Trusted Zone blocked (Global rules seem not to work?)

Hi,

I have problems defining a working trusted zone.

The bug/issue

  1. What you did:
    I configured a Zone as trusted (10.0.0.0 to 10.255.255.255): I added that zone and then marked it trusted by using “Stealth Ports Wizard” (by the way, perhaps another name would be more suitable for that part).

  2. What actually happened or you actually saw:
    That action created a few rules (2 in global rules and application rules). But requests were blocked even after that (popup appears).
    E.g. ping to a trusted IP is blocked (ping to 10.0.x.y is blocked), a popup is displayed.
    Other requests are also blocked.
    The global rules seem not to work.

  3. What you expected to happen or see:
    Connections to and from Trusted zone should not be blocked.

  4. How you tried to fix it & what happened:
    For each application I created additional rules (I confirmed the popups).

  5. Details (exact version) of any software involved with download link:
    CPF 5.0.163652.1142 (perhaps I misspelled, but I could not copy it from the about dialog (-> perhaps this could be added?)
    OS: Win 7 x64

  6. Any other information you think may help us:

Your set-up

  1. CIS version, AV database version & configuration used:
    CPF 5.0.163652.1142 (perhaps I mistyped, but I could not copy it from the about dialog (-> perhaps this could be added?)
  2. Whether you imported a configuration, if so from what version:
  3. Defense+ and Sandbox OR Firewall security level:
    D+: Clean PC, no Sandbox
    FW: Custom policy, alert frequency medium
  4. OS version, service pack, no of bits, UAC setting, & account type:
    OS: Win 7 x64, no SP, UAC active
  5. Other security and utility software running:
    Avira
  6. Virtual machine used (Please do NOT use Virtual box):

Best regards,
Lysathor

[Edit: formatted to new bug report format]

Please include a screenshot of your Global rules.

Also please include 1 to 6 OS / Configuration info.

Thank you

Dennis

Your set-up

  1. CIS version, AV database version & configuration used:
  2. Whether you imported a configuration, if so from what version:
  3. Defense+ and Sandbox OR Firewall security level:
  4. OS version, service pack, no of bits, UAC setting, & account type:
  5. Other security and utility software running:
  6. Virtual machine used (Please do NOT use Virtual box):

Your set-up

  1. CIS version, AV database version & configuration used:
    CPF 5.0.163652.1142 (perhaps I mistyped, but I could not copy it from the about dialog (-> perhaps this could be added?)
  2. Whether you imported a configuration, if so from what version:
  3. Defense+ and Sandbox OR Firewall security level:
    D+: Clean PC, no Sandbox
    FW: Custom policy, alert frequency medium
  4. OS version, service pack, no of bits, UAC setting, & account type:
    OS: Win 7 x64, no SP, UAC active
  5. Other security and utility software running:
    Avira
  6. Virtual machine used (Please do NOT use Virtual box):

[attachment deleted by admin]

Can you show the definitions of WLAN1 and LAN1 networks? What IP address are you trying to ping when it gets blocked?

I added the configuration and result in as attachments.

[attachment deleted by admin]

There is a peculiarity in CIS where it will show an address range (10.0.0.0-10.255.255.255) as an address with address mask (10.0.0.0/10.255.255.255).

Can you make sure you defined WLAN1 as a range from 10.0.0.0-10.255.255.255 and not by address mask? Check by choosing to edit the WLAN1 network definition.

I am sure that I configured it correctly. See screenshot.
I also tried to use the address/mask option (10.0.0.0/255.0.0.0). Did not work.
I also tried to use the one address only (10.0.0.1). Did not work.
I also tried to use “Any”. Did not work (!!!).

I also tried another program that uses TCP instead of ICMP (I used vncviewer). Did not work.

The only way for me to avoid the popup is to create application rules. Global rules seem to have no effect.

[By the way, I already posted an answer before but it obviously did not show up here. Sorry for the delay.]

[attachment deleted by admin]

I also tried to directly define a global rule that should avoid the popup (see screenshot).

My conclusion still is: global rules do not work on my system.

[attachment deleted by admin]

I found that global rules work on my system when blocking connections rather than allowing them.
If I block ICMP, I do not get any popup any more.

It seems that only the allow rules do not work.

[attachment deleted by admin]

What pop up do you get? A firewall alert stating ping.exe is trying to connect to IP address? That is what we expect as you are running the Firewall in Custom Policy Mode; it will then alert you for everything.

Other requests are also blocked.
What other reports do you mean? You have to be precise when filing a bug report.

I already appended the popup I get. Will add it again.
Does that mean that in Custom Policy Mode global allow rules are ignored intentionally?

I did not talk about reports. I talked about requests (connections). I was talking about other applications trying to connect to the trusted network, e.g. vncviewer, which uses another protocol and other ports. See attachments.

It seems that I have not understood the custom policy mode. The text in the CIS dialog says
“You will get alerted every time there is a connection attempted by an application unless your policy contains rules to trust the connection”.
To me it seems that it does this:
“You will get alerted every time there is a connection attempted by an application unless your policy contains rules to deny the connection”.
Perhaps the text in the Firewall Security Level dialog is not correct?

Why are global allow rules ignored in custom policy mode while deny rules are not?
Would it not be clearer if all the global rules were handled the same way?
It would also be helpful if global allow rules were shown in grey when not active instead of in green.

To summarize:

The bug/issue

  1. What you did:
    Create a trusted zone (with name WLAN1).
  2. What actually happened or you actually saw:
    Popups for connections to that zone still appear. E.g. “Ping.exe is trying to connect to the Internet”.
  3. What you expected to happen or see:
    Popups should be avoided because a global allow rule (created by assigning a trusted zone) already accepts the connection. The automatically generated rule name is “Allow All Outgoing Requests If The Target Is In [WLAN1]” (WLAN1 is my trusted zone).
  4. How you tried to fix it & what happened:
    Accept the connection using the popup dialog and selecting “Remember”. But that means that I have to do that for every application that wants to connect to that zone.
  5. Details (exact version) of any software involved with download link:
  6. Any other information (eg your guess regarding the cause, with reasons):
    It seems to me that Global Rules are ignored if they are Allow rules. Perhaps that is in conjunction with Custom Policy Mode.
    Manually creating global allow rules for my zone does not change the situation.
    Manually creating global deny rules for my zone does have an effect (the popup does not show any more, but the connection is blocked).
    Defining the zone as a single IP, an IP range, or an IP with mask does not change the behaviour.

Files appended

  1. Screenshots illustrating the bug:
    Attached.
  2. Screenshots of related event logs or the active processes list:
  3. A CIS config report or file.
  4. Crash or freeze dump file:

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS: 5.0.167463.1142 (Perhaps I made a typo, but I could not copy&paste it from the about dialog).
    AV: -
  2. Whether you imported a configuration, if so from what version:
    No.
  3. Defense+ and Sandbox OR Firewall security level:
    D+: Enabled, SB: Disabled, FW: Custom Policy
  4. OS version, service pack, no of bits, UAC setting, & account type:
    Win 7 x64, UAC enabled, Account: user
  5. Other security and utility software running:
    Avira.
  6. Virtual machine used (Please do NOT use Virtual box):

[attachment deleted by admin]

The behaviour you are describing is actually what can be expected of CIS. Firewall control rules work in two steps. For outgoing traffic it first goes through Application Rules and then through Global Rules. When using Custom Policy Mode you will be alerted for every application; it is how it is designed to work.

Global Rules do not trump Application rules. They work together but work separately.

If I understand you correctly you want not to be alerted for traffic to a trusted zone and be alerted for traffic to a non trusted zone.

I must admit that I still do not understand global rules. Is there a page where I can read how it works?
I thought that global rules overrule other rules. If I understand you correctly, that is not true.

What does “For outgoing traffic it first goes through Application Rules and then through Global Rules. When using Custom Policy Mode you will be alerted for every application” mean? Does it mean that for every outgoing connection attempt that is not covered by an application rule there will be a popup (even if global rules exist)? But that is not true. Global deny rules have effect.

Could you please explain why the popup shows up even if a global rule tells that all traffic to the trusted zone should be allowed? There is no application rule so I expected that (even regarding your explanation) the global rule should allow the connection and therefore avoid the popup.

Why does assigning a trusted zone generate global rules? There must be a situation when these rules have effect. What are these situations?

For me it seems that for allow rules only application rules apply and global rules are ignored (see my bug report).
For me it seems that for deny rules global rules override application rules (e.g. ping is allowed to a zone, a global rule denies the zone → ping is blocked).

What I want is to create a trusted zone that is treated the way the global rules lead me to expect: allow all traffic from and to the trusted zone. The reason why I want this is to avoid creating many application rules.

Using the word trump is dangerous here as it can easily cloud the understanding. I will not use it anymore. The Global Rules trump but not how you assume. And the assumptions are what need to be cleared as you and I speak from different perspectives.

Global Rules and Application Rules work separately and after each other.

For a detailed description on how Global Rules and Application Rules work:
Global Rules
Application Rules

What does "For outgoing traffic it first goes through Application Rules and then through Global Rules. When using Custom Policy Mode you will be alerted for every application" mean? Does it mean that for every outgoing connection attempt that is not covered by an application rule there will be a popup (even if global rules exist)?
Indeed there will be a pop up. The Global Rules will be executed after the application rule.
But that is not true. Global deny rules have effect.
Global Rules do block as instructed. But they will block after CIS has followed the application rule for that program. Global Rules are generic rules about how to treat protocols, addresses and ports. With an application rule you tell exactly what a program can and cannot do.
Could you please explain why the popup shows up even if a global rule tells that all traffic to the trusted zone should be allowed? There is no application rule so I expected that (even regarding your explanation) the global rule should allow the connection and therefore avoid the popup.
These Global Rules get executed after and are separate from the application rule for the program. With the application rule you tell exactly what an application is allowed to do and what not. Global Rules are generic rules about how to treat protocols, addresses and ports. That is how CIS is structured.
Why does assigning a trusted zone generate global rules? There must be a situation when these rules have effect. What are these situations?
That is for the situation where a program is listening for traffic. The Global Rules for a trusted zone allow all traffic for that zone to come in, so a listening program can respond when it sees traffic meant for that program.
For me it seems that for allow rules only application rules apply and global rules are ignored (see my bug report). For me it seems that for deny rules global rules override application rules (e.g. ping is allowed to a zone, a global rule denies the zone --> ping is blocked).

What I want is to create a trusted zone that is treated the way the global rules lead me to expect: allow all traffic from and to the trusted zone. The reason why I want this is to avoid creating many application rules.

If you want to avoid making many application rules then it is best to make one or two custom policies that you can use as application rules for multiple programs.

Please try the following;

Go to Network Security Policy, Application Rules, Add, Select, File Groups, “All Applications”
Add an allow rule for IP IN source = WLAN1
Add an allow rule for IP OUT destination = WLAN1

See if that works?
As you're running Custom, the first note is “Only the traffic that adheres to your Network Security Policy is allowed”.
As long as there are no (Application) allow rules for ICMP or “All”, it will keep alerting you.
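The evaluation order explained in the replies above (Application Rules first, then Global Rules; a global block stops traffic without an alert, a global allow on its own does not silence the Custom Policy Mode alert) and the range-versus-mask display quirk mentioned earlier in the thread are easy to misread from prose alone. The following Python model is an added example written for this page, not Comodo's code: it replays the configurations the reporter tried against constructed sample traffic. The file-group name `All Applications`, the rule names and the sample addresses are assumptions, and the model only covers outgoing traffic, which is all the thread describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Added illustration for this page: a toy model of the evaluation order the
# thread describes for outgoing traffic in Custom Policy Mode (Application
# Rules first, then Global Rules). Not Comodo's code; names are assumptions.

ALL_APPLICATIONS = "All Applications"   # assumed name of the CIS file group


@dataclass(frozen=True)
class Zone:
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end


def parse_zone(name: str, text: str) -> Zone:
    """Accept 'Any', a single address, 'first-last', or 'addr/mask'.
    The thread notes CIS displays the range 10.0.0.0-10.255.255.255 as
    10.0.0.0/10.255.255.255; 10.255.255.255 is not a valid netmask, so such a
    string is treated as a range rather than rejected."""
    text = text.replace(" ", "")
    if text.lower() == "any":
        return Zone(name, ipaddress.IPv4Address("0.0.0.0"),
                    ipaddress.IPv4Address("255.255.255.255"))
    if "-" in text:
        first, last = text.split("-", 1)
        return Zone(name, ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    if "/" in text:
        addr, mask = text.split("/", 1)
        try:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        except ValueError:   # neither a prefix length nor a contiguous netmask
            return Zone(name, ipaddress.IPv4Address(addr), ipaddress.IPv4Address(mask))
        return Zone(name, net.network_address, net.broadcast_address)
    single = ipaddress.IPv4Address(text)
    return Zone(name, single, single)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    direction: str              # "in" or "out"
    protocol: str               # "ip" matches everything; else "icmp", "tcp", "udp"
    zone: Optional[str] = None  # zone the remote address must fall in; None = any


@dataclass(frozen=True)
class Packet:
    app: str
    direction: str
    protocol: str
    remote: ipaddress.IPv4Address


def matches(rule: Rule, pkt: Packet, zones: Dict[str, Zone]) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.zone is not None and not zones[rule.zone].contains(pkt.remote):
        return False
    return True


def evaluate_outgoing(pkt: Packet, app_rules: Dict[str, list],
                      global_rules: list, zones: Dict[str, Zone]) -> str:
    """Return 'allow', 'block' or 'alert' for one outgoing packet.
    Step 1: Application Rules (the program's own, then the All Applications group).
    Step 2: Global Rules. As reported in the thread, a Global block rule stops the
    traffic with no alert, while a Global allow rule on its own does not silence
    the Custom Policy Mode alert: the alert belongs to step 1."""
    app_decision = None
    for rule in app_rules.get(pkt.app, []) + app_rules.get(ALL_APPLICATIONS, []):
        if matches(rule, pkt, zones):
            app_decision = rule.action
            break
    if app_decision == "block":
        return "block"
    for rule in global_rules:
        if rule.action == "block" and matches(rule, pkt, zones):
            return "block"
    if app_decision == "allow":
        return "allow"
    return "alert"   # Custom Policy Mode: no application rule covers this traffic


def run_scenarios() -> Dict[str, str]:
    """Replay the configurations tried in the thread on constructed sample traffic."""
    zones = {"WLAN1": parse_zone("WLAN1", "10.0.0.0/10.255.255.255")}  # as CIS shows it
    # Global rules the trusted-zone wizard is said to generate for WLAN1.
    trusted = [Rule("allow", "in", "ip", "WLAN1"), Rule("allow", "out", "ip", "WLAN1")]
    ping = Packet("ping.exe", "out", "icmp", ipaddress.IPv4Address("10.0.1.5"))
    vnc = Packet("vncviewer.exe", "out", "tcp", ipaddress.IPv4Address("10.0.1.5"))
    vnc_far = Packet("vncviewer.exe", "out", "tcp", ipaddress.IPv4Address("192.168.1.7"))
    # The fix suggested in the thread: allow rules on the All Applications group.
    all_apps = {ALL_APPLICATIONS: [Rule("allow", "in", "ip", "WLAN1"),
                                   Rule("allow", "out", "ip", "WLAN1")]}
    return {
        "trusted_zone_only": evaluate_outgoing(ping, {}, trusted, zones),
        "global_block_icmp": evaluate_outgoing(ping, {}, trusted + [Rule("block", "out", "icmp")], zones),
        "app_allow_global_block": evaluate_outgoing(
            ping, {"ping.exe": [Rule("allow", "out", "icmp", "WLAN1")]},
            [Rule("block", "out", "ip", "WLAN1")], zones),
        "all_apps_ping": evaluate_outgoing(ping, all_apps, trusted, zones),
        "all_apps_vnc": evaluate_outgoing(vnc, all_apps, trusted, zones),
        "all_apps_outside_zone": evaluate_outgoing(vnc_far, all_apps, trusted, zones),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} -> {result}")
```

Running it shows the trusted-zone global rules alone still produce an alert, a global ICMP block silences the popup by blocking, a global block overrides an application allow, and only the All Applications allow rules give the "no popup, traffic allowed" outcome the reporter wanted, while traffic to an address outside WLAN1 still alerts.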

Hi all

Am assuming this is resolved. Please PM any active mod if it is not.

Best wishes

Mouse

Sorry for the delay. But you're right, the problem is solved for me. After seeing how I can get what I wanted, I wonder why I did not find that out by myself :wink:

Thank you all very much! :-TU