
CSA 5.0 LOG

guest
Level 1

Hi

I have a production server which has CSA 5.0 installed, and I get this error message flagged on CSA. It is managed via MC 5.0.

attempted to accept a connection as a server on TCP port 445 from 10.9.2.3. The operation was denied.

Is there a way to set this rule in policies and attach it to a group so that HTTPS is allowed and not blocked to this server?

THANKS

Muhammad


tsteger1
Level 8

Hi Muhammad,

First, confirm you want to allow this server to share resources. 445 is Microsoft-DS (SMB shares), not HTTPS.

If so, either create a network address set and use it with a Network Access Control allow rule or add the IP address to an allow rule for TCP/445.

Tom

Thanks Tom,

Basically it is SQL database replication and updates to other server.

Could you please guide me step by step to create and allow this rule, if possible?

kind regards,

muhammad

Hi Muhammad, use the Event Management Wizard on the alert and that should guide you through creating the rule.

It should create a NAC rule allowing 445 traffic to the app (listed in the alert) on the server and you can choose the addresses you want to allow.

Check the rule it creates to confirm it is not too broad in allowing 445 traffic as that is a popular attack vector.

Tom

Thanks Tom, just a quick one: how can I push this rule to all the hosts? Do I have to reset the hosts from MC, or does CSA get the new config each time it polls?

thanks in advance,

muhammad

Just create the rule and make sure it is associated with the rule module/policy/group and the hosts will get it.
