CSA 5.2 (245) Network access control rule's priority

Unanswered Question
Feb 29th, 2008
User Badges:


I have a problem with the priority of network access control rules.

As default all network connections are denied by CSA on our machines. And network access rules with the action "priority allow" allows needed applications access network. So the CSA works as the firewall on our workstations and servers.

But some time ago I have noticed that network access "priority allow" rules doesn't work. All connections are refused with the default network access "deny" rules though there are "priority allow" rules for these particular applications. So now I turn all CSAgents into test mode, but this is not the way out.

Please, help to solve this problem.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
tsteger1 Sun, 03/02/2008 - 22:25
User Badges:
  • Red, 2250 points or more

Is it all hosts and if not, has the system state changed on any of these hosts?


asafanasjeva Mon, 03/17/2008 - 07:15
User Badges:


I needed some time to look more carefully on this question. According to our policy there are deny network access control rules for acting as a server only (not for acting as a client). So I monitored network access rules for all hosts and have detected that such trouble happened for all hosts during connections as a server.

System state is set to "Apply this rule module regardless of any state conditions" and I haven't changed it.

tsteger1 Mon, 03/17/2008 - 13:17
User Badges:
  • Red, 2250 points or more

Hello Ann

Let's see if I have this straight:

You added some NAC allow rules to permit all hosts to accept connections as a server for certain applications and it isn't working as you expected it to. Is that right?

If so, did it ever work right or is this something new?


asafanasjeva Tue, 03/18/2008 - 01:35
User Badges:

Hello, Tom!

Yes, that's right.

Such things are new. I thought about there reason, wached logs. As I think the only reason it can be the hotfix, that I have installed not so much time ago. And since that troubles began. With the version of CSA MC everyhting worked correctly.


tsteger1 Tue, 03/18/2008 - 16:10
User Badges:
  • Red, 2250 points or more

Hi Ann, it may be that the exceptions you created were for old groups and policies and aren't associated with the new ones.

Applying a hotfix will usually create new groups, policies and rule modules if the old ones have been modified and it doesn't always associate exceptions with the new ones.

If that's the case you'll need to either move the exceptions to a rule module that applies to your current groups or create new exceptions.

I have all my exceptions in a separate policy just for this reason.




This Discussion