CIS6: VPN network not recognized / added

Hi folks,

I have a new Win7 laptop where I turned off Windows firewall and installed CIS 6. I set up my home network 192.xxxx/255.255.255.0 as Public (not home or work). Then, I connect via VPN to another network 10.xxx and get no notification and no new network zone (I am using Cisco AnyConnect VPN client).

Firewall is in Custom Ruleset mode. Enable detection of private networks is checked.

Network Zones just show Loopback (127.xxx) and Public #1 network (for 192.xxxx).

I seem to be able to connect to things specific to the VPN network, but now I have no idea what kind of protection I have. Or what are the implications of this?

I see that a similar issue was reported on https://forums.comodo.com/firewall-help-cis/vpn-not-detected-problems-with-fw-network-profiles-t92915.0.html;msg669330#msg669330 but there was no resolution.

Manage Networks only shows local (192.xxxx) network (as connected) and does not show VPN network (10.xxxx), even though I am clearly on VPN network, only able to connect to the sites and devices on that network and not to general Internet sites. Command Prompt shows both networks. Windows’s Control Panel → Networks shows both networks connected.

Would appreciate any help / ideas!

I don’t know why it doesn’t add that network. Seems like it should. I always either turn off detection or ignore all the network auto-detection stuff; I just create my own Zones as needed.

If you’re set to Custom Policy, then those rules should still apply. Can you make sure they still do? Maybe use a program you don’t have a rule for and try to connect to one of those 10.x.x.x addresses and see if the firewall prompts you.

Yes, I sometimes still get the firewall asking me if I want to allow a program to connect to the internet, including when I connect to one of the 10.xxx addresses. And when I look at the Firewall Events log, I see that all “Out” events originate from the 10.xxxx IP address while I am connected to the VPN network. I am still confused though why I don’t have any network set up for 10.xxxx and the firewall does not seem to care.

I am not sure I even need to create any Zones manually since apparently things work without them - very strange / suspicious as to whether my setup is good…

Someone correct me if I’m wrong, but isn’t the only point of detecting networks for Comodo to auto-create some zones and possibly auto-create some rules based on whether the network’s considered “home / safe” or “public / dangerous”?

If that’s the case, are auto-detected networks even used if you’re in Custom Policy mode? I thought the point of Custom Policy was for you to make all the rules yourself, and if that’s the case what would be the point of auto-detecting networks? Just to add a new zone for convenience?

It sounds like your custom policies are still applying, but you might want to rethink some of your rules. If you have an app that you want to be able to chat with the general internet and added a rule like “Allow IP from any IP address to any IP address” but you don’t want it to chat with servers on the VPN, you’ll want to add a “deny” or “prompt” type rule above that big allow-rule.

Thanks FwFan, I wonder if someone can confirm your theory that this is the intended behavior…

As for adding an ask / deny rule first - wouldn’t it apply to all cases then? In other words, it would not distinguish a regular internet connection from a VPN one, right? So, then I might as well remove the rule completely… ? (if I wanted the “ask” behavior)

Oh I still don’t think it’s intended behavior :)
If you’ve got the “detect networks” option checked and they aren’t being detected, that sounds like a bug.
I think it should at least auto-define a new zone for you.

No, adding an Ask rule wouldn’t necessarily make it pointless. What I’m thinking is like:

app.exe:
Ask IP to 10.*
Allow IP to *

That’d have it prompt for traffic going to your VPN network, but just auto-allow to everywhere else.

A better way of doing that, which takes slightly more effort, is to define a zone named “VPN” that has that VPN’s network range in it (i.e. 10.1.1.0 - 10.1.255.255), then make all your rules refer to that zone. That gives you 2 benefits: if your VPN’s network ever shifts to a different IP range, you can just change it in the one place AND when you go back and look at your rules a year from now they’ll make more sense.
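
The rule ordering and the “VPN” zone described in the two posts above, worked through as an added example (this is not code from the thread or from Comodo; CIS rules are configured in its GUI, not in Python). The script models top-down, first-match evaluation of per-application rules, converts the start–end range the post gives (10.1.1.0 - 10.1.255.255, used here purely as an illustrative range) into CIDR blocks the way a CIS network zone would cover it, and shows that “Allow IP to *” placed above “Ask IP to VPN” silently swallows the Ask rule. The fall-through default of “ask” for an unmatched connection is an assumption about Custom Ruleset behaviour, not something the thread confirms.

```python
import ipaddress
from dataclasses import dataclass

# Illustrative VPN range from the post (an assumption for this example,
# not the poster's real VPN addressing).
VPN_RANGE = ("10.1.1.0", "10.1.255.255")


def zone_from_range(first, last):
    """Turn a start-end range (the form a CIS zone is entered in) into
    the list of CIDR networks that exactly cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


# Named zones, mirroring the "Network Zones" list in CIS.
ZONES = {
    "Loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "VPN": zone_from_range(*VPN_RANGE),
}


@dataclass
class Rule:
    action: str       # "allow", "block" or "ask"
    destination: str  # "*" (any address), a zone name, or a CIDR string

    def matches(self, ip):
        if self.destination == "*":
            return True
        if self.destination in ZONES:
            return any(ip in net for net in ZONES[self.destination])
        return ip in ipaddress.ip_network(self.destination, strict=False)


def decide(rules, dst, default="ask"):
    """First matching rule wins, top to bottom; nothing matching falls
    through to `default`. Treating an unmatched connection as a prompt
    ("ask") is an assumption about Custom Ruleset mode."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(ip):
            return rule.action
    return default


# The two orderings discussed in the thread for a single app.exe.
ALLOW_FIRST = [Rule("allow", "*"), Rule("ask", "VPN")]  # Ask is never reached
ASK_FIRST = [Rule("ask", "VPN"), Rule("allow", "*")]    # prompt only for VPN


def compare(destinations):
    """Map each destination to (allow-first verdict, ask-first verdict)."""
    return {d: (decide(ALLOW_FIRST, d), decide(ASK_FIRST, d))
            for d in destinations}


if __name__ == "__main__":
    print("VPN zone as CIDRs:", [str(n) for n in ZONES["VPN"]])
    for dst, (wrong, right) in compare(
            ["10.1.5.5", "8.8.8.8", "10.2.0.1", "10.1.0.1"]).items():
        print(f"{dst:>10}: allow-first={wrong:<5} ask-first={right}")
```

Note that 10.1.0.1 is allowed under both orderings: it sits outside the start–end range the post used, which is exactly the kind of mistake the zone-based approach makes visible in one place rather than scattered across every rule.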

I tried setting Firewall to Safe mode and I observed the same behavior.

I think I see what you mean regarding the rules. Thanks for the explanation.

I see the same issue with CIS v7, the VPN network zone is not detected.

There are issues with CIS Firewall and Cisco AnyConnect. I opened this bug, hopefully Comodo will fix it soon:
https://forums.comodo.com/format-verified-issue-reports-cis/cisco-anyconnect-vpn-does-not-allow-vpn-traffic-v7m940-t102949.0.html

CIS 7 firewall has serious issues. I keep getting “Windows Operating System” traffic blocked on port 0, which you cannot overrule. To my knowledge this is the default gateway, which is not detected.

https://forums.comodo.com/firewall-help-cis/why-would-windows-operating-system-try-to-access-internet-t100737.0.html
Reply #12