CIS-Firewall not logging some events


In short, I’m trying to log RDP (RemoteDesktop) connections to a machine until I’m confident that I’m configured properly to turn such logging off. In spite of Network Security Rules that I believe should allow a particular machine (or group of machines) to RDP into the target machine while logging same, I’m getting no logging of that activity (other activity (non-RDP) is logged), but I am sometimes getting the Alert, which has been set to Allow-Remember. I’ve read the User’s Guide cover-to-cover. I’m attaching excerpted captures of Gobal Rules, Application Rules, and Log Settings.

I have referred in Rules to two Zones. 1st Zone selects 1st by MACAddr, 2nd by HOSTNAME and should identify one machine precisely. 2nd Zone selects by IPAddr with Submask and should select an entire corporate network.

I wonder whether the Remembered Alert response is short-circuiting my Network Rules.

Thanx in advance for your help.

[attachment deleted by admin]

Correct me if I am wrong, you want to log incoming connections on the machine that you have posted screen shots of. If so, one thing that stands out is your svhost application rules rule #3 is overriding the last rule, you need to move the ‘Allow And Log TCP In From IP In’ to above the ‘Allow TCP In From IP Any’ assuming you want to log incoming from that IP address space to that machine. Also what network zone name is that pc part of as fas as its mac and/or IP address, Dale’s Office Machine, IFOX Corporate Network, both, or neither. I just need a better understanding of the machine you are trying to configure, if you could, can you post a screenshot of your network zone? If you want to hide the mac/Ip addresses of the network zones, just make sure you identifiy what each entry is in each network zone e.g. ‘This a Mac address…’, ‘This is an IP address…’.

I grant the last SVCHOST ApplRule should never fire. It was originally placed to Allow-Log from (the local Router) as a last resort to log events from the Router for the sake of develping my understanding of the traffic. I began to question whether CIS was seeing my remote machines IP/MAC/HOSTNAME at all as it wasn’t logging the RDP Connections that were being allowed.

The Target PC is part of the LAN. Dale’s Machine is identified by both MAC, and HOSTNAME and is part of a remote network. Corporate Network is defined by IPAddr/Submask, only. Though CIS wouldn’t be aware of it, both Dale’s Machine and Corporate Network are part of the remote (source of RDP Connection) network. I had been using the Corporate Network Zone as it allowed the remote IPAddr to vary and still connect successfully, though it didn’t provide the precision I desired. I just defined Dale’s Machine in an attempt to provide the precision that Corporate Network disallowed. I believed I had been using the IPAddr/Submask to successfully Allow the RDP connection until recently when the POPUPs seem to have begun intermittently.

Since my original posting, concerned that I had active RDP connections from my remote machine showing that should have ended, and would not Terminate, I rebooted the target machine. Following the reboot, the logging is working. Unfortunately, I’m not sure whether it’s logging from the fired Global Rule, or the Application Rule(s). I presume the Global Rule. It would be nice if the logging included some ID to resolve such questions.

This particular issue has made me question whether the RDP connection is “unsolicited”, and therefore passing thru Global Rules 1st, or whether it’s the response to the SVCHOST application, passing thru AppRules 1st. Since it’s working again, I believe it’s the former.

Thanx for your feedback.