Mixed Clients V13/V14 - Firewall - How to / best practice ?

Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

hi,


as far as I have seen ... you can still have different settings in the firewall profile depending on the policy domain in the policy manager.


Superuser

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Nope.

There are two views. The one is for V14 with profiles that reside on Root level, the other of V13 and earlier that reside on subdomain level.

Matthias
----------
perComp is a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntarily and to my best knowledge based on working with the products since 1997. Direct contact for customers please check our homepage http://www.percomp.de

Superuser

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?


@M_M wrote:

Our AD domain has a main office and 10 branch offices. The main office and every branch office have their own set of IP subnets. In PM 13.00 we set a firewall profile with a base set of firewall rules and at subdomain level add firewall rules specific to the IP set of every branch office (file and printer sharing, RDP, ping, etc.). What can we do in PM 14.00?



As I mentioned this is a pretty useless setup.
If you need printer and filesharing (e.g. sharing a local USB-printer from your PC), this can be limited to <mynetwork> and would automatically be limited to the subnet the Host is in.

IMHO your rulesets are way too complex with only little (if any) security benefit. In a common Windows Domain environment you would not want anyone to be able to access any host (not even in the same network).


Return to the standard Office profile and find out what is not working.

Most likely Remote Management and PING to the host is the most needed, but that should NOT be allowed to "any" or "myNetwork" but to precisely those systems that have the helpdesk function.


In the end you should be able to have the same ruleset for all standard hosts which translates into one new V14 profile and maybe one profile for helpdesk systems, which should NOT allow remote Access from any other systems.

Blocking unwanted traffic on the WAN is the task of the firewalls and routers.

Matthias

Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Hello Matthias,


you are wrong - I tried it yesterday in my setup! I have different settings on the root level and on the lower policy domain - and I am on the tab for V14 and not V13! You can create some standard rules that are valid for all lower sub policy domains and then add additional rules for the lower policy domains - at least it works in my settings!


BTW - the mynetwork you mentioned is pretty useless in my config, because we use different IP ranges for clients, servers, LAN and WiFi - that is a pretty normal setting for larger networks.


That mynetwork thing works when using a single subnet for all clients and servers, but not on larger networks.

Superuser

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?


you are wrong - I tried it yesterday in my setup! I have different settings on the root level and on the lower policy domain - and I am on the tab for V14 and not V13! You can create some standard rules that are valid for all lower sub policy domains and then add additional rules for the lower policy domains - at least it works in my settings!

you cannot change any rule unless you create a clone. And that clone is available in all other subdomains at the same moment. The clone gets activated for that subdomain when you create it, but it is linked to root, independent from anything defined before.


And no, we have exactly that setup with "myNetwork" in many places. As Outbound traffic is always allowed you can reach all systems that allow inbound traffic (like servers).


But this discussion is way beyond what we can do via community. This is a task for a consultant.


Matthias


M_M
Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

Support staff hosts reside in different branch offices and different IP subnets.

Superuser

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

There is a tricky way to create a subdomain related profile:

1) create admin accounts for every subdomain that you want to have their own profile and limit access to that subdomain.
2) logon as a subdomain admin and create a clone.


This clone is now bound to that subdomain only.

Matthias

M_M
Regular Member

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

But is there an option to add only a rule to a subdomain?

F-Secure

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

You have to create a default profile for the root domain and specify the common rules (shared between all branch offices). Then, for each branch office, clone the default profile and add the office-specific rules. But notice that further root profile changes will not update the clones.

After that, assign the just-created clones to the related domains.

All these configurations are made in the CS14 firewall tab.

As for migration from CS13 to CS14, the Windows firewall can coexist with the F-Secure firewall, so there is no risk in enabling it for CS13 hosts (unless there are conflicting rules). So we recommend:

  • Configure CS14 profiles in the policy domain tree
  • Enable (or Undefine) Windows Firewall in GPO
  • Start upgrading clients to CS14


Regards,

Alexander

Superuser

Re: Mixed Clients V13/V14 - Firewall - How to / best practice ?

To create a rule that is visible/usable only in a subdomain, you have to log in as a sub-domain administrator.
Apart from that there is no way to limit a rule to a subdomain, as Alexander confirmed in my previous post.

If you are a root admin, all clones that you create (on whichever level) are visible and usable in all other subdomains.

Again highlighting Alexander's note: "But notice that further root profile changes will not update clones."

So after the cloning they are independent.


@A-Grinkevitch please correct your post. GPO should set the Windows Firewall to UNDEFINED, otherwise V13 would switch it on too, which is unwanted.

Matthias
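As an added check (not from this thread or from F-Secure), the script below reports, per Windows Firewall profile, whether GPO leaves the firewall Not Configured or forces it on, which is the case the post above warns about for V13 hosts. It assumes a domain-joined Windows host with the built-in NetSecurity module and reads the standard WindowsFirewall policy registry location.

```powershell
# Added example: compare the GPO-forced firewall state with the effective
# state for each Windows Firewall profile. Run in an elevated PowerShell.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$profileKeys = [ordered]@{
    Domain  = 'DomainProfile'
    Private = 'PrivateProfile'
    Public  = 'PublicProfile'
}

foreach ($name in $profileKeys.Keys) {
    $key = Join-Path $policyRoot $profileKeys[$name]
    $policyValue = $null
    if (Test-Path $key) {
        # EnableFirewall only exists under Policies\ when a GPO sets it
        $policyValue = (Get-ItemProperty -Path $key -Name 'EnableFirewall' `
            -ErrorAction SilentlyContinue).EnableFirewall
    }

    # Effective state as the OS reports it (local setting or policy-driven)
    $effective = (Get-NetFirewallProfile -Name $name).Enabled

    # switch on $null runs no clauses in PowerShell, so use if/elseif
    if ($null -eq $policyValue) {
        $gpoState = 'Not Configured'      # what the thread recommends
    } elseif ($policyValue -eq 1) {
        $gpoState = 'Enabled by GPO'      # would switch on the firewall on V13 hosts too
    } elseif ($policyValue -eq 0) {
        $gpoState = 'Disabled by GPO'
    } else {
        $gpoState = "Unknown ($policyValue)"
    }

    [pscustomobject]@{
        Profile   = $name
        GpoState  = $gpoState
        Effective = $effective
        Note      = if ($gpoState -eq 'Enabled by GPO') { 'Policy forces firewall on' } else { '' }
    }
}
```

Run it on a CS13 host before and after the GPO change to confirm the policy is Not Configured while the effective state stays as intended.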