"Remember my answer" option creates INADEQUATE (WRONG) application rules!


I’ve a question regarding adding rules by ticking the “Remember my answer” option inside the Firewall Alert popup in CIS 5.12.

Please, see attached screenshot.

As you can see, the alert says my FTP server received a TCP connection from a remote host, specifically on port ftp(21). I understand that and agreed to create an application rule by ticking “Remember my answer”.

Then I look at the Application Rules list and, strangely enough, there appears to be a new rule for my FTP server:

Allow TCP In From IP In [ /] To MAC Any Where Source Port Is Any Destination Port Is Any

Why is there no port (21) information mentioned in that rule?

When I agreed to allow and create a rule regarding that specific connection I expected the FW to create an adequately specific rule for the application.

Why is CIS disregarding its own information about connections when creating these rules?

Is it supposed to be like that or is it a bug or something?

…because it sucks.


[attachment deleted by admin]

Try again with alert settings for firewall set to “very high”.

I noticed a strange behaviour with something similar.
I have set the alerts to very high. That way ALL differences have to be asked about on their own!
Though I did just allow a specific question with “remember my answer”, I did not get another question for something else later.

As you are using version 6 (I am back on version 5), test what happens.


I have always had the Alert Frequency Level set to Very High and I enabled alerts for every protocol too.
This is specifically WHY I asked the question. I expected the FW to create rules exactly according to the information it gives in the alerts.

I’d understand it creating such a broad rule (for all ports) only when the alert level was set to Medium or lower. I thought this is why I can choose the Alert Frequency Level in the first place.

What is happening here?

Maybe the FW creates rules on its own, ignoring the Alert Frequency Level setting?

…but that would be, hum… stupid?

I just don’t understand this.

PS. I use CIS 5.3 updated to 5.12, not 6. See picture.

[attachment deleted by admin]

He is using v5.

Yes, me too. We are on our way to discovering a thing that I pushed out of mind by saying:
It’s just me.

It happened in version 6.
I returned to version 5.
It happened again.

There is something actually wrong.

Now we need someone to currently confirm this with version 6.

I discovered it this way:
Temporary allow.

I erased the rules for cmdagent.exe.
Then I got asked to give permission to reach DNS.
I should always get at least 3 questions before cmdagent could connect to a real host.

This number wasn’t met each time. Though, cmdagent connected even to several hosts.

This can be very dangerous if it’s about incoming rules.

Here is the mods’ issue tracking system entry, though maybe it needs to refer to ports too.

[M108] 6.0 2674 PR Firewall — When you allow a firewall alert, a rule is created for an IP mask, not the specific IP cri Replicated by mod or second user


ATM I’ve rated it Critical because of the security risk, and because I think it happens on all machines

That was the 2nd thing I wanted to ask.

Sometimes when I get an alert and choose a policy for the application (e.g. “Block all”), then check “Remember my answer” and click OK, I end up getting the exact same alert (same application, same connection data) from a split second to some seconds later, although the rule is present in the Application Rules window (I checked).

It’s possible that they are different alerts after all, but not according to what the firewall alert popup text says: it displays the same data and allows for the same choice.

It’s as if the new rules weren’t activated early enough or at all (?).

Strange part is that the policy sometimes IS activated even if I choose to “Cancel” in that repeated alert popup.
Weird things…

The problem with generic rules being created, when firewall settings are Custom Policy Mode and Alert frequency on Very High, has been going on for a long time. If I recall, I even created a bug report a year or so ago.

Images below are from 5.8…

[attachment deleted by admin]

Do you find the rules being made the same (generic, that is) if the network zone(s) being referenced is (are) Public? (I suspect not; and that would be proper then.)

Unfortunately, zone type makes no difference.

Huh; when I tested the latest released version, CIS made very specific rules for every app (including the System / svchost) when in Custom Policy Mode and Very High Alert level. I did notice that the earlier versions did not follow that suit though (seemed to depend on the Public / Non-Public and what type of protocol was being used). Curious …

Outbound rules are not an issue, it’s inbound where generic rules are created, regardless of the firewall settings.


I did a test just now and when it comes to OUTBOUND connections my CIS 5.12 indeed DOES what it is supposed to (what I expect it to do): it adds a rule containing all the information I see in the popup alert, which is:
- the policy (allow or block),
- the connection direction (OUT),
- the PROTOCOL type,
- the IP address (a SINGLE address, NOT IP/Netmask),
- the proper PORT number.

It’s only when a rule for an INBOUND connection is created that the FW does NOT insert any port information into it, and it also uses the IP/Netmask notation instead of a single IP address.

This looks like a rather serious flaw, if you ask me.
Or maybe it’s by design and as an administrator I should just KNOW about it?
But I don’t seem to remember any mention of this “feature” in the FW manual, though =P

Anyway… can we expect it to be fixed now or what?
Can someone who actually works on developing CIS give his thoughts about this issue?
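The thread's complaint is that an inbound "remember my answer" rule comes out as "Allow TCP In From IP In [ /] To MAC Any ... Destination Port Is Any", i.e. with no port and no single remote host, while outbound rules record both. An administrator who suspects this can audit the Application Rules list for exactly that pattern. The script below is an added example and is not Comodo code or anything posted in the thread: it parses rule text in the "Allow/Block <proto> <direction> From ... To ... Where Source Port Is ... Destination Port Is ..." shape quoted above and flags inbound Allow rules whose destination port is unrestricted or whose remote side is blank or a whole network. The "IP <addr>" and "IP In [net / mask]" endpoint spellings for the specific and netmask cases are assumptions about how CIS renders them, and the sample rules (TEST-NET addresses) are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rule grammar as shown in the CIS Application Rules list. The From/To/Where
# layout is taken from the rule quoted in the thread; the "IP <addr>" and
# "IP In [net / mask]" endpoint forms are assumed renderings of the other cases.
RULE_RE = re.compile(
    r"^(?P<action>Allow|Block)\s+(?P<proto>TCP or UDP|TCP|UDP|ICMP|IP)\s+"
    r"(?P<direction>In/Out|In|Out)\s+From\s+(?P<src>.+?)\s+To\s+(?P<dst>.+?)\s+"
    r"Where\s+Source\s+Port\s+Is\s+(?P<sport>.+?)\s+Destination\s+Port\s+Is\s+(?P<dport>.+?)\s*$"
)
NET_RE = re.compile(r"^IP In \[\s*(?P<net>[^\s/\]]*)\s*/\s*(?P<mask>[^\s/\]]*)\s*\]$")
HOST_RE = re.compile(r"^IP (?P<addr>\d+\.\d+\.\d+\.\d+)$")


@dataclass
class Rule:
    action: str
    proto: str
    direction: str
    src: str
    dst: str
    sport: str
    dport: str


def parse_rule(line: str) -> Rule:
    """Split one rule line into its fields; raise on text we do not understand."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule text: {line!r}")
    return Rule(**m.groupdict())


def host_count(endpoint: str) -> Optional[int]:
    """How many remote hosts an endpoint expression matches.

    Returns None when the expression matches everything or records no host at
    all (the blank "[ /]" form seen in the thread counts as unknown)."""
    if endpoint in ("MAC Any", "IP Any"):
        return None
    m = HOST_RE.match(endpoint)
    if m:
        ipaddress.ip_address(m.group("addr"))  # validates the literal
        return 1
    m = NET_RE.match(endpoint)
    if m:
        if not m.group("net") or not m.group("mask"):
            return None
        net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        return net.num_addresses
    raise ValueError(f"unrecognised endpoint: {endpoint!r}")


def audit_inbound_allow(lines: List[str]) -> List[Dict]:
    """Flag inbound Allow rules that are broader than the alert they came from.

    Block rules and outbound rules are skipped: the thread reports outbound
    rules as correct, and a generic Block does not widen exposure."""
    findings = []
    for n, line in enumerate(lines, 1):
        r = parse_rule(line)
        if r.action != "Allow" or "In" not in r.direction:
            continue
        reasons = []
        if r.dport == "Any":
            reasons.append("destination port not restricted")
        hosts = host_count(r.src)  # for an inbound rule the remote side is the source
        if hosts is None:
            reasons.append("remote host not recorded")
        elif hosts > 1:
            reasons.append(f"remote side is a network of {hosts} addresses")
        if reasons:
            findings.append({"line": n, "rule": line, "reasons": reasons})
    return findings


# Constructed sample rule list: line 1 is the rule quoted in the thread, the
# rest are made up to show the specific, outbound and block cases.
SAMPLE_RULES = [
    "Allow TCP In From IP In [ /] To MAC Any Where Source Port Is Any Destination Port Is Any",
    "Allow TCP In From IP In [203.0.113.0 / 255.255.255.0] To MAC Any Where Source Port Is Any Destination Port Is Any",
    "Allow TCP In From IP 203.0.113.7 To MAC Any Where Source Port Is Any Destination Port Is 21",
    "Allow TCP Out From MAC Any To IP 198.51.100.20 Where Source Port Is Any Destination Port Is 21",
    "Block TCP In From IP In [ /] To MAC Any Where Source Port Is Any Destination Port Is Any",
]

if __name__ == "__main__":
    for f in audit_inbound_allow(SAMPLE_RULES):
        print(f"rule {f['line']}: {'; '.join(f['reasons'])}\n  {f['rule']}")
```

Run against an export of the rule list (one rule per line) it reports only the inbound Allow rules that lost the port or host detail from the alert; the first two sample rules are flagged, the specific inbound rule, the outbound rule and the Block rule are not.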