Understanding how CIS Firewall Rules Work

I’d like to gain a better understanding of how the CIS firewall works. To that end, I have some questions:

  1. All outbound traffic will first go through the application firewall rules, and then also go through the global firewall rules, correct?

  2. In this way, if an application firewall rule allows outbound traffic from an application via TCP to IP xyz, then there must also be a corresponding global firewall rule to allow outbound TCP traffic to IP xyz, or the traffic will be blocked, correct?

  3. If the first application firewall rule includes application abc.exe, and the second application firewall rule also includes application abc.exe, will both application firewall rules fire, or just the first? Furthermore, if a block rule fires in the first application firewall rule, will the second firewall rule fire?

  4. If the “Filter loopback traffic” option is enabled, does that then require a corresponding allow rule in the application firewall rules and the global firewall rules before loopback traffic is allowed?

  5. What precisely does the “Do protocol analysis” option do? For instance, will it only allow HTTP traffic that adheres to the HTTP specification? And if so, outbound, inbound, or both?

  6. Is there any way to block outbound IPv6 traffic within the CIS Firewall?

  7. All inbound traffic will first go through the global firewall rules, and then also go through the application firewall rules, correct?

Thank you,


  1. Yes
  2. As long as there is no blocking rule it would be allowed so you really don’t need to specify an allow out rule in the global rules.
    3.Rules are processed from top to bottom as listed so once a matching rule is found no other rules will be checked.
    4.Only in application rules.
    5.Protocol analysis checks only Internet layer protocols (IP, ICMP, IGMP) and transport layer protocols (TCP, UDP) and checks both incoming and outgoing packets.
Do protocol analysis - Protocol Analysis is key to the detection of fake packets used in denial of service attacks. Checking this option means Comodo Firewall checks every packet conforms to that protocols standards. If not, then the packets are blocked (Default = Disabled).
6.Yes by specifying either source and/or destination IPv6 address. 7.Correct

Thank you very much for your clear and thoughtful answers to my questions, futuretech!

I have reinstalled CIS and I am now allowing the CIS executables access to the internet. However, I’m now seeing some strange behavior that I’d like to understand better:

  1. Though I have confirmed that I am running in the “Custom Ruleset” mode, and that the “Create rules for safe applications” option is disabled, CIS seems to be creating new application firewall rules and global firewall rules entirely on it’s own. For instance, CIS seems to create application firewall rules for the application, “System”:
    • Allow System to Send Requests if The Target Is In []
    • Allow System to Receive Requests if The Sender Is In []

Additionally, CIS seems to create these global firewall rules:
• Allow All Outgoing Requests if The Target Is In []
• Allow All Incoming Requests if The Sender Is In []

Now, in and of themselves, these rules are actually in keeping with my intent, but what I do find somewhat disturbing is that CIS seems to be creating these rules in contravention of the disabled “Create rules for safe applications” option, without any interaction with me, and particularly since these precise rules seem unnecessary and redundant, as I’ve already created other rules which allow this communication. For instance, I already have the same application firewall rule logic in place for the “System” application, but as part of a file group containing various Windows System applications/executables. Additionally, I also already have global firewall rules with the same firewall rule logic, only they’re further down the list – specifically after the 5 default rules created by CIS upon installation which Block ICMPv4 traffic in different situations (by the way, what are these 5 default rules for?). Anyway, why is this occurring, and is there any way to prevent it?

  1. After having selected the “Trust Network” option for my private network in the “Manage Networks” window, I will occasionally find that this option is no longer selected. Why is this occurring, and is there any way to prevent it?

As always, thank you!


  1. it is because of the new background detection of network, where it will detect the first network you connect to and set it to Home by default which when you normally choose Home in network detection alert it creates those rules, which is the same as selecting trust network in manage network task. I brought this up so that it should follow what is set when you have do not show alerts treat network as option in the network zones firewall settings.
  1. If you delete the auto-generated rules for when the network is trusted then yes I have notice trust network is not selected anymore.