Firewall allow rule with server name (name syntax)
I have a rule named "IT-ylläpito", and in it I have a list of IP subnets and an FQDN server name, all written exactly in the syntax that the guide text at the bottom of the window instructs.
But still, I get these alerts from several clients. And the strangest thing is that not all clients are alerting, only some of them. How should I write the address so that it would be valid? I think this problem didn't exist last year, but I have seen it for the last couple of months.
It's the Windows OS's responsibility to resolve DNS names for Windows Firewall rules. If it fails to resolve them, the rule is applied only partially, and you get the alert in the PM console.
This fact can also explain why some hosts with the same rules are sending alerts and some are not - they don't have problems with resolving.
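As an added illustration (not from the original thread or from F-Secure's own code), the following Python models the behaviour described above: subnet entries apply immediately, while an FQDN entry only contributes addresses if the host can resolve it, so a failed lookup leaves the rule partially applied. The rule entries and the resolver table are constructed; `resolve_with_socket` is the real resolver you would plug in on a live host.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample modelled on the thread: IP subnets plus one FQDN.
# The FQDN is a placeholder, not a real server from the original post.
RULE_ADDRESSES = ["10.10.0.0/16", "192.168.50.0/24", "fileserver.example.invalid"]


def is_literal(entry: str) -> bool:
    """True if the entry is an IP address or CIDR subnet (no DNS needed)."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def resolve_with_socket(name: str) -> List[str]:
    """Live resolver: all A/AAAA addresses for the name, or raises OSError."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def apply_rule(entries: List[str], resolver: Callable[[str], List[str]]) -> Tuple[List[str], List[str]]:
    """Mimic what the host does when it applies the rule.

    Literals go straight in; names are resolved. Returns (applied, unresolved).
    A non-empty 'unresolved' list is the partially applied state that raises
    the Policy Manager alert, so running this check before deploying a rule
    shows which entries depend on DNS being available at apply time."""
    applied, unresolved = [], []
    for entry in entries:
        if is_literal(entry):
            applied.append(str(ipaddress.ip_network(entry, strict=False)))
            continue
        try:
            addrs = resolver(entry)
        except OSError:
            addrs = []
        (applied.extend(addrs) if addrs else unresolved.append(entry))
    return applied, unresolved


def table_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Offline stand-in for DNS: resolves only names present in the table."""
    def _resolve(name: str) -> List[str]:
        if name not in table:
            raise socket.gaierror(f"cannot resolve {name}")
        return table[name]
    return _resolve


if __name__ == "__main__":
    on_lan = table_resolver({"fileserver.example.invalid": ["10.10.5.20"]})
    print(apply_rule(RULE_ADDRESSES, on_lan))   # fully applied
    print(apply_rule(RULE_ADDRESSES, table_resolver({})))  # partial, alert expected
```

Swapping `table_resolver(...)` for `resolve_with_socket` reproduces the real lookup on a given host, which is a quick way to compare an alerting client with a quiet one.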
Hi, we need to investigate further.
1) Submit a support case - https://www.f-secure.com/en/business/support-and-downloads/support-request
2) Include Policy Manager screenshots and FSDiag
3) Include debug logs from the affected host with Client Security:
Follow the steps below:
- Download the debug tool from download.f-secure.com/support/tools/CCF-logging-tool/fsloglevel.exe
- Double click fsloglevel.exe
- Select Full Logging
- Click OK
- Restart the computer
- Reproduce the steps that caused the original problem, and take note of the exact time of the problem
- Generate an FSDIAG diagnostic file by following the steps explained in this link: https://community.f-secure.com/common-home-en/kb/articles/5427-how-do-i-create-an-fsdiag-file
- Run the fsloglevel.exe tool a second time after submitting the logs
- Click on Normal Logging to turn off the debug mode (debug mode slows down the machine slightly)
Ok, this might be the case with users booting their laptops outside the company network. But I see this error also on desktops which are located at our office. Strange.
If a laptop can't resolve DNS during boot, will the ruleset fix itself after the user connects to the VPN and F-Secure is able to do the DNS query? Or will the ruleset remain in a "failed" state?
With this information, I will now change all internal server names into IP addresses, so I won't get this DNS-related error in Policy Manager anymore.
We have several events which lead to re-applying the rules:
- changes in FS firewall settings, including change of active profile
- any FW rules change events (both Windows and FS)
- changes in FW registry
So, if you have FW profile auto-selection turned on and the profile changes when hosts shift inside <-> outside the company, then the rules will be re-applied for sure. In other cases they may not be.
Case solved, and Vad's message ticked as "Accepted Answer". Thanks!
Now I have had my firewall rules created with IP addresses for a couple of weeks, not a single FW rule with DNS names anymore. The Policy Manager alerts list has clearly calmed down; only a couple of alerts are coming from clients which had been disconnected a long time and are now connecting again. But when they get the new IP-based ruleset, they don't give the same alerts anymore.