CPF Logs (V3.0.12.266 x32)[BUGREPORT]

Acer Aspire 1700
Windows XP Home Version 2000 Service Pack 2
Pentium 4 3.06ghz
3.05ghz of Ram
AVG 7.5 Anti Virus Professional

If you have two rules in firewall for one process it will log one only UDP first TCP second if you have both rules set to log if you wish to see TCP rule you have to stop the UDP rule logging.

This bug is still present in the latest version CPF
Does not matter what order you have the rules it will only log the UDP rule.

I don’t have this problem you described. Tested on eMule and Skype with these rules:



In each case there are log entries both for tcp and udp.

Can you please give detailed information?

My rules are a bit more specific, screenshot below.(AVG as server for E-mail)

Log screenshot below I received my e-mail 4 times, the first and the last as in rules screenshot only TCP to log.
The second and third with both rules set to log a you can see the TCP did not log only the UDP rule logged.

[attachment deleted by admin]

Don’t know about your email setup, but some comments:

  1. DNS lookups are normally cached, and not repeated until the cache rolls over
  2. TCP connections are persistent, so don’t always need to make a new one to send more data.
  3. I have noticed for browsers, where it is easy to see, that only a subset of the TCP connections to port 80 for a site (usually only the first one) are logged-I presume to cut down on log clutter.

So this may be a bug or a feature :slight_smile:

But you might take a look at what connections to your email server & DNS Server are actually shown in the list of connections.

Screenshot of active connections below as you can see both are active.

[attachment deleted by admin]

But from your email scenario, if these are not being reused, there should be multiple connects from multiple ports. Otherwise there is nothing additional to log. TCP dies in about 2 minutes of inactivity, UDP ? in CFP.

Screenshots below.
First:- two connections.
Second:- after 1 minutes
Third:- after 2 minutes

[attachment deleted by admin]

OK, looks like you definitely identified it as the “message declutter” feature. In a web browser, there might commonly be 6-8 TCP connections to a single page to access the various sections of the page-you can see them clearly in “Active Connections”. Only the first one is logged. And they all go to the same IP address and port, as you show. Looks like the same approach is used for email, maybe others?

Ok IIRC this was already reproduced a while ago.
Only one rule per ruleset can be logged.

But In order to let any member easily follow this topic please attach log screenshots that only apply to a specific ruleset (meaning the ruleset with two log) and only log one connection/session.

BTW IIRC All CFP application rules need to be closed with a block IP in/out rule or all unmatched trafic will be allowed. :o
You may wish to edit your current rulesets.

OFF TOPIC: if firewall is in custom policy mode and don’t have block IP in/out rule, there will be alert for any unknown request (some kind of “ask” rule, but better i guess ;D) for specific app.

So no real need in this rule except for WOS because for WOS there is no alert for unknown request but “silently allow”.

Another example of Message Declutter would be to log the Comodo Firewall Pro rule and then run Check for Updates. You get one single log entry for DNS. If you make two rules of it - one for UDP and one for TCP, you still only get one entry. If the rule is set to ASK, you get one DNS Alert and six Port 80 Alerts.I can only assume that six events are being dropped from the log for the ALLOW rule.


Oops I did not know that :-[

This issue should be fixed in 3.0.18

If not speak now or keep the secret forever. :slight_smile:

Sorry still there in CPF :frowning:
No log for TCP if UDP is set to log same app.
It’s not something I use all the time just if I have a problem with apps. connecting.

With UDP are you referring to DNS requests?


I have used Kerio since 2.3/2.4 (Packet Filters only)
Then Kerio 3/4 (NOT Sunbelt) got used to this feature in the logs.
As CPF3 does not appear to be able to log both events I will just have to use View Active Connections instead. :frowning:
You may close this topic if you wish
Thank All for your help

Did you disable DNS client service in order to test this?