I am using CIS v4.0.141842.828 on 64-bit Win7. CIS help, under Firewall Tasks|Advanced|Network Security Policy, says:
For Outgoing connection attempts, the application rules are consulted first and then the global rules.
For Incoming connection attempts, the global rules are consulted first and then application specific rules.
I did an experiment where I allowed trusted applications but blocked all IP out within the global rules. It had the effect of blocking all IP out for trusted applications also. Is this evidence that the global rules are applied before the application rules for outgoing attempts?
CIS 3.14 behaves consistently with the help documentation. Is this behavior of CIS 4.0 intentional?
Both versions should act the same regarding the firewall policy; both the application and global rules need to match in order for connections to work. E.g. if you created a global allow-in rule for, say, port 21 for an FTP server application, you would also need to create an allow-in rule for that port for that FTP server in application rules for it to accept connections. So, by having a block-out rule under global rules, you are essentially blocking all outgoing connections for all applications regardless of their application rules; therefore CIS is behaving properly.
I retested with CIS v3.14.130099.587 on WinXP Pro x86, where I blocked all IP out in the global rules. Just like with v4.0, it had the effect of blocking all IP out for trusted applications also.
My understanding of CIS’ firewall rules is that the first rule encountered that applies is used, and all rules following are ignored. If the help documentation were accurate, then I believe that an application rule for allowing IP out would be applied and a global rule blocking IP out would be ignored for the matching application. My testing indicates that global rules are consulted first for both outgoing and incoming attempts.
Your comments are consistent with global rules being applied before application rules for outgoing connection attempts.
Think of it as 2 stages/layers of rules. Each list must be passed separately in order for a packet to be considered passed through.
As a rule is triggered/a packet is passed from one list, it is then run down the next list, in both directions.
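The two-stage evaluation described in this thread, as an added example that is not part of the original posts or of Comodo's code: a small Python model of two first-match rule lists where a packet is allowed only if both lists allow it. The rule fields, the application names, and the treatment of a list with no matching rule as "not allowed" are assumptions made for the model, not the product's actual schema. It reproduces the original poster's experiment (global "Block IP Out" overriding a trusted application's allow-out rule) and the FTP example from the earlier reply, and shows that under this semantics the order in which the two lists are consulted changes only the trace, not the verdict, which is why the experiment could not distinguish the two orders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the CIS "global rules + application rules" evaluation
# as described in this thread. Field names and semantics are assumptions.


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    direction: str              # "in" or "out"
    protocol: str = "ip"        # "ip" matches any protocol; else "tcp"/"udp"
    port: Optional[int] = None  # None matches any port


@dataclass(frozen=True)
class Packet:
    app: str        # application the packet belongs to
    direction: str  # "in" or "out"
    protocol: str   # "tcp" or "udp"
    port: int


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First-match within one list: the first rule that applies decides and
    every rule after it is ignored. Returns None when nothing applies."""
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if r.protocol != "ip" and r.protocol != pkt.protocol:
            continue
        if r.port is not None and r.port != pkt.port:
            continue
        return r.action
    return None


def decide(global_rules: List[Rule], app_rules: Dict[str, List[Rule]],
           pkt: Packet, global_first: bool = True) -> Tuple[bool, List[str]]:
    """Two-stage evaluation: the packet passes only if BOTH lists allow it.
    global_first changes which list is consulted first (and so the trace),
    never the verdict. A list with no matching rule is treated here as not
    allowing (assumption; the real product would alert or apply a default)."""
    stages = [("global", global_rules), ("app", app_rules.get(pkt.app, []))]
    if not global_first:
        stages.reverse()
    trace: List[str] = []
    for name, rules in stages:
        verdict = first_match(rules, pkt)
        trace.append(f"{name}:{verdict}")
        if verdict != "allow":
            return False, trace   # a block or no match in either list ends it
    return True, trace


def experiment_block_all_out() -> Tuple[bool, bool]:
    """The poster's test: trusted app allowed out, but 'Block IP Out' in the
    global rules. Returns the verdict with global consulted first and with
    the application list consulted first."""
    g = [Rule("block", "out", "ip")]
    a = {"firefox.exe": [Rule("allow", "out", "ip")]}   # assumed app name
    p = Packet("firefox.exe", "out", "tcp", 443)
    return decide(g, a, p, True)[0], decide(g, a, p, False)[0]


def ftp_server_example(with_app_rule: bool) -> bool:
    """The reply's FTP example: a global 'Allow TCP In port 21' alone is not
    enough; the server's own application rule must also allow it."""
    g = [Rule("allow", "in", "tcp", 21), Rule("block", "in", "ip")]
    a = {"ftpd.exe": [Rule("allow", "in", "tcp", 21)] if with_app_rule else []}
    return decide(g, a, Packet("ftpd.exe", "in", "tcp", 21))[0]


def first_match_example() -> Tuple[bool, bool]:
    """Within one list the first applicable rule wins: an application list of
    'allow TCP out 80' followed by 'block IP out' lets port 80 through and
    stops port 443, with a permissive global list."""
    g = [Rule("allow", "out", "ip")]
    a = {"app.exe": [Rule("allow", "out", "tcp", 80), Rule("block", "out", "ip")]}
    return (decide(g, a, Packet("app.exe", "out", "tcp", 80))[0],
            decide(g, a, Packet("app.exe", "out", "tcp", 443))[0])


if __name__ == "__main__":
    print("block-all-out experiment (global first, app first):",
          experiment_block_all_out())
    print("ftp with/without app rule:",
          ftp_server_example(True), ftp_server_example(False))
    print("first-match within a list (port 80, port 443):",
          first_match_example())
```

The point of `global_first` is the one the original poster was testing for: because a packet must clear both lists, a global block is fatal whether it is consulted before or after the application rules, so the experiment cannot reveal the consultation order. Only the trace differs between the two orders.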
I reread the help documentation page again today. The beginning has the quote I put in the opening post. At the end of that very long page, it repeats this information and adds the subtlety mentioned by Bad Frogger. My suggestion to the Comodo documentation folks is to remove this incomplete info from the beginning so that readers wanting to know about global vs application rules will see the complete picture.