Logging of dropped packets/blocked connections in Interactive Firewall mode

[Marcos 5,074]

22 hours ago, SeriousHoax said:

Description: Logging of dropped packets/blocked connections in Interactive Firewall mode

Detail: When I deny access to something in Interactive firewall mode there's no way to later check what site that particular app tried to connect. It would be very useful if all the dropped packets can be log so that one can later check everything and do the research if required. This logging shouldn't be enabled by default but there should be an option to enable that when the user activate Interactive mode from advanced settings.

You can enable logging of blocked communications, however, this is not recommended as the firewall log may grow quickly.

[SeriousHoax 83]

6 hours ago, Marcos said:

You can enable logging of blocked communications, however, this is not recommended as the firewall log may grow quickly.

Can you please tell me the process of enabling that? I am looking for blocked communication logs only. As most of the things are allowed by my rules the blocked log will not be huge for me.

[itman 1,659]

3 hours ago, SeriousHoax said:

Can you please tell me the process of enabling that?

Appears to be the setting indicated in the below screen shot. Also, enabling this will most likely create log entries for all network activity; not just blocked connections:

[SeriousHoax 83]

3 hours ago, itman said:

Appears to be the setting indicated in the below screen shot. Also, enabling this will most likely create log entries for all network activity; not just blocked connections:

You're right. This is for all network activity. There's no way to log blocked communications in interactive firewall mode.

[Marcos 5,074]

I forgot, this was moved to diagnostic logging in the past:

[SeriousHoax 83]

3 minutes ago, Marcos said:

I forgot, this was moved to diagnostic logging in the past:

I'm sorry I'm still confused. If I select diagnostic then it will log blocked connections?

[itman 1,659]

4 minutes ago, Marcos said:

I forgot, this was moved to diagnostic logging in the past:

That option still exists. But enabling it will cause everything to be written to all log files.

[SeriousHoax 83]

4 minutes ago, itman said:

That option still exists. But enabling it will cause everything to be written to all log files.

I see. This isn't an ideal solution since I'm looking for blocked firewall log only.

[itman 1,659]

The only way I know of to log blocked network connections when the firewall is set to Interactive mode is to create an Ask rule to monitor any network inbound and outbound traffic for any protocol. Set the Event log level to Diagnostic - maybe. I am not sure that the Diagnostic level will write a log entry for manually responded to Ask level rules but I believe it does so for blocked activity. Otherwise, you will have to experiment with the other logging level options.

The restriction with the above is the created Ask rule must always be at the end of the existing rule set. Which means every time a new firewall rule is created, this Ask rule must also be manually moved to the end of the existing rule set.

Edited April 5, 2020 by itman

[itman 1,659]

A bit of Eset history here.

As I recollect, this above noted end of rule set Ask rule used to be generated automatically when the firewall was set to Interactive mode. Eset eliminated the rule when it added the Network Wizard feature; a feature I really don't care for.

[itman 1,659]

Reflecting on my previous above Eset history posting a bit, I always viewed this as an Eset screw up. The way things should work when firewall Interactive is enabled are as follows:

1. Network Wizard is internally disabled since it is non-applicable.

2. An Eset default Ask rule as described previously is auto generated at the end of the existing rule set. As with all Eset default firewall rules, the only thing modifiable would be the Event log setting.

3. Any firewall rules created thereafter in Interactive mode would always be created prior to the generated default Ask rule.

When Interactive mode is changed to another mode, the above actions would be reversed; Network Wizard enabled and default Ask rule deleted.

[SeriousHoax 83]

1 hour ago, itman said:

The only way I know of to log blocked network connections when the firewall is set to Interactive mode is to create an Ask rule to monitor any network inbound and outbound traffic for any protocol. Set the Event log level to Diagnostic - maybe. I am not sure that the Diagnostic level will write a log entry for manually responded to Ask level rules but I believe it does so for blocked activity. Otherwise, you will have to experiment with the other logging level options.

The restriction with the above is the created Ask rule must always be at the end of the existing rule set. Which means every time a new firewall rule is created, this Ask rule must also be manually moved to the end of the existing rule set.

I just tried this. It works when the log is set to Information/Warning. But it only logs ip addresses not domains 😕

Edited April 5, 2020 by SeriousHoax

[SeriousHoax 83]

10 minutes ago, itman said:

Reflecting on my previous above Eset history posting a bit, I always viewed this as an Eset screw up. The way things should work when firewall Interactive is enabled are as follows:

1. Network Wizard is internally disabled since it is non-applicable.

2. An Eset default Ask rule as described previously is auto generated at the end of the existing rule set. As with all Eset default firewall rules, the only thing modifiable would be the Event log setting.

3. Any firewall rules created thereafter in Interactive mode would always be created prior to the generated default Ask rule.

When Interactive mode is changed to another mode, the above actions would be reversed; Network Wizard enabled and default Ask rule deleted.

I didn't even notice this network wizard. What is its purpose?

[itman 1,659]

1 minute ago, SeriousHoax said:

But it only logs ip address not the domain

That's by design since the firewall only supports IP addresses. Ditto for most other firewalls.

[SeriousHoax 83]

2 minutes ago, itman said:

That's by design since the firewall only supports IP addresses. Ditto for most other firewalls.

Oh. But since Eset's interactive mode can show the domain it wouldn't hurt to log this info also.

[itman 1,659]

16 minutes ago, SeriousHoax said:

I didn't even notice this network wizard. What is its purpose?

That's an interesting question and the answer depends on why the feature was developed.

Basically it's a way for nob users to auto create a firewall rule for a connection Eset blocked. By simply clicking on the Unblock tab, a "permissive" firewall rule as the Eset mods phrase it is created. "The devil in the detail" is the rule created is just that - permissive. For example if a program network communication is blocked, the rule created will allow all network communication for the program.

The main problem with Network Wizard is you have no idea that Eset blocked any network connections unless you open the Eset GUI and then Network Settings.🙄

Edited April 5, 2020 by itman

[SeriousHoax 83]

7 minutes ago, itman said:

That's an interesting question and the answer depends on why the feature was developed.

Basically it's a way for nob users to auto create a firewall rule for a connection Eset blocked. By simply clicking on the Unblock tab, a "permissive" firewall rule as the Eset mods phrase it is created. "The devil in the detail" is the rule created is just that - permissive. For example if a program network communication is blocked, the rule created will allow all network communication for the program.

Oh. It never occurred to me so I haven't notice this yet.

[itman 1,659]

In regards to my above recommendations posting: https://forum.eset.com/topic/23153-logging-of-dropped-packetsblocked-connections-in-interactive-firewall-mode/?do=findComment&comment=112031 , it appears presently that a hidden "Ask" rule is run after all existing firewall rules have been parse in Interactive mode. 

As such, I would recommended that Eset by default log all activity resulting from a firewall alert while in Interactive mode. Eset rule creation is not the "most straightforward" process in that Advanced settings must be accessed and appropriate check boxes marked. Or simply the Allow action is selected, and a permissive rule created. Having a log entry showing all applicable original network activity as a reference point would be very beneficial in post event forensic analysis.