Firewall allow rule with server name (name syntax)

Askoik
Askoik Posts: 28 Security Scout
edited January 2022 in Business Suite

I have a rule named "IT-ylläpito", and there I have a list of IP subnets and an FQDN server name. All are written exactly in the syntax that the guide text at the bottom of the window instructs.


But still, I get these alerts from several clients. And the strangest thing is that not all clients are alerting, but only some of them. How should I write the address so that it would be valid? I think this problem didn't exist last year, but now I've seen this for a couple of months.


Best Answer

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader
    Solved

    Hello Askoik,

    It's the Windows OS's responsibility to resolve DNS names for Windows firewall rules. If it fails to resolve, the rule is applied only partially, and you get the alert in the PM console.

    This fact can also explain why some hosts having the same rules are sending alerts and some are not: they don't have problems with resolving.

    Best regards,

    Vad

Answers

  • JamesC
    JamesC Staff, Moderator Posts: 559 W/ Moderator

    Hi, we need to investigate further.

    So, please:

    1) Submit a support case - https://www.f-secure.com/en/business/support-and-downloads/support-request

    2) Include Policy Manager screenshots and FSDiag

    3) Include debug logs from the affected host with Client Security:

    Follow the steps below:

    1. Download the debug tool from download.f-secure.com/support/tools/CCF-logging-tool/fsloglevel.exe
    2. Double click fsloglevel.exe
    3. Select Full Logging
    4. Click OK
    5. Restart the computer
    6. Reproduce the steps that caused the original problem, take note of exact time of the problem
    7. Generate an FSDIAG diagnostic file by following the steps explained in this link: https://community.f-secure.com/common-home-en/kb/articles/5427-how-do-i-create-an-fsdiag-file
    8. Run the fsloglevel.exe tool a second time after submitting the logs
    9. Click on Normal Logging to turn off the debug mode (debug mode slows down the machine slightly)


  • ZS
    ZS Posts: 10 Security Scout

    Hello

    I have the same problem, is there a solution already?

  • Askoik
    Askoik Posts: 28 Security Scout

    A week ago I created a ticket with F-Secure and they are still diagnosing the log files I sent to them.

  • JamesC
    JamesC Staff, Moderator Posts: 559 W/ Moderator

    Hi ZS - have you submitted a ticket?


    Hi Askoik - please message me your ticket number so I can follow up.

  • Askoik
    Askoik Posts: 28 Security Scout

    Is there a possibility to send a private message in this forum? Or would you like to expose your f-secure.com email address here publicly? I am not willing to expose my ticket number in a public forum.

  • JamesC
    JamesC Staff, Moderator Posts: 559 W/ Moderator

    Hi, yes you can send a private message. I just sent one to you.

  • Askoik
    Askoik Posts: 28 Security Scout

    Ok, now I managed to answer that private message. I still can't find the place to start a new private conversation, maybe it is possible only for you moderators. ;-)

  • Askoik
    Askoik Posts: 28 Security Scout

    Ok, this might be the case with users booting their laptops outside the company network. But I see this error also on desktops which are located at our office. Strange.


    If a laptop can't resolve DNS during boot, will the ruleset fix itself after the user connects to the VPN and F-Secure is able to do a DNS query? Or will the ruleset remain in a "failed" state?


    With this information, I will now change all internal server names into IP addresses, so I won't get this DNS-related error in Policy Manager anymore.

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello Askoik,

    We have several events, which will lead to re-applying the rules:

    • changes in FS firewall settings, including change of active profile
    • any FW rules change events (both Windows and FS)
    • changes in FW registry

    So, if you have FW profile auto-selection turned on, and the profile is changing when hosts are shifting inside <-> outside the company, then rules will be re-applied for sure. In other cases they may not.

    Regards,

    Vad

  • Askoik
    Askoik Posts: 28 Security Scout

    Case solved, and Vad's message ticked as "Accepted Answer". Thanks!


    For a couple of weeks now I have had my firewall rules created with IP addresses, with not a single FW rule using DNS names anymore. The Policy Manager alerts list has clearly calmed down; only a couple of alerts are coming from clients which had been disconnected for a long time and are now connecting again. But when they get the new IP-based ruleset, they no longer give the same alerts.
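
A way to check, on a client that raises the alert, which entries of a rule's remote address list the operating system resolver cannot resolve, and to build the IP-only list used as the workaround in this thread. This is an added example, not F-Secure code and not part of the original posts; the comma-separated list format, the function names and the sample addresses and host names are assumptions made for illustration.

```python
import ipaddress
import socket


def is_ip_entry(entry):
    """True if the entry is an IP address or CIDR subnet, False for a DNS name."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def system_resolver(name):
    """Resolve with the OS resolver; an empty list means resolution failed."""
    try:
        infos = socket.getaddrinfo(name, None)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def audit_remote_addresses(address_list, resolver=system_resolver):
    """Split a comma-separated list into IP entries, resolved and unresolved names."""
    report = {"ip_entries": [], "resolved": {}, "unresolved": []}
    for entry in (e.strip() for e in address_list.split(",")):
        if not entry:
            continue
        if is_ip_entry(entry):
            report["ip_entries"].append(entry)
            continue
        addresses = resolver(entry)
        if addresses:
            report["resolved"][entry] = addresses
        else:
            report["unresolved"].append(entry)  # this host would alert
    return report


def ip_only_list(report):
    """Build the IP-only replacement list; refuse if any name failed to resolve."""
    if report["unresolved"]:
        raise ValueError("cannot resolve: " + ", ".join(report["unresolved"]))
    resolved = [ip for ips in report["resolved"].values() for ip in ips]
    return ", ".join(report["ip_entries"] + resolved)


if __name__ == "__main__":
    # Constructed sample list; replace with the rule's own remote addresses.
    SAMPLE = "10.10.0.0/16, 192.168.5.0/24, fileserver.example.internal"
    print(audit_remote_addresses(SAMPLE))
```

Running it once on an alerting client and once on a quiet one shows whether the difference between them is name resolution, as described in the accepted answer.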

This discussion has been closed.