AlanF 0 Posted August 28, 2023

Hi All,

I'm trying to receive notifications to my desktop machine running Internet Security v16.2.13.0 and can't get it to work. I've confirmed the notifications are being successfully sent to my machine. The firewall isn't showing anything as blocked during the time they are sent.

I've set up firewall rules:

To allow bidirectional traffic for https://fcm.googleapis.com and fcm.googleapis.com.
To open ports 5228, 5229, and 3230 for inbound notifications.

But the notifications are still being blocked. Any ideas as to what the problems are? The desktop does receive other notifications such as from Slack.

Administrators Marcos 5,451 Posted August 28, 2023

Did you try to allow the communication via this option?

AlanF 0 Posted August 28, 2023 Author

Nothing is showing up there as being blocked.

Administrators Marcos 5,451 Posted August 28, 2023

Does temporarily pausing the firewall, protection or temporarily disabling Network traffic scanner actually make a difference?

AlanF 0 Posted August 28, 2023 Author

Trying that, am waiting for the next notification.

Administrators Marcos 5,451 Posted August 28, 2023

1 hour ago, AlanF said:
"It does not."

What about temporarily uninstalling ESET?

itman 1,801 Posted August 28, 2023

2 hours ago, AlanF said:
"I've setup firewall rules: To allow bidirectional traffic for https://fcm.googleapis.com and fcm.googleapis.com. To open ports 5228, 5229, and 3230 for inbound notifications."

Ensure logging level for that rule is set to warning level. Afterwards, check Eset Network protection log for entries related to this rule.

If no log entries exist, it means the firewall rule is never being executed. This would also explain why you are not receiving any notifications from the rule.

AlanF 0 Posted August 28, 2023 Author

They were not set to warning, will see what happens now...

AlanF 0 Posted August 29, 2023 Author

Nothing has changed. Does any of this direction from the notification service create a new idea?

"if you did not get it, something is still blocking on your end

For receiving notifications

If your organization has a firewall that restricts the traffic to or from the Internet, you need to configure it to allow connectivity with FCM in order for your client apps to receive messages.

FCM (Google Android and Chrome Push Notifications)

The ports to open are: 5228, 5229, and 5230. FCM typically only uses 5228, but it sometimes uses 5229 and 5230. FCM doesn't provide specific IPs, so you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.

From the "Firewall" note: https://firebase.google.com/docs/cloud-messaging/concept-options"

itman 1,801 Posted August 29, 2023

First, you also need to allow port 443;

Quote:
"TCP ports to open: 5228 5229 5230 443"

Next, your Eset firewall is allowing inbound traffic to these local ports. However this wording;

23 minutes ago, AlanF said:
"so you should allow your firewall to accept outgoing connections"

leads me to believe the above ports should be specified as remote ports. You need to clarify this with Google.

Finally, you state;

23 hours ago, AlanF said:
"To allow bidirectional traffic for https://fcm.googleapis.com and fcm.googleapis.com."

Eset firewall requires IP addresses only; not domain names. You therefore have to code as remote IP addresses all those noted here;

30 minutes ago, AlanF said:
"to all IP addresses contained in the IP blocks listed in Google's ASN of 15169."

Administrators Marcos 5,451 Posted August 29, 2023

Please answer my previous question if temporarily uninstalling ESET makes a difference. You have already confirmed that pausing the firewall didn't help so any changes to the firewall configuration won't resolve the issue either.

itman 1,801 Posted August 29, 2023

2 hours ago, Marcos said:
"You have already confirmed that pausing the firewall didn't help so any changes to the firewall configuration won't resolve the issue either."

I should have posted this comment first.

It appears this Google FCM notification network traffic is inbound only? Most current routers/gateways today employ a stateful firewall. This means that the router/gateway is going to block any inbound TCP network traffic unless it's a result of a prior outbound network request. Therefore, it is very possible this inbound Google FCM notification network traffic is never reaching the LAN side of the router/gateway where it would be then processed by the Eset firewall.

If this is the case, a "pinhole" or router/gateway firewall rule must be created to allow this unstateful inbound network traffic.
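
Added example, not written by any poster in this thread: the Firebase note quoted above speaks of outgoing connections on ports 5228 to 5230, so one way to see where the path breaks is to attempt outbound TCP connections on those ports from the desktop itself and classify the result. The host mtalk.google.com is an assumption that is not named in the thread; the function names are illustrative.

```python
import socket

# Ports from the Firebase note quoted in the thread, plus 443 from the reply.
# Assumption: mtalk.google.com as the FCM connection host is not named in the
# thread; check it against the linked Firebase page before relying on it.
TARGETS = {"mtalk.google.com": (5228, 5229, 5230), "fcm.googleapis.com": (443,)}


def probe(host, port, timeout=5.0):
    """Try one outbound TCP connection and classify what happened."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    result = "no-address"
    for family, socktype, proto, _name, sockaddr in addrs:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                return "open"            # handshake completed
            except ConnectionRefusedError:
                result = "refused"       # RST: host reachable, port closed or rejected
            except socket.timeout:
                result = "filtered"      # silence: typically a drop rule on the path
            except OSError:
                result = "unreachable"   # no route, network down, etc.
    return result


def survey(targets=TARGETS, timeout=5.0):
    """Probe every (host, port) pair and return {(host, port): status}."""
    return {(h, p): probe(h, p, timeout)
            for h, ports in targets.items() for p in ports}


def blocked(results):
    """List the pairs that did not connect, for comparison with firewall logs."""
    return sorted(k for k, v in results.items() if v != "open")


if __name__ == "__main__":
    res = survey()
    for (host, port), status in sorted(res.items()):
        print(f"{host}:{port:<5} {status}")
    print("not reachable:", blocked(res) or "none")
```

A "filtered" or "refused" result on a port gives a concrete connection attempt, with a timestamp, to look for in the desktop firewall log and the router log.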