
Firewall "Error: nonexistent zone"



I run Internet Security with Interactive Mode firewall on several computers.

When I apply "Trusted Zone" as a remote IP constraint in a firewall rule, it shows up as "Error: nonexistent zone" in the "Remote" column of the table of firewall rules.

What's going on?

Thanks


Did you mark any of your LAN or WiFi adapter profiles (network connections) as Private in Windows Settings - Network & Internet - Adapter Type - Adapter Name - Profile, or Eset Setup - Network protection - Connected Networks - Properties?

Edited by zamar27

It appears you have never set up any network adapter connection in Eset. Note that your Eset Firewall Zones screenshot is empty. At a minimum, the Local and DNS addresses sections should be showing IP addresses:

[Screenshot: Eset_DNS.png]

Refer to the below screen shot to determine if any discovered network connections exist:

[Screenshot: Eset_Public.png]

Edited by itman

32 minutes ago, itman said:

It appears you have never set up any network adapter connection in Eset.

It's allowed, but not required, for a user to add anything in Eset Firewall Zones. Active network connections, if they exist, are auto-imported from Windows to Eset with their profiles, as well as all network adapters. Trusted zone should be computed by default for Private network connections, if they exist, such as Home or Office network, but not for Public networks.

Edited by zamar27

1 hour ago, zamar27 said:

It's allowed, but not required, for a user to add anything in Eset Firewall Zones. Active network connections, if they exist, are auto-imported from Windows to Eset with their profiles, as well as all network adapters. Trusted zone should be computed by default for Private network connections, if they exist, such as Home or Office network, but not for Public networks.

Agreed. However in the OP's case, it appears no network adapter connection is being recognized by Eset.

@jimmerthy post a screen shot of what is displayed in Eset's Known networks section as shown in my above reply.


I'm using Eset Firewall now in Interactive mode. I changed a network connection to Private in Windows, got the adapter in Trusted zone in Eset Setup-Network Protection-Connected Networks-Network Adapters, and still got the same error in Eset when adding a Trusted Zone to any Firewall rule.

There are some term variations here: in Windows the term Zone is used in Internet Options-Security, and aims at setting Security Levels for Internet browsing, initially by IE, but it applies to any browser now. The same term is not used in Windows Network Settings, being replaced with Private and Public networks with another set of rules. This might be a consequence of earlier IE integration by MS into Windows, where Internet Options became part of OS settings.

Windows Firewall and Defender seem to have a default set of rules (security levels) for each Zone defined in Internet Options, but a user can change the level for any zone. I wonder where Eset Firewall zones fit into this? It defines Trusted Zone somewhat similarly to Network Types in Windows, i.e. Trusted Zone seems to correspond to Private or Office network type, while inheriting Windows Network Adapter (connection) settings, which may include hidden Windows Firewall rules related to Security Level (zone) in Windows Internet Options.

It looks like an Eset staff Firewall expert should give a more accurate reply on how Eset Trusted Zone is calculated. Anyway, the trusted zone was not added to Advanced Firewall rules in my tests, showing "Error: nonexistent zone" despite a Private network being present, which seems to be an Eset Firewall bug.

 

 

Edited by zamar27

Ignoring the Trusted Zone issue for the time being, my primary concern is why the OP's DNS servers and Local address are empty in the Firewall zones GUI display. Those two areas need to be populated for the firewall to function properly.


No, there's no domain controller, it's a home network.

I'm not sure where 'localdomain' has come from actually. Its DHCP server is set to 192.168.254.254 but my home router is 192.168.1.1. Anyway, ESET > Home > Connected Home Monitor reports that 'Wired network 1' is the network that's in use.

The machine is a VM and it's sometimes connected via VMware Workstation's NAT and sometimes via Bridged. I suspect the 192.168.254.254 network may be VMware's NAT virtual network router.

I had come to assume that Windows' network classification (public vs. private) sort of corresponded to ESET's (not Trusted Zone vs. Trusted Zone). I've often wondered whether I'd be in a less confusing world if I let ESET manage whether a network is 'Public' or 'Home or office network' (prompting user on each new connection) rather than relying on 'Inherit from network adaptor'. I can't find the reference now, but I'm under the impression that Windows native UX now makes it difficult (or at least unintuitive) to change to/from private & public (if for example it was set up wrong the first time).


I've just checked this over more carefully as I now have a bit of time.

'Wired network 1' has been set with ESET 'protection type' 'Home or office network'.

Windows' category for the network was set to 'public' (so in disagreement).

I just flipped the Windows network to 'private' by setting Profiles\{GUID}\Category to '1' for the appropriate adaptor in Regedit and rebooted. It came back up as private as expected. I then changed the ESET 'protection type' to 'Use Windows setting' to hand control back to Windows so to speak. I was maybe hoping that would get rid of the 'Error: nonexistent zone' but it didn't.


So yes I agree that the weird bit seems to be the lack of anything populated in 'DNS Servers' and 'Local addresses' in Advanced Setup > Firewall zones.

On a machine affected by this problem, if I go to Setup > Network Protection > Connected networks > Network adapters, I can see that for the affected adaptor, Trusted Zone does have a sensible entry (192.168.1.0/24). Well, at least this matches what I see in the same dialog on a machine on the same network that's not affected by the problem.

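A way to collect the Windows-side values this thread compares against ESET's dialogs (network category, local subnet, DNS and DHCP servers), as an added example that is not part of any forum post. The helper name `Get-Ipv4Network` is made up for the example; the cmdlets are the standard Windows networking ones.

```powershell
# Added example: Windows-side view of each connected network, for comparison with
# ESET's "Firewall zones" and "Connected networks > Network adapters" dialogs.

function Get-Ipv4Network {
    # Hypothetical helper: mask an address with its prefix length,
    # e.g. 192.168.1.23 / 24 -> 192.168.1.0/24
    param([string]$Address, [int]$PrefixLength)
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        $bytes[$i] = $bytes[$i] -band $mask
    }
    '{0}/{1}' -f ($bytes -join '.'), $PrefixLength
}

$report = foreach ($conn in Get-NetConnectionProfile) {
    $idx = $conn.InterfaceIndex
    $ip  = Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue |
           Select-Object -First 1
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses
    $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex=$idx"

    [pscustomobject]@{
        Network    = $conn.Name              # e.g. the "localdomain" style name
        Adapter    = $conn.InterfaceAlias
        Category   = $conn.NetworkCategory   # Public, Private or DomainAuthenticated
        Address    = $ip.IPAddress
        Subnet     = if ($ip) { Get-Ipv4Network $ip.IPAddress $ip.PrefixLength }
        DnsServers = $dns -join ', '
        DhcpServer = $cfg.DHCPServer         # helps tell a VM NAT network from the home router
    }
}
$report | Format-Table -AutoSize

# Supported alternative to editing the profile's Category value in Regedit
# (elevated prompt; replace the placeholder with an InterfaceIndex from the report):
# Set-NetConnectionProfile -InterfaceIndex <InterfaceIndex> -NetworkCategory Private
```

If the Subnet and DnsServers columns are populated here while the matching ESET zone entries stay empty, the mismatch is on the ESET side rather than in the Windows adapter configuration.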

I am on Eset's Public profile. In spite of this, I had no problems creating both inbound and outbound rules specifying the Trusted Zone.

Now I do have the Firewall filtering mode set to "Automatic." So one factor might be your "Interactive" mode setting. To verify, temporarily switch to Automatic mode and see if you can now create a firewall zone specifying Trusted Zone.

Another factor might be the VM element you are running under. The Eset firewall might just not recognize Trusted Zone in that environment under the default global profile it uses. The Eset firewall by default applies all existing firewall rules to all recognized network adapters. I suspect the VM is using that "localdomain" Eset network connection and something about this setup is "confusing" Eset when it comes to finding the Trusted Zone.


3 hours ago, itman said:

Ignoring the Trusted Zone issue for the time being, my primary concern is why the OP's DNS servers and Local address are empty in the Firewall zones GUI display. Those two areas need to be populated for the firewall to function properly.

If you believe they need to be populated because they are on your PC, they are not on mine, and Eset Firewall functions somehow, I can see it in Interactive mode. They might be inherited from Windows settings as well, and hidden for that reason.

I now switched off VPN, changed WiFi to Private, noticed changes in Eset Network Adapters (it now shows local WIFI as Trusted Zone), switched from Interactive to Automatic Mode: and still no smoking cigar, the same error persists when adding Trusted Zone: "nonexistent zone".

One might assume some portions of Eset code require relogin or reboot while others don't. I also agree that a VM may represent a challenge to Eset when calculating Trusted Zone, unless defaults are populated by staff, since VM network connection types vary, and generally differ from physical PC connections. But I just run Eset on physical hardware, no VM, therefore it's safe to assume this is a bug. 😊

The question then is, why are your settings populated, and mine aren't? What's so special about your network or maybe other relevant settings? Can you try the same in Interactive mode? Does relogin or reboot play into it? For starters, my DNS server IPs come from the provider through the hardware chain and are therefore not visible to Eset, while yours may be manually entered into adapter IPv4 Properties?

Edited by zamar27

My best guess at this point is the issue is VM related. Since nothing is populated in Firewall Zones settings, you can't refer to any of the categories listed directly in the firewall rules.

What I would test is that the ESET firewall is functioning properly in the VM. What I suspect might be going on is it's just allowing all inbound and outbound traffic.

 

 


13 hours ago, itman said:

Since nothing is populated in Firewall Zones settings, you can't refer to any of the categories listed directly in the firewall rules.

There are many fields in Eset Settings inherited from Windows and not visibly populated.

The OP runs Eset in a VM, but I don't, and still have the same error. I don't know to whom you address your replies, but this is a public forum, many folks often report the same bugs. 😋 Eset doesn't pass all traffic freely, I can see it in Interactive mode, it pops up windows at each request. I can create new rules, just not with Trusted Zone.

I noticed an interesting practice though. Eset staff often fix bugs based on forum reports, and at times push fixes through daily updates. Folks still debate the bug, but it may be gone already. I think Eset staff should notify about fixes in such threads.

Edited by zamar27

12 hours ago, zamar27 said:

The OP runs Eset in a VM, but I don't, and still have the same error.

As I posted previously, I do not receive the error. Switch to the Public profile and create a firewall rule specifying the Trusted Zone. If you don't receive an error on the Public profile, then we can establish the problem lies on the Private/Home Network profile.


I tried all possible profiles already as reported above. The error persists. Did you manually enter DNS server IPs into the adapter IPv4 Properties in Windows? Or does Windows obtain them from your gateway modem?

Edited by zamar27

7 minutes ago, zamar27 said:

Did you manually enter DNS server IPs into the adapter IPv4 Properties in Windows? Or does Windows obtain them from your gateway modem?

Eset Network Protection acquires DNS server addresses based on the Windows network adapter it discovers at installation time. See the below screen shot. Additional Local Connection IP addresses are populated based on network adapter settings. On my Eset installation both IPv4 and IPv6 DNS server addresses are correctly populated.

[Screenshot: Eset_Ethernet.png]


Adapter use can change: today it's wired Ethernet, later it's WiFi, then a VPN virtual adapter. The Eset install may have happened long ago, and the internet provider and their DNS IPs may have changed since then too. Can you refer to an article that says DNS IPs inherited from Windows must be visible in Firewall Zones? I sent a request to tech support using the form since Marcos never replied, but the Eset server replies "store.esetme.com’s server IP address could not be found."


  • Administrators

Regarding no IP addresses of DNS servers and local addresses in the Zones setup, further investigation will be needed. Therefore it is necessary to open a support ticket with your local customer care. Does the error on the web page occur when you click Submit support request in gui and a web wizard for contacting customer care opens?


No, the error occurs when submitting this Form. Also, the actual issue is it's impossible to add Trusted Zone to firewall rules in some installations.


44 minutes ago, zamar27 said:

Can you refer to an article that says DNS IPs inherited from Windows must be visible in Firewall Zones?

As far as I am aware, Eset firewall Zone categories are nothing more than a "shorthand" method to refer to multiple IP addresses. They are only used in firewall rule creation for that specific case. The fact that IP addresses are not shown in the DNS address zone is irrelevant since that zone is never specifically referenced in the Eset default firewall rules. The most important zone is the Local Addresses zone and, for the Work or Home network profile, the Trusted Address zone, since these zones are referenced in multiple Eset firewall default rules.

The above said, the fact that IP addresses are not being populated to their respective firewall Zone categories would be indicative that Eset is not properly interfacing with the device's active network adapter connection.

It appears to me that something is "busted" firewall-wise in your and the OP's Eset installation in regards to this "Error: nonexistent zone" message. For a test you can create a firewall rule specifying the DNS address zone and see if the same error message manifests. 

