Update Blocks Application

Hello,

I installed the update this morning and find that a component of my firm’s firewall no longer functions unless I turn the Comodo firewall off.

Clearly, a rule was affected by the update. When I look at the application rules, I cannot see anything that would account for this change. I added all of the executables to the “approved” list, but that made no difference.

However, I cannot see where these new rules are in Comodo.

Can you please tell me where all of the rules are located?

Thanks.

Jon

Welcome to the forums.

Network Monitor - Network Rules
Application Monitor - Application rules
Component Monitor - Component rules (used by applications)

I’m thinking that the logs will be your friend here. Might I suggest exporting and pasting a copy of your logs here?

What exactly do you mean by a component of my firm’s firewall no longer functions?

The workstation on which Comodo is installed is the workstation from which I control our Watchguard Firewall. While all other functions appear to be normal, the WebBlocker component (which controls which sites cannot be accessed) no longer works when Comodo is running.

The Watchguard system reports that the WebBlocker server “is not installed”. I found the server executable file and created a rule allowing it.

However, the result is the same.

I’ll check the logs and see if I can find something. I hope you can understand my reluctance to post them unless I have to.

However, my other question still remains: where can I see all of the rules that are in place for all of the applications on this workstation?

I should point out that I am testing Comodo for use on a number of my mobile users and want to be sure that they will have a minimum of problems. That’s why I am trying to stress it using this particular workstation.

Thanks.

Jon,

Did you reboot the workstation after adding the rule for the WebBlocker? If not, you might find that helpful. You might also edit that rule, go to the Miscellaneous tab, and check the box to “Skip Advanced Security checks” for that application. OK. Reboot.

The logs will show what applications/network connections, etc. are being blocked. When you export to HTML, you can cut & paste the text into your post, and mask/remove IP & any other personal/sensitive information. Alternately, you can look through the logs for blocked applications, as that is probably where the problem is, or do the following:

Go to Security/Advanced/Miscellaneous, and move the Alert Frequency slider to High or Very High. OK. Reboot. This way you’ll see alerts when Watchguard files try to connect, and can automatically create rules by selecting “Remember” and clicking Allow. This will be IP and even Port specific; you can Edit the App Rule later to tone it down if you want. Note: Be sure to allow any svchost.exe popups, or you’ll effectively terminate your connection by blocking dns, dhcp, and whatnot, from updating.

For your last question, CPF does not create a list of applications on your computer; it responds when an application is trying to connect to the internet. Obviously, you will find those apps that you have allowed (or denied) in the Application Monitor. Some applications (such as Internet Explorer, Outlook Express, etc) are on an encrypted safelist (not accessible) and will not show alerts, unless you do the following:

Go to Security/Advanced/Miscellaneous, and uncheck the box “Do not show alerts for applications certified by Comodo.” OK. Reboot.

Hope that helps. Now back to m0ng0d…:wink:

LM

Many thanks for your suggestions!

I’ll give them a try and let you know what happens.

Cheers!

Jon

Hello,

All appears well now!

First, I checked and found that all application and component rules were “allowed.”

Then, I opened the log. (The IP address of the firewall has been excised along with unrelated entries) Here’s what I saw:

Date/Time :2007-01-23 09:51:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = , Port = 5003)
Protocol: UDP Incoming
Source: :1031
Destination: 10.0.2.180:5003
Reason: Network Control Rule ID = 5

Date/Time :2007-01-23 09:50:50
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = , Port = 5003)
Protocol: UDP Incoming
Source: :1031
Destination: 10.0.2.180:5003
Reason: Network Control Rule ID = 5

Date/Time :2007-01-23 09:50:44
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = , Port = 5003)
Protocol: UDP Incoming
Source: :1031
Destination: 10.0.2.180:5003
Reason: Network Control Rule ID = 5

Date/Time :2007-01-23 09:47:40
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = , Port = 5003)
Protocol: TCP Incoming
Source: :18800
Destination: 10.0.2.180:5003
TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time :2007-01-23 09:47:40
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = , Port = 5003)
Protocol: TCP Incoming
Source: :17633
Destination: 10.0.2.180:5003
TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time :2007-01-23 09:47:40
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = , Port = 5003)
Protocol: UDP Incoming
Source: :1031
Destination: 10.0.2.180:5003
Reason: Network Control Rule ID = 5

Looking over at the Network Monitor for the rules there, I found rule 5 to say something like “Block all proto to and from any IP”.

I removed the rule and waited. Almost immediately, I got a popup for a “service.dll” which I allowed.

I then performed a check and found that the Web filtering service was performing normally and no errors appeared in the traffic monitor.

Many thanks for your patience and excellent support. I look forward to learning more about this increasingly impressive product.

Jon
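
An added example, not part of the original posts: a small Python parser for exported entries in the layout pasted above, grouping denied flows by rule ID, protocol and destination port so the narrow allow rule that is needed stands out. The sample entries are constructed from the post's format (source address blank, as posted), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the posted log (source IP left blank, as in the post).
SAMPLE_LOG = """\
Date/Time :2007-01-23 09:51:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = , Port = 5003)
Protocol: UDP Incoming
Source: :1031
Destination: 10.0.2.180:5003
Reason: Network Control Rule ID = 5

Date/Time :2007-01-23 09:47:40
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = , Port = 5003)
Protocol: TCP Incoming
Source: :18800
Destination: 10.0.2.180:5003
TCP Flags: SYN
Reason: Network Control Rule ID = 5
"""

def parse_entries(text):
    """Return one dict per blank-line-separated entry ('Key: value' or 'Key :value')."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def blocked_flows(text):
    """Count denials per (rule id, protocol, direction, source, dest ip, dest port)."""
    flows = Counter()
    for e in parse_entries(text):
        rule = re.search(r"Rule ID = (\d+)", e.get("Reason", ""))
        dst_ip, _, dst_port = e.get("Destination", "").rpartition(":")
        if not rule or not dst_port.isdigit():
            continue  # not a rule-based denial, or a malformed entry
        proto, _, direction = e.get("Protocol", "").partition(" ")
        src_ip = e.get("Source", "").rpartition(":")[0] or "<redacted>"
        flows[(int(rule.group(1)), proto, direction, src_ip, dst_ip, int(dst_port))] += 1
    return flows
```
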

Jon, you’ve got to put that Rule ID 5 back! That is your safety net! If you know that you need to allow those incoming UDP & TCP connections for Watchguard, then you can create specific rules (above that bottom block & log rule) to specifically allow those IP/Port combos Inbound traffic. But you’ve gotta keep that rule in place; otherwise your computer is open to allow ANY INBOUND TRAFFIC!

Here’s an explanation of CPF’s layered rules, and how it filters through the network rules. That should help you have a better understanding of how it works. https://forums.comodo.com/index.php/topic,5372.0.html

LM

I think it might be simpler…

If he only had the default 0-5 (6) rules, then he never had the rules for a trusted zone… i.e. his LAN. With his LAN untrusted, it would have been as if he had no network access.

You need Rule 5 as your “if you have not passed the above rule network shaping, you are undesirable traffic; begone” rule. Without it, network rules are basically disabled. The Network rules audit all traffic in a check-list type fashion (from the top of the rules to the bottom) until it either finally finds a rule that allows it, or hits the dead end at the bottom and is denied.

All you needed to do was ensure a Zone was defined (your LAN range), then run the Add Trusted Zone wizard to create 2 more rules that support/allow your LAN’s traffic.

I’d like to recommend 2 sources of information for you:

  • for a quick overview of the install options (including trusted zones) watch this video
  • for a deeper understanding of what Network Rules are all about read this How-To

You’ve been greeted by an awesome powerful feature of CPF that is completely foreign to the other wanna-be firewalls. Once you learn its secrets, you will appreciate it immensely.

I’m gonna go out on a limb (exposing my limited knowledge) and try to put this into some hardware firewall lingo that might shine some light on this. My limited experience is with a SonicWall appliance, but I am hoping there are some similarities to your WatchGuard appliance. First protocols and service groups are defined to each interface (WAN for example) as to what it will allow, then rules are put in place that govern WAN->LAN traffic, LAN->WAN traffic, etc… These initial steps shape the network traffic. This is basically what CPF is trying to achieve in one interface called the Network Rules. And if you look closely at the bottom of the firewall rules, there will be a default catch-all Block rule as well; very familiar but a previously foreign concept to software firewalls (until now).
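
An added example, not part of the original posts: a Python model of the top-to-bottom, first-match evaluation described in the last two replies, comparing the original rule list, the list with the catch-all removed, and a list with narrow allow rules placed above the catch-all. The rule lists and addresses are constructed (they are not CPF's shipped defaults, and 192.0.2.1 stands in for the firewall address removed from the log); the fall-through behaviour when nothing matches is modelled as the replies describe it, which is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                      # "allow" or "block"
    proto: str = "ANY"               # "TCP", "UDP" or "ANY"
    direction: str = "any"           # "in", "out" or "any"
    src: str = "0.0.0.0/0"           # source network
    dst_port: Optional[int] = None   # None matches every port

    def matches(self, proto, direction, src, dst_port):
        return (self.proto in ("ANY", proto)
                and self.direction in ("any", direction)
                and ip_address(src) in ip_network(self.src)
                and self.dst_port in (None, dst_port))

def evaluate(rules, packet):
    """Walk the list top to bottom; the first matching rule decides."""
    for rule_id, rule in enumerate(rules):
        if rule.matches(*packet):
            return rule.action, rule_id
    # Assumption taken from the replies: with no catch-all, unmatched traffic is not filtered.
    return "allow", None

FIREWALL = "192.0.2.1"   # placeholder; the real address was removed from the posted log
BLOCK_ALL = Rule("block")
DEFAULT = [Rule("allow", direction="out"), BLOCK_ALL]   # constructed rule list
RULE_REMOVED = DEFAULT[:-1]                             # catch-all deleted
NARROW_ALLOW = DEFAULT[:-1] + [
    Rule("allow", "UDP", "in", FIREWALL + "/32", 5003),
    Rule("allow", "TCP", "in", FIREWALL + "/32", 5003),
    BLOCK_ALL,                                          # catch-all stays last
]

WEBBLOCKER = ("UDP", "in", FIREWALL, 5003)        # the flow denied in the log
UNSOLICITED = ("TCP", "in", "203.0.113.9", 8080)  # constructed unrelated inbound connection

def compare():
    """Return (WebBlocker verdict, unsolicited verdict) for each rule list."""
    sets = {"default": DEFAULT, "rule removed": RULE_REMOVED, "narrow allow": NARROW_ALLOW}
    return {name: (evaluate(r, WEBBLOCKER)[0], evaluate(r, UNSOLICITED)[0])
            for name, r in sets.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:13} webblocker={result[0]:5} unsolicited={result[1]}")
```

Only the third list lets the WebBlocker flow through while still denying the unrelated inbound connection.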