Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
563
Views
0
Helpful
5
Replies

CSA 5.2 (245) Network access control rule's priority

asafanasjeva
Level 1
Level 1

‎02-29-2008 05:38 AM - edited ‎03-10-2019 04:01 AM

Hello!

I have a problem with the priority of network access control rules.

As default all network connections are denied by CSA on our machines. And network access rules with the action "priority allow" allows needed applications access network. So the CSA works as the firewall on our workstations and servers.

But some time ago I have noticed that network access "priority allow" rules doesn't work. All connections are refused with the default network access "deny" rules though there are "priority allow" rules for these particular applications. So now I turn all CSAgents into test mode, but this is not the way out.

Please, help to solve this problem.

Labels:
0 Helpful
5 Replies 5

tsteger1
Level 8
Level 8

‎03-02-2008 10:25 PM

Is it all hosts and if not, has the system state changed on any of these hosts?

Tom

0 Helpful

asafanasjeva
Level 1
Level 1
In response to tsteger1

‎03-17-2008 07:15 AM

Hello!

I needed some time to look more carefully on this question. According to our policy there are deny network access control rules for acting as a server only (not for acting as a client). So I monitored network access rules for all hosts and have detected that such trouble happened for all hosts during connections as a server.

System state is set to "Apply this rule module regardless of any state conditions" and I haven't changed it.

0 Helpful

tsteger1
Level 8
Level 8
In response to asafanasjeva

‎03-17-2008 01:17 PM

Hello Ann

Let's see if I have this straight:

You added some NAC allow rules to permit all hosts to accept connections as a server for certain applications and it isn't working as you expected it to. Is that right?

If so, did it ever work right or is this something new?

Tom

0 Helpful

asafanasjeva
Level 1
Level 1
In response to tsteger1

‎03-18-2008 01:35 AM

Hello, Tom!

Yes, that's right.

Such things are new. I thought about there reason, wached logs. As I think the only reason it can be the hotfix 5.2.0.245, that I have installed not so much time ago. And since that troubles began. With the version of CSA MC 5.2.0.238 everyhting worked correctly.

Ann

0 Helpful

tsteger1
Level 8
Level 8
In response to asafanasjeva

‎03-18-2008 04:10 PM

Hi Ann, it may be that the exceptions you created were for old groups and policies and aren't associated with the new ones.

Applying a hotfix will usually create new groups, policies and rule modules if the old ones have been modified and it doesn't always associate exceptions with the new ones.

If that's the case you'll need to either move the exceptions to a rule module that applies to your current groups or create new exceptions.

I have all my exceptions in a separate policy just for this reason.

HTH

Tom

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card