Workstation Profile to Computer Protection Profiles (Handling Conflicts)

F-Secure


You can find parts of this content in Japanese in the following Community KB article: https://community.f-secure.com/t5/ビジネスセキュリティ/PSB-Computer-Protection-Windows/ta-p/107966

 

This article gives an overview of the 'Firewall' and 'Scheduled Scanning' conflicts that can occur during the profile migration and gives some tips on how to resolve them.

For more information about what a conflicting profile is, see the section titled 'What is a profile with conflicts?' in the article Computer Protection Migration.

 

Firewall Rule Conflicts

 

You have firewall rules where both Allow and Deny rules are defined for the same protocol, port and direction. Workstation profile firewall rules have a priority order that decides which rule is processed first. Computer Protection uses Windows Firewall behind the scenes, and Windows Firewall executes rules in a different order, so these rules end up in apparent conflict after migration (refer to https://technet.microsoft.com/es-es/library/dd421709(v=ws.10).aspx).

 

Below you can see an example scenario of 2 custom rules added to the 'Office' firewall profile in Workstation profiles, which have resulted in a conflict in the firewall profile.

 

In a Workstation client, 

  • Incoming calls from the host with IP 10.0.0.196 are allowed as this rule has higher priority
  • Incoming calls from other hosts are blocked

1. Two firewall rules in 'Office' Profile of Workstation 12 which result in conflicts in Computer Protection

 1.png

After this rule is migrated to the Computer Protection Client,

  • Incoming calls from the host with IP 10.0.0.196 are blocked as deny rules in Windows Firewall have higher precedence.

2. Corresponding migrated firewall rules in 'Normal Workstation' profile of Computer Protection

 2.png

 

How will you know of such conflicts?

 

The profile migration we have built for you identifies such conflicts and marks these profiles as 'Needs Review'. By clicking the button "View all profiles with issues" in the profiles tab, you will be redirected to a new page that lists the profiles that need review.

 

3. Profiles that have conflicts can be accessed from the button → 'View all profiles with issues'

 3.png

 

4. 'Conflicting profiles' listing view, where you can access all profiles which have conflicts and need attention

 4.png

 

How can you fix them?

 

Each of the profiles with conflicts needs to be reviewed explicitly. After making changes to the corresponding section of the profile and closing the warning dialog, you will be given the option to 'Accept and publish'. Clicking this marks the conflict in the profile as resolved.

  • You can save the profile without accepting changes if you are not sure that the profile works as expected
  • You can still assign these profiles to some computers to verify that the behaviour is as expected before you mark the conflict as resolved.
  • You can delegate (if needed) the Company or Service Partner to resolve the conflicts in their own profiles.

 

5. Conflicted sections of a profile are highlighted as shown below

 

5.png

 

6. After making the required changes to the profile, the 'Accept and publish' button pops up.

 

In this particular case, to achieve the expected behaviour of the firewall profile, it is sufficient to remove the rule 'Block incoming TCP from all other IPs' (refer to screenshot 2), as the fallback settings of this profile already block unknown inbound connections (refer to screenshot 7).

 

6.png

 

7. Fallback settings for the corresponding firewall profile

 

7.png
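The conflict and the fix described above can be reproduced with a small model. This is an added example, not F-Secure's migration code: the `Rule` class, the function names, the allow rule's name and the 0.0.0.0/0 address for the "all other IPs" rule are assumptions, and ports are left out for brevity.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "block"
    protocol: str
    direction: str   # "in" or "out"
    remote: str      # remote addresses as CIDR

    def matches(self, protocol, direction, src):
        return (self.protocol == protocol and self.direction == direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.remote))

# Constructed model of the two 'Office' rules, highest priority first.
# Assumption: the "all other IPs" rule is stored as 0.0.0.0/0.
OFFICE_RULES = [
    Rule("Allow incoming TCP from 10.0.0.196", "allow", "tcp", "in", "10.0.0.196/32"),
    Rule("Block incoming TCP from all other IPs", "block", "tcp", "in", "0.0.0.0/0"),
]

def first_match_verdict(rules, protocol, direction, src, fallback="block"):
    """Priority-ordered evaluation: the first matching rule decides."""
    for rule in rules:
        if rule.matches(protocol, direction, src):
            return rule.action
    return fallback

def block_wins_verdict(rules, protocol, direction, src, fallback="block"):
    """Windows Firewall precedence: a matching block rule overrides any allow."""
    actions = {r.action for r in rules if r.matches(protocol, direction, src)}
    if "block" in actions:
        return "block"
    return "allow" if "allow" in actions else fallback

def find_conflicts(rules):
    """Allow/block pairs with the same protocol and direction and overlapping addresses."""
    return [(a.name, b.name) for a in rules for b in rules
            if a.action == "allow" and b.action == "block"
            and (a.protocol, a.direction) == (b.protocol, b.direction)
            and ipaddress.ip_network(a.remote).overlaps(ipaddress.ip_network(b.remote))]

if __name__ == "__main__":
    for src in ("10.0.0.196", "10.0.0.5"):
        print(src, first_match_verdict(OFFICE_RULES, "tcp", "in", src),
              block_wins_verdict(OFFICE_RULES, "tcp", "in", src))
    print(find_conflicts(OFFICE_RULES))
```

Passing only the allow rule to `block_wins_verdict` models the fix: 10.0.0.196 is allowed again and every other host falls through to the blocking fallback.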

 

Other tips

 

  • Splitting a rule into two sub-rules with IP ranges
    • 0.0.0.0-10.0.0.195 (Block) + 10.0.0.197-255.255.255.255 (Block)
    • 10.0.0.196 (Allow)
  • Splitting a rule into two sub-rules with port ranges
    • 0-554 (Block) + 555-65535 (Block)
    • 555 (Allow)
  • Migration of Firewall rules with 0.0.0.0/0

    These rules were not converted properly. More information in: 

    https://community.f-secure.com/t5/Protection/Computer-Protection-Firewall/td-p/116463
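The range-splitting tips above can be computed rather than typed by hand. This is an added example, not part of the original article, and all function names are assumptions; it also expresses the IP ranges as CIDR networks for rule editors that take networks instead of ranges. For the port case, the computed upper block range starts at 556 so that it does not overlap the allowed port 555.

```python
import ipaddress

def split_around(low, high, allowed):
    """Inclusive integer ranges of [low, high] that leave out `allowed`."""
    if not low <= allowed <= high:
        raise ValueError("allowed value lies outside the range")
    parts = []
    if allowed > low:
        parts.append((low, allowed - 1))
    if allowed < high:
        parts.append((allowed + 1, high))
    return parts

def block_ranges_for_ip(allowed_ip):
    """Block ranges covering every IPv4 address except allowed_ip."""
    ip = int(ipaddress.IPv4Address(allowed_ip))
    return [(str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi)))
            for lo, hi in split_around(0, 2**32 - 1, ip)]

def block_cidrs_for_ip(allowed_ip):
    """The same block ranges as a list of CIDR networks."""
    nets = []
    for lo, hi in block_ranges_for_ip(allowed_ip):
        nets += ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    return [str(n) for n in nets]

def block_ranges_for_port(allowed_port):
    """Block ranges covering every port except allowed_port."""
    return split_around(0, 65535, allowed_port)

if __name__ == "__main__":
    print(block_ranges_for_ip("10.0.0.196"))
    print(block_ranges_for_port(555))
    print(len(block_cidrs_for_ip("10.0.0.196")), "CIDR block rules")
```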

Scheduled Scanning Task Conflicts

 

You have configured more than one scheduled scanning task, and/or a task with fields that can't be transformed into the Computer Protection format. The new format supports only one scanning task, so we migrate only the first scanning task that has the fewest field inconsistencies.

The Computer Protection client has a different scheduled scanning functionality than the Workstation client. The main cases are:

 

  • Case 1: You can't define more than one scheduled scanning task
  • Case 2: The number of available options for scheduled scanning is smaller than in the old one

This leads to a situation where scheduled scanning settings may not be migrated as is.

 

Conflicting Cases

 

Case 1:

 

There are 2 scheduled tasks in the old profile to migrate:

  • Runs weekly on Monday at 9:00
  • Runs daily at 12:00

In the new profile, you have to choose between weekly and daily; you can't have both at once. It is also not possible to define more than one execution time, so you can't combine 9:00 and 12:00. This means that only one task can be migrated.

 

Case 2:

 

We have a task with the following options:

  • Runs once at 9:00 after system is idle for 30 minutes

In the Computer Protection profile, there is no option to run once; the available choices are daily, weekly and monthly. There are also no combined time and idle options: you have to choose one or the other (just as with weekly and daily in the previous example). So, in practice, this task can't be mapped without changing its periodicity and time/idle options or, if the old profile has multiple tasks, skipping it altogether in favour of another task with fewer conflicts.

8. Example scheduled scanning tasks in a Workstation profile which lead to conflicts during migration

 

8.png

 

How to Solve?

 

If one of the profiles you migrated contains a conflict in scheduled scanning tasks, the section in the profile will be highlighted in the same way as above (refer to screenshot 5). Once you make the required changes and click the 'Accept and Publish' button, the conflict is considered resolved.