02-29-2008 05:38 AM - edited 03-10-2019 04:01 AM
Hello!
I have a problem with the priority of network access control rules.
By default all network connections are denied by CSA on our machines, and network access rules with the action "priority allow" allow the needed applications to access the network. So the CSA works as the firewall on our workstations and servers.
But some time ago I noticed that the network access "priority allow" rules don't work. All connections are refused by the default network access "deny" rules, though there are "priority allow" rules for these particular applications. So now I have turned all CSAgents into test mode, but this is not the way out.
Please, help to solve this problem.
03-02-2008 10:25 PM
Is it all hosts and if not, has the system state changed on any of these hosts?
Tom
03-17-2008 07:15 AM
Hello!
I needed some time to look more carefully at this question. According to our policy there are deny network access control rules for acting as a server only (not for acting as a client). So I monitored the network access rules for all hosts and detected that this trouble happened on all hosts during connections as a server.
System state is set to "Apply this rule module regardless of any state conditions" and I haven't changed it.
03-17-2008 01:17 PM
Hello Ann
Let's see if I have this straight:
You added some NAC allow rules to permit all hosts to accept connections as a server for certain applications and it isn't working as you expected it to. Is that right?
If so, did it ever work right or is this something new?
Tom
03-18-2008 01:35 AM
Hello, Tom!
Yes, that's right.
Such things are new. I thought about their reason and watched the logs. As I see it, the only reason can be hotfix 5.2.0.245, which I installed not long ago, and since then the troubles began. With CSA MC version 5.2.0.238 everything worked correctly.
Ann
03-18-2008 04:10 PM
Hi Ann, it may be that the exceptions you created were for old groups and policies and aren't associated with the new ones.
Applying a hotfix will usually create new groups, policies and rule modules if the old ones have been modified and it doesn't always associate exceptions with the new ones.
If that's the case you'll need to either move the exceptions to a rule module that applies to your current groups or create new exceptions.
I have all my exceptions in a separate policy just for this reason.
HTH
Tom
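The two failure modes discussed in this thread (a default "deny as server" rule swallowing connections that a "priority allow" exception should permit, and exception rule modules left unattached after a hotfix re-creates groups and policies) can be made concrete with a small model. The following is an added example written for this page; it is not Cisco's code and does not read the CSA MC policy format. The action names, the precedence order ("priority allow" consulted before "deny") and the group/policy/module names are assumptions for illustration.

```python
# Added example (constructed): a simplified model of how host NAC rules such as
# the ones discussed in this thread are resolved, plus a check for "exception"
# rule modules that a policy/group re-creation has left unattached.
# Not Cisco's code; action names and precedence are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "priority_allow" or "deny" (assumed names)
    role: str                      # "server", "client" or "any"
    apps: frozenset = frozenset()  # matching application names; empty = any app


@dataclass
class RuleModule:
    name: str
    rules: list


@dataclass
class Policy:
    name: str
    modules: list


@dataclass
class Group:
    name: str
    policies: list


# Assumed precedence: a priority allow is consulted before a plain deny.
PRECEDENCE = {"priority_allow": 0, "deny": 1}


def effective_rules(group):
    """All rules reachable from a group, ordered by action precedence."""
    rules = [r for p in group.policies for m in p.modules for r in m.rules]
    return sorted(rules, key=lambda r: PRECEDENCE[r.action])


def evaluate(group, app, role):
    """Return (verdict, matching rule name) for an application acting in a role."""
    for rule in effective_rules(group):
        if rule.role not in ("any", role):
            continue
        if rule.apps and app not in rule.apps:
            continue
        verdict = "allow" if rule.action == "priority_allow" else "deny"
        return verdict, rule.name
    return "allow", "no-rule"


def orphaned_exception_modules(all_modules, groups):
    """Names of modules holding priority_allow rules that no current group reaches."""
    reachable = {m.name for g in groups for p in g.policies for m in p.modules}
    return sorted(m.name for m in all_modules
                  if m.name not in reachable
                  and any(r.action == "priority_allow" for r in m.rules))


# Constructed scenario modelled on the thread: a default "deny as server" rule
# plus an exceptions module with a priority allow for one server application.
DEFAULT_DENY = RuleModule("Default network deny",
                          [Rule("deny inbound", "deny", "server")])
EXCEPTIONS = RuleModule("Server exceptions",
                        [Rule("allow httpd", "priority_allow", "server",
                              frozenset({"httpd"}))])
OLD_POLICY = Policy("Base policy", [DEFAULT_DENY, EXCEPTIONS])
# After the (assumed) hotfix a fresh copy of the deny module and policy exists
# and the group points at the copy, but the exceptions module is not carried over.
NEW_DENY = RuleModule("Default network deny (2)",
                      [Rule("deny inbound", "deny", "server")])


def before_hotfix():
    return evaluate(Group("Servers", [OLD_POLICY]), "httpd", "server")


def after_hotfix(exceptions_reattached):
    modules = [NEW_DENY] + ([EXCEPTIONS] if exceptions_reattached else [])
    group = Group("Servers", [Policy("Base policy (2)", modules)])
    verdict = evaluate(group, "httpd", "server")
    orphans = orphaned_exception_modules([DEFAULT_DENY, EXCEPTIONS, NEW_DENY], [group])
    return verdict, orphans


if __name__ == "__main__":
    print(before_hotfix())      # ('allow', 'allow httpd')
    print(after_hotfix(False))  # (('deny', 'deny inbound'), ['Server exceptions'])
    print(after_hotfix(True))   # (('allow', 'allow httpd'), [])
```

The `orphaned_exception_modules` check is the part worth keeping in mind after any upgrade that regenerates policies: an exception that is no longer reachable from the group a host belongs to is silently ignored, and the default deny wins exactly as described above. Keeping exceptions in a separate policy, as Tom suggests, makes that reachability easy to verify.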