Mixed Clients V13/V14 - Firewall - How to / best practice ?

Regular Member

Mixed Clients V13/V14 - Firewall - How to / best practice ?

Hi,

 

What should I do in a mixed environment with clients that are running 13.11? I have "Office file and printer sharing" as the active profile, and we have the Windows Firewall disabled by policy for the domain.

FSCS14 runs its firewall only when the Windows Firewall is up and active.

FSCS13 runs its own firewall, and the Windows Firewall is disabled by GPO. If I enable it again, I assume both firewalls will be active and there might be conflicts, because the Windows Firewall is in an unconfigured state with the standard Windows settings ...

What are the best practices for that situation / for the migration?

 

Best regards

Robert

24 REPLIES
Moderator

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Hello @Rob-K

 

It's a good question, but we have no other option or feature available in Policy Manager 14. Running both CS 13.x and CS 14.x in the same environment is not a good idea, because when a GPO is applied at the domain level, it affects all the users and computers belonging to that particular domain. That being said, GPOs don't flow from parent to sub-domain.

The best practice is to upgrade all the users' machines to the latest version of Client Security 14 before switching from Group Policy Objects (GPO) to managing the firewall settings through Policy Manager. Moreover, F-Secure's firewall profiles provide an additional security layer on top of the Windows Firewall user rules and other domain rules. The F-Secure firewall profiles or rules are not applied if the Windows Firewall is off. Therefore, we recommend that you always keep the firewall on.

Of course, there is an alternative way to manage the older version. For that, you need to create a new domain for those using the older version, Client Security 13.x.

Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Uhmmm ... not good. We have over 1200 clients with 13.11 running. Many notebooks and also desktop PCs ...

As far as I understand your post, it will result in a security gap until the Windows Firewall is active and V14 is operational.

When I start upgrading the clients to v14, the GPO with the Windows Firewall off is still in place ... so all clients which get v14 will have no firewall active. Worst case: a field guy connects via VPN to the network, gets the new F-Secure Client Security and disconnects again. After a reboot his PC is no longer protected. I cannot control when he accesses the network again (we have subsidiaries in China, the US, Canada and all over Europe).

Bad, bad, bad ...

Another question ... my rules and services that I have created for 11.xx, 12.xx and 13.xx ... will they be automatically adapted to V14, or do I need to recreate them again?

You say that the FSCS Firewall Profile will bring an additional security advantage. In fact I am not so sure. What advantage does it bring to me? I can also use GPO to configure the advanced firewall settings ...

 

Moderator

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Hello @Rob-K,

 

Currently, the recommended path is to set the Windows Firewall as Not Configured in the GPO, so that there are no conflicts caused when upgrading to the latest version of Client Security 14. But as soon as you change the settings in the GPO, the firewall is automatically turned on after installing Client Security 14.00, unless explicitly disabled in the policies.

About a mixed environment of older and new versions of CS, sorry for my ignorance: our Policy Manager ver14 provides management for both new and old versions of the firewall settings. May I ask you to check pages 80 and 81 of the admin guide.

The additional security layer on top of the Windows Firewall user rules and other domain rules meant:

  • The network services list is now treated as a global dictionary, which is the same for all Policy Manager administrators.
  • Internet Shield's Application control feature is no longer supported in Client Security 14.00 and is superseded by a new version of Application control. To better reflect the nature of the old Application control, it is renamed to Network access control.

 

M_M
Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

One part of the question has not been answered:

"Another question ... my rules and services that I have created for 11.xx, 12.xx and 13.xx ... will they be automatically adapted to V14 or do I need to recreate them again?"

Aspirant

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

I had to re-create mine, but maybe there is a way to import/copy? Someone from F-Secure would need to explain that. I had to create new services and new rules, but I just opened a Policy Manager window next to my VM and then copied the settings over with them side by side.

Superuser

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Just don't try to simply copy what you had. Use the chance to revamp the firewall settings.
The whole thing is so new that a clear path is not that easy atm.

The biggest difficulty is to understand two things:
1) There are no longer rulesets of the same name that "belong" to a subdomain. Now all rulesets only exist once, at root level. So if your rulesets differed in a V13 subdomain, you need to create a clone for V14. BUT as a clone is an independent ruleset not inheriting anything, keep their number small; otherwise you will have a lot of changes to copy when some of the common rules change.

2) In the Windows Firewall, rules have no order. All rules that match will fire!
Example:
deny 10.10.10.15/32
allow 10.10.10.0/24  does not work, as access will be granted by the second rule.
For that reason the new "Office LAN" ruleset no longer has deny rules.
Note that "Unknown outbound connections" is [block]!

Clean up and rethink your rulesets - keep them small and simple.

Nevertheless, it would be interesting to see WHAT services you created besides those that already exist.

M.

Matthias
----------
perComp is a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntarily and to my best knowledge based on working with the products since 1997. Direct contact for customers please check our homepage http://www.percomp.de
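Two small checks for the "rules have no order" point above, as an added example (not code from the post, from F-Secure or from perComp): the first flags allow/deny pairs whose remote networks overlap for the same service, i.e. the pairs whose outcome would depend on list position in an ordered firewall; the second shows how to rewrite such an allow rule without a deny rule at all by carving the denied addresses out of the allowed network. The rule model, names and the sample ruleset are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    remote: str    # remote network in CIDR notation
    service: str   # e.g. "smb", "rdp", or "any"

def services_meet(a: Rule, b: Rule) -> bool:
    # "any" matches every service, otherwise the service names must be equal
    return a.service == b.service or "any" in (a.service, b.service)

def overlapping_opposites(rules):
    """Pairs (name_a, name_b) with opposite actions, overlapping remote networks
    and a common service. In an unordered firewall these pairs are the ones
    to redesign, because list position cannot decide which rule applies."""
    findings = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action == b.action or not services_meet(a, b):
                continue
            if ipaddress.ip_network(a.remote).overlaps(ipaddress.ip_network(b.remote)):
                findings.append((a.name, b.name))
    return findings

def split_allow(allow_net, deny_nets):
    """Return the sub-networks of allow_net that are NOT covered by any deny net,
    so the allow can be expressed as several positive rules and the deny dropped."""
    remaining = [ipaddress.ip_network(allow_net)]
    for deny in map(ipaddress.ip_network, deny_nets):
        nxt = []
        for net in remaining:
            if not net.overlaps(deny):
                nxt.append(net)              # untouched by this deny
            elif deny.subnet_of(net) and deny != net:
                nxt.extend(net.address_exclude(deny))  # carve the hole out
            # else: net lies entirely inside the deny and is dropped
        remaining = nxt
    return sorted(remaining)

# constructed sample ruleset in the style of the post's example
RULES = [
    Rule("Allow office LAN SMB", "allow", "10.10.10.0/24", "smb"),
    Rule("Deny rogue host", "deny", "10.10.10.15/32", "any"),
    Rule("Allow branch RDP", "allow", "10.10.20.0/24", "rdp"),
]

if __name__ == "__main__":
    print(overlapping_opposites(RULES))
    print([str(n) for n in split_allow("10.10.10.0/24", ["10.10.10.15/32"])])
```

The carved-out allow for 10.10.10.0/24 minus 10.10.10.15/32 yields eight networks; whether eight positive rules are worth it or the host is better blocked on the server side is exactly the "keep it small and simple" judgement the post argues for.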

M_M
Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

After the Windows Firewall is enabled, all Windows Firewall native rules will begin to work. Is it possible in some way to ignore the native Windows Firewall rules? What does the option "Ignore all firewall rules that are not listed in this profile" in the F-Secure Firewall Settings mean? How do we set firewall rules on different policy subdomains, where we use the same services but different remote hosts?

Superuser

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

1) "Ignore all firewall rules that are not listed in this profile" is exactly what you want. Windows FW rules are ignored (could be worded more clearly).
2) That is exactly what I meant: "keep it simple, concentrate on the inbound traffic to the hosts".
Why do you want to limit the outbound traffic to a specific target? You should rather block the unwanted traffic on the target system (server).
If you still want to do that work, you need to clone the FW profile and assign different profiles to different subdomains. But it will not add any security and will leave the server open to a rogue system.
Rethink your concept.

M.

Matthias

M_M
Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Our AD domain has a main office and 10 branch offices. The main office and every branch office have their own set of IP subnets. In PM 13.00 we set a firewall profile with a base set of firewall rules and, at subdomain level, add firewall rules specific to the IP set of every branch office (File and printer sharing, RDP, Ping, etc.). What can we do in PM 14.00?