
Firewall rules not taking effect



Hi

I have two issues with the ESET firewall. Because it is possible that one issue is the cause of the other, I decided to post only one thread instead of two separate threads.

OK, here we go, this is the scenario:

I have a number of client PCs on our networks which need open ports. So I created a FW rule to allow certain ports to be open. In the "main view" of Personal Firewall the "rule" section is set to "apply" (the other option would be "force" - what's the difference in behavior here?).

However, the rule just doesn't work and incoming traffic is blocked!

(Management via ESET remote server.)

Firewall settings: Automatic mode / Screenshot of my rule is attached

In my desperation I then set the FW of those clients to "training/learning" mode. When I logged into the remote clients via RDP I saw like 50 pop-ups that there was an error with the rule creation. I checked the permissions of the "EpfwUser.dat" and the permissions are OK - additionally the user on those clients I was working with was the admin account.

Can the error with rule creation in "learning mode" also be the reason why my rules via ERA admin are not working either?

Any suggestions what to try next?


ESET Staff

Hello, this behavior happens due to the way firewall / ERA configuration is currently handled.

When you manage the FW via ERA, the configuration on the Endpoint is read-only (regardless of whether you set the "apply" or "force" flag). The difference between the "force" and "allow" flags is that when a setting is set with the "force" flag, it prevents it from being overwritten with a setting from another policy which is lower in the hierarchy (you can have the same setting set to "ON" on the "root" (all) level, and you can have it set to "OFF" on the specific group / client level. If both policies have the same setting with "apply", the lower one (client/group) will overwrite the root policy. However, if the "root" was set to "force", its value will be kept regardless of the lower policies).

The issue is that when you define one "master" FW policy and some "more specific" policies, it handles them as "one setting", meaning that it overwrites the master list with the specific exclusion. This behavior will be changed in the upcoming versions of ERA / Endpoint, where it will be possible to merge lists in policies.

If you put the FW into "learning mode" and you still keep the "rules set" with either the "apply" or "force" flag, it won't work, as the Endpoint client will not be able to save generated rules into the configuration, as the configuration is "read only" due to the list being enforced from ERA. So it will work only if you remove the policy flag from the list. You can then "request the Endpoint configuration" via a task and convert it into the policy for the requested clients. That is a current workaround that popped into my mind. However, as said above, it will be changed in the upcoming release of ERA 6.5 and Endpoint 6.5 which are scheduled for December (but it might happen that they will be released in January).

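The precedence behaviour the staff reply describes (a lower "apply" overrides an upper "apply", an upper "force" wins regardless, a rule list counts as one setting and is replaced rather than merged, and any managed setting is read-only on the endpoint) is easier to reason about as a small model. The following is an added illustration written for this thread, not ESET code and not how ERA is implemented internally; the policy names, setting keys and rule strings are constructed sample values.

```python
"""Model of ERA-style policy precedence as described in the reply above.

Constructed illustration, not ESET code. A policy sets a value on a setting
together with a flag, "apply" or "force". Policies are evaluated from the
root (all) level down to the most specific group/client policy.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

APPLY = "apply"
FORCE = "force"


@dataclass
class Policy:
    """One policy: a name plus the settings it defines.

    settings maps a setting key to (value, flag). Keys and values used
    below are constructed for illustration only.
    """
    name: str
    settings: dict[str, tuple[Any, str]] = field(default_factory=dict)


def resolve(chain: list[Policy]) -> dict[str, tuple[Any, str, str]]:
    """Resolve a chain ordered from root (index 0) to most specific (last).

    Returns key -> (effective value, flag that set it, policy that set it).
    A lower "apply" overrides an upper "apply"; an upper "force" is kept
    regardless of lower policies. A list value (such as a firewall rule
    list) is one setting, so the whole list is replaced, never merged.
    """
    effective: dict[str, tuple[Any, str, str]] = {}
    for policy in chain:
        for key, (value, flag) in policy.settings.items():
            if flag not in (APPLY, FORCE):
                raise ValueError(f"{policy.name}/{key}: unknown flag {flag!r}")
            current = effective.get(key)
            if current is not None and current[1] == FORCE:
                continue  # an upper-level "force" wins; this policy is ignored
            effective[key] = (value, flag, policy.name)
    return effective


def endpoint_can_save(effective: dict[str, tuple[Any, str, str]], key: str) -> bool:
    """Whether the endpoint may write this setting locally.

    Per the reply, a setting carried by any ERA policy (either flag) is
    read-only on the endpoint. That is why learning mode cannot save the
    rules it generates into a rule list that a policy already manages.
    """
    return key not in effective


# Constructed sample policies (hypothetical keys, ports and ranges).
ROOT = Policy("root", {
    "firewall.enabled": (True, APPLY),
    "firewall.rules": (["allow in tcp 3389 from 10.0.0.0/24"], APPLY),
})
GROUP = Policy("group-clients", {
    "firewall.enabled": (False, APPLY),
    "firewall.rules": (["allow in tcp 445 from 10.0.0.0/24"], APPLY),
})
ROOT_FORCED = Policy("root", {
    "firewall.enabled": (True, FORCE),
    "firewall.rules": (["allow in tcp 3389 from 10.0.0.0/24"], FORCE),
})


if __name__ == "__main__":
    for label, chain in (("both apply", [ROOT, GROUP]),
                         ("root forced", [ROOT_FORCED, GROUP])):
        eff = resolve(chain)
        print(label)
        for key, (value, flag, src) in eff.items():
            print(f"  {key} = {value!r}  ({flag} from {src})")
        print("  endpoint may save firewall.rules:",
              endpoint_can_save(eff, "firewall.rules"))
```

Note that in the "both apply" case the root's 3389 rule disappears entirely once the group policy sets its own rule list, which is the list-overwrite behaviour the reply says later ERA versions will change to a merge.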

Hi MichalJ

Thank you for your answer.

Hello, this behavior happens due to the way firewall / ERA configuration is currently handled.

When you manage the FW via ERA, the configuration on the Endpoint is read-only

OK, I get that, as this explains the error messages on my clients after I set learning mode with the policy still in the list.

when a setting is set with the "force" flag, it prevents it from being overwritten with a setting from another policy which is lower in the hierarchy (you can have the same setting set to "ON" on the "root" (all) level, and you can have it set to "OFF" on the specific group / client level. If both policies have the same setting with "apply", the lower one (client/group) will overwrite the root policy. However, if the "root" was set to "force", its value will be kept regardless of the lower policies).

The issue is that when you define one "master" FW policy and some "more specific" policies, it handles them as "one setting", meaning that it overwrites the master list with the specific exclusion. This behavior will be changed in the upcoming versions of ERA / Endpoint, where it will be possible to merge lists in policies.

Mhh, I only have one single policy for those clients with all the settings I need - so no root or any other policy that can interfere. So this does not explain why my FW rule is not enforced (see screenshot - currently the FW is set to off so that people can work :-) ).

I even created a very simple rule and only listed the ports and IP range and left anything else empty - from my previous work with FWs, this should open all the listed ports on all clients in/for this IP range - it didn't work...

If you put the FW into "learning mode" and you still keep the "rules set" with either the "apply" or "force" flag, it won't work, as the Endpoint client will not be able to save generated rules into the configuration, as the configuration is "read only" due to the list being enforced from ERA. So it will work only if you remove the policy flag from the list. You can then "request the Endpoint configuration" via a task and convert it into the policy for the requested clients. That is a current workaround that popped into my mind. However, as said above, it will be changed in the upcoming release of ERA 6.5 and Endpoint 6.5 which are scheduled for December (but it might happen that they will be released in January).

So to use "learning mode" I have to remove/delete my defined rule (so that the list is empty) - correct? Or does disabling the "rule" via the trash bin icon suffice (the rule seems still to be present then)?

The problem with the unsolved issue above is that when I set learning mode now and then convert it all to rules, everything will be working until I have to change anything - I would have to delete all rules and do learning mode all over again, because currently my manual rule just wasn't enforced, so newly created rules later on will also not work...


Edited by ichkriegediekriese

Hi

I just duplicated my rules and configured one in learning mode and the other one with the FW on and my manually set rule, with the only difference that the rules are now set to "force" instead of "apply".

I did then apply the latter rule to one of the clients; the FW has changed to "on" (it was off before) and I haven't gotten a call yet... maybe it is working this way - however, during testing yesterday at night I had the feeling that FW rules/policies were only correctly applied after a fresh boot.


Hi

After setting my rule to "force" it is now working properly. However, it is strange that it doesn't work via "apply", as this is the only policy for that client and group besides the ERA policy (but there the FW isn't defined) - possible bug?

For another group I ran the "learning mode" successfully. I searched/read the KB and am still a little confused how the learning mode works in regards to the policy in/for groups - does it collect data for each client and only use the generated rules on that specific client, or is the collected data merged into the policy rule which is then distributed to all clients with that policy while set to "automatic mode"? And where can I see the generated rules from the learning mode to check?

thx :-)
