ASK option on Firewall>Advanced>NSP>Global Rules...

Hi, I need some light on a question: why, in Network Security Policy>Global Rules on the Firewall, can't I create ASK rules, and why can't I create IGMP rules? I've seen that COMODO can monitor this protocol, but I can't control it.


http://img206.imageshack.us/img206/3383/igmpwj5.th.jpg

Hi Ciaba - You can create Ask rules: click Firewall>Advanced>Network Security Policy>(locate and select the program that you want to create the rule for, or Add it by browsing)>Edit. On the Application Network Access Control dialog, either select the rule you want to modify and click Edit, or click Add. On the Network Control Rule dialog window there is a drop-down at the top with the choices “Allow”, “Block” and “Ask”. Set this to Ask to get a query for this program.
On this same dialog, if you select IP from the “Protocol” drop-down, you will see a new tab appear on the bottom section titled “IP Details”. The IGMP protocol is listed there.

Thanks for the info on IGMP, now I've seen it ;)... but the ASK question on the Global Rules tab is not resolved... I can't create ASK rules there.

Right you are! I had not noticed that. I guess that you have to use the “Log” option to get feedback and that would happen only when you look at your Events log.

OK, I've changed the thread title, now I'll wait.

You can't write a Global rule for Ask, but you can edit the rules for the processes that are the usual targets for incoming requests: svchost.exe, services and System Idle Process. Locate the entry for the above in Firewall>Advanced>Network Security Policy, and click Edit. On the “Block and Log” rule, either edit this rule to “Ask” and Log, or just Ask. You may want to add a Block rule after the Ask rule in case of accident. The System Idle Process may not be on your policy list, but it can be added (click Add, and from the dialog find and click Select and choose “Running Process”; SIP is at the top of the list). This process is the target of incoming connection attempts from hackers, ISPs, Microsoft and advertisers, so make sure to write tight rules for it. You may want to use the predefined “Blocked Application” rule and edit it to include an Ask rule.

Hi ciaba,

The Ask rules are not included in the creation of global rules because it is too risky. To explain better:

The global rules have absolute precedence in CFP3. If you create an Allow rule, it will be applied to all the programs, no matter what the specific rules in the applications are.
If you could make an Ask rule in the global rules, and then answered Allow or Deny at the popup, this rule would be implemented immediately until you restart the PC. It would have permitted or blocked access to that protocol, port, etc. for all the applications. In the worst hypothesis this could lead to a security risk or a lock-up of the connection.

It's neither a bug nor a mistake that Ask rules are not included in the global rules.

Panagiotis
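As an added illustration, not part of the thread and not Comodo's code, the following Python model implements the precedence Panagiotis describes: global rules are evaluated first and a match there ends evaluation, application rules are consulted only afterwards, and an answered Ask is remembered as a rule in the same list until restart. It is a model of the post's description, not of CFP3's real engine; the application names, ports and rule sets are constructed for the example. The first scenario shows the danger of a hypothetical global Ask (one Allow click for one program also overrides another program's explicit Block), and the second shows the workaround from the thread: an Ask placed in a single application's rules, whose remembered answer stays scoped to that application.

```python
"""Toy model of the global-before-application rule precedence described in
the post above. Constructed example: not Comodo's code; rule sets are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ALLOW, BLOCK, ASK = "allow", "block", "ask"


@dataclass(frozen=True)
class Rule:
    action: str            # ALLOW, BLOCK or ASK
    direction: str = "*"   # "in", "out" or "*" (any)
    protocol: str = "*"    # "tcp", "udp", "igmp" or "*"
    port: object = "*"     # int or "*"

    def matches(self, conn: "Conn") -> bool:
        # every field is either a wildcard or equal to the connection's value
        return all(want in ("*", got) for want, got in
                   ((self.direction, conn.direction),
                    (self.protocol, conn.protocol),
                    (self.port, conn.port)))


@dataclass(frozen=True)
class Conn:
    app: str        # process that is the target/source of the connection
    direction: str
    protocol: str
    port: int


class FirewallModel:
    """Global rules first; a global match is final. Application rules are only
    reached when no global rule matched. An answered ASK is remembered as a
    normal rule placed in the list where the ASK lived (same scope)."""

    def __init__(self, global_rules: List[Rule],
                 app_rules: Dict[str, List[Rule]],
                 prompt: Callable[[Conn], str]):
        self.global_rules = list(global_rules)
        self.app_rules = {app: list(rules) for app, rules in app_rules.items()}
        self.prompt = prompt  # stands in for the popup the user answers

    def _walk(self, rules: List[Rule], conn: Conn) -> Optional[str]:
        for i, rule in enumerate(rules):
            if not rule.matches(conn):
                continue
            if rule.action != ASK:
                return rule.action
            answer = self.prompt(conn)
            # remember the answer ahead of the ASK, with the ASK's own scope
            rules.insert(i, Rule(answer, rule.direction, rule.protocol, rule.port))
            return answer
        return None

    def decide(self, conn: Conn) -> str:
        verdict = self._walk(self.global_rules, conn)
        if verdict is None:
            verdict = self._walk(self.app_rules.setdefault(conn.app, []), conn)
        return verdict if verdict is not None else BLOCK  # default deny


def global_ask_scenario() -> List[str]:
    """Hypothetical global ASK rule (the real product refuses to create one).
    The user clicks Allow once for someapp.exe; the remembered global Allow
    then also admits traffic to svchost.exe that its own rules block."""
    fw = FirewallModel(
        global_rules=[Rule(ASK, "in", "tcp")],
        app_rules={"svchost.exe": [Rule(BLOCK, "in", "tcp")]},
        prompt=lambda conn: ALLOW,
    )
    first = fw.decide(Conn("someapp.exe", "in", "tcp", 3389))
    second = fw.decide(Conn("svchost.exe", "in", "tcp", 445))
    return [first, second]


def app_ask_scenario() -> List[str]:
    """The workaround from the thread: ASK lives in one application's rules,
    so the remembered Allow cannot leak into another application's policy."""
    fw = FirewallModel(
        global_rules=[],
        app_rules={"someapp.exe": [Rule(ASK, "in", "tcp")],
                   "svchost.exe": [Rule(BLOCK, "in", "tcp")]},
        prompt=lambda conn: ALLOW,
    )
    first = fw.decide(Conn("someapp.exe", "in", "tcp", 3389))
    second = fw.decide(Conn("svchost.exe", "in", "tcp", 445))
    return [first, second]


if __name__ == "__main__":
    print("global ASK answered Allow:", global_ask_scenario())  # ['allow', 'allow']
    print("per-app ASK answered Allow:", app_ask_scenario())    # ['allow', 'block']
```

The model uses first-match evaluation and a default deny; the point it isolates is scope, not the exact matching fields of the product, so the constructed rules only use direction, protocol and port.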