My goal is to have the personal firewall in enforce mode and all other rule modules in test mode. Problem: If a host is in any group that's running in test mode, all rules being applied to the host are in test mode. It seems like if I place a rule module in test mode, I will get events logged even if allow rules are in place. What is the best way to enforce the personal firewall module while keeping the rest of the applied rule modules/policies in test mode? Thanks in advance for any help.
Well, if you just want the personal firewall module to be enforced, then place all rule modules in testmode except for the personal firewall module.
If I understand you correctly, you don't want logs of the events generated from the rule modules in testmode. If that is the case you can either create rules to ignore those events or change the settings in the rules (not recommended). If you meant something else, ignore.
Well, I have no clue as to why you would apply rules that you didn't care about, but I'll provide the best answer I can.
First, I would apply the personal firewall policy to the group your desktops are in. Then, select the policies/rule modules that you may want to see and place them in monitor mode.
Monitor mode will fire at every instance. I figure monitor mode is supposed to be done while trying to find how a rule will interact with your current setup. But, if you do commonly known attacks are characteristics your false positives should be significantly low.
Also, ensure that you do not have any policies attached to the auto enrolled group "All Windows" and so on. This will prevent rules from jumping into effect when you take it out of test mode.
Honestly, I think if all you want is the personal firewall, just do that. You can slowly apply policies and groups as time goes to build a more secure setup.
Thanks for the replies. I have done quite a bit of configuring but am not done. Of course, I don't think anyone is ever done configuring csa. I feel confident taking the personal firewall out of test mode but but would still like to keep the other rules/policies in test mode. I guess I'll have to remove all policies being applied to the default Windows group and take that group out of test mode. The hosts I want to enforce the personal firewall rule on will have to reside in a group where only the personal firewall policy is applied to it. To continue configuration/tuning, I'll have to have the other hosts in a group(s) in test mode. It seems like if I put rule modules in test mode, they log even if there are exception rules to allow the behavior.
I wish you could have some rules/policies enforced and some in test mode on the same hosts without logging events there are exception rules to allow.
Ok, well as you know, if a host is in even one group that is in test mode, the host itself is in test mode. You can either take it out, or keep it in.
Monitor mode is extremely useful. I still stand by the suggestion to maybe start again slowly adding the rules you've already created/crafted by placing them in monitor mode.
I have to comment on the log comment. I don't think you understand that rule setup. You have to actually uncheck the box that says "LOG" in order to stop receiving alerts. Your statement is true withstanding, that if the log option is selected, you'll get an alert for allow or deny. Now, if a rule is hitting a deny, and you set a exception to allow, obviously your exception isn't working. You'll have to mitigate that issue in order to resolve the other.
I wish you'd go into more depth concerning what the actually problem is though. I can only pull apart that you want something to do something but its alerting from something but I still want it to do the other thing too.
Again, I hope this assists you. And if you need further understanding or clarification please ask. That is the primary reason for this forum.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...