karsayor 8 Posted November 30, 2023
I have an issue with the endpoint firewall that is allowing a connection that should not be allowed. My two Domain Controllers are able to browse computers on port 445 (SMB); all other computers and servers are not able to browse the computers. It must be related to one of the default rules, but I do not know which one. Since I'm not able to turn on logging of allowed connections, I do not have any idea of what's happening and which rule is allowing this traffic. How can I enable full logging of the firewall to be able to see which rule is used to allow a connection? Thanks!

Administrators Marcos 5,397 Posted November 30, 2023
You can temporarily enable logging or notifications also for the default rules, including the permissive ones.

karsayor 8 Posted November 30, 2023 Author
But how do I do this? Sorry, I tried to check but was unable to find out!

itman 1,786 Posted November 30, 2023
1 hour ago, karsayor said:
My two Domain Controllers are able to browse computers on port 445 (SMB); all other computers and servers are not able to browse the computers. It must be related to one of the default rules, but I do not know which one

I don't have an Eset Server product installed, but I assume the below client firewall rules are still applicable. Eset firewall has two default rules in regard to Win shared files and printers: one for outbound activity and one for inbound activity. Below is the default outbound rule:
This outbound rule is applicable to all Eset firewall profiles. However, the corresponding inbound default firewall rule only allows inbound network traffic for the Eset Private firewall profile.

Solution karsayor 8 Posted December 1, 2023 Author
Hello,
So I could enable logging of allowed traffic as well. But it only worked on the client; allowed logs were not uploaded to ESET Protect Appliance, I don't know why. The issue is that somehow the built-in default rules were messed up and the rule "Block incoming NETBIOS requests" was no longer there, replaced by a duplicate of rule 31! Left is the built-in rules when creating a new Policy, right was the built-in rules in the policy that caused issues. So I backed up custom rules, disabled the "Rules" setting in the policy, saved, and reconfigured. Then it worked correctly. I don't know what messed up the rules, since you cannot modify them manually.