To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Dropped by filter: Shielded Main Rule, Shielded Main Rule.

Options
hyvokar2
hyvokar2 W/ Alumni Posts: 4 Security Scout
edited January 2023 in Elements Endpoint Protection

Hi,


enabled a firewall for a client computer from withsecure elements, and now I cannot ping that machine.

log says 22-06-27 14:36:54.633 [2f60.2154] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: Shielded Main Rule, Shielded Main Rule. Dropped by layer: ALE-vastaanoton/-hyväksymisen v4-kerros. Direction: outbound. Local port: 8. IPv4 local address: 10.11.23.1. IPv4 remote address: 10.11.22.36. Protocol: ICMP(1). Application: System. User SID: S-1-5-18. 

The default rules are in place, which allow all the outgoing traffic. What is this Shielded Main Rule, and how to get around it?

Best Answer

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 245 Moderator
    Solved
    Options

    Hi @hyvokar2

    Thank you for sharing this additional information. It appears we need to analyze the logs in order to perform additional checks. Nevertheless, I see that you've already reported the problem in support ticket 046XXX42. My colleague who works on support will analyze the logs and offer assistance.

Answers

  • hyvokar2
    hyvokar2 W/ Alumni Posts: 4 Security Scout
    Options

    WSEEP Admin guide does not have a word about "Shielded Rules", or "Main Rules"

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 245 Moderator
    Options

    Hi @hyvokar2

    The "Shielded Rule/Mode" is more related to windows firewall components. However, the error FWPM_NET_EVENT_TYPE_CLASSIFY_DROP issued by Windows Firewall with Advanced Security is related to Stealth mode. The stealth mode silently drops outgoing ICMP unreachable and TCP reset message, to prevent port scanning. This functionality responds when there is no process listening on the port, which is targeted by the incoming request/traffic.

    For more information about this functionality, please refer to this Microsoft Technet article.

  • hyvokar2
    hyvokar2 W/ Alumni Posts: 4 Security Scout
    Options

    Hi Sethu, thank you for your reply.


    I'll take look into this.

    Just a note, the article you linked says


    " Important

    Network packets dropped by the stealth mode feature are not logged."


    In my case, these packets are logged

  • hyvokar2
    hyvokar2 W/ Alumni Posts: 4 Security Scout
    Options

    Not sure if this had something to do with stealth mode, but I disabled "Block all inbound connections" from test profile. I guess this will block even connection, that are specified below as allowed.


    Anyways,

    the ping thing was resolved, after removing 0.0.0.0/0 from inbound connection for icmp traffic. Not sure if this is expected behavior.

This discussion has been closed.