set a minimum number of hours that must pass after a version is published before it is considered safe. If a version is newer than this threshold, Endor Labs applies the configured policy action, mitigating risk from newly released packages. Endor Labs records every package installation request together with the action taken. See [Package Firewall logs](/integrations/package-firewall/#view-package-firewall-logs) to learn more. **License requirement** Ensure that you have the **Package Firewall** license to configure the policy. See [Licenses](/introduction/licenses) for more information. ## Configure the policy You can configure the Package Firewall policy to block or warn installations based on malware detection, exceptions, restricted licenses, and minimum package age conditions. The Package Firewall evaluates each package against the policy in the following order: **Exceptions → Malware → Restricted License → Minimum Package Age**. If a package is listed as an exception, all remaining checks are skipped. If a check matches and the action is **Warn**, the event is logged and the evaluation continues. If the action is **Block**, the installation is blocked and the remaining checks do not run. Before configuring the policy, set up a Package Firewall integration in your namespace. See [Package Firewall](/integrations/package-firewall/) for setup instructions. 1. Select **User menu** > **Policies & Rules** from the left sidebar. 2. Select **Package Firewall Policies**. 3. Under **Malware**, choose **Block** or **Warn** if malware is detected in the package. 4. Under **Restricted licenses**, search for and add the licenses you want to restrict. You can search by the SPDX name or identifier of the license. Choose **Block** or **Warn** when a package version declares one of the specified licenses. 5. Under **Minimum package age**, enter the minimum number of hours that must have passed since a package version was published before it can be installed. Choose **Block** or **Warn** when a version is newer than the specified threshold. 6. Click **Add Exceptions** to add packages that bypass the Package Firewall entirely, skipping all malware, license, and minimum-age checks for those installations. 7. Select the **Package manager**. 8. Enter the exact package name. 9. Optionally, toggle on **Specific versions** for the package, else all versions of the package bypass the Package Firewall and are installed without checks. * Select **Exact version** and enter the version to exclude from the Package Firewall. * Select **Version range** and enter the lower and upper bounds to exclude from the Package Firewall. The lower bound is inclusive, and the upper bound is exclusive. For example, a range of `1.1.3` to `3.0.0` matches version `1.1.3`, but not `3.0.0`. Select the plus icon to add more exceptions. 10. Click **Save** to save the exceptions. To update an exception, click the vertical three dots and select **Edit**. You can update the versions, package name, and package manager. To delete an exception, click the vertical three dots and select **Delete**. 11. Click **Save** to save the policy.