Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

CSA Test Mode ?

My goal is to have the personal firewall in enforce mode and all other rule modules in test mode. Problem: If a host is in any group that's running in test mode, all rules being applied to the host are in test mode. It seems like if I place a rule module in test mode, I will get events logged even if allow rules are in place. What is the best way to enforce the personal firewall module while keeping the rest of the applied rule modules/policies in test mode? Thanks in advance for any help.

Community Member

Re: CSA Test Mode ?

Well, if you just want the personal firewall module to be enforced, then place all rule modules in testmode except for the personal firewall module.

If I understand you correctly, you don't want logs of the events generated from the rule modules in testmode. If that is the case you can either create rules to ignore those events or change the settings in the rules (not recommended). If you meant something else, ignore.

Community Member

Re: CSA Test Mode ?

Well, I have no clue as to why you would apply rules that you didn't care about, but I'll provide the best answer I can.

First, I would apply the personal firewall policy to the group your desktops are in. Then, select the policies/rule modules that you may want to see and place them in monitor mode.

Monitor mode will fire at every instance. I figure monitor mode is supposed to be done while trying to find how a rule will interact with your current setup. But, if you do commonly known attacks are characteristics your false positives should be significantly low.

Also, ensure that you do not have any policies attached to the auto enrolled group "All Windows" and so on. This will prevent rules from jumping into effect when you take it out of test mode.

Honestly, I think if all you want is the personal firewall, just do that. You can slowly apply policies and groups as time goes to build a more secure setup.

Hope this helps,


Community Member

Re: CSA Test Mode ?

Thanks for the replies. I have done quite a bit of configuring but am not done. Of course, I don't think anyone is ever done configuring csa. I feel confident taking the personal firewall out of test mode but but would still like to keep the other rules/policies in test mode. I guess I'll have to remove all policies being applied to the default Windows group and take that group out of test mode. The hosts I want to enforce the personal firewall rule on will have to reside in a group where only the personal firewall policy is applied to it. To continue configuration/tuning, I'll have to have the other hosts in a group(s) in test mode. It seems like if I put rule modules in test mode, they log even if there are exception rules to allow the behavior.

I wish you could have some rules/policies enforced and some in test mode on the same hosts without logging events there are exception rules to allow.

Community Member

Re: CSA Test Mode ?

Ok, well as you know, if a host is in even one group that is in test mode, the host itself is in test mode. You can either take it out, or keep it in.

Monitor mode is extremely useful. I still stand by the suggestion to maybe start again slowly adding the rules you've already created/crafted by placing them in monitor mode.

I have to comment on the log comment. I don't think you understand that rule setup. You have to actually uncheck the box that says "LOG" in order to stop receiving alerts. Your statement is true withstanding, that if the log option is selected, you'll get an alert for allow or deny. Now, if a rule is hitting a deny, and you set a exception to allow, obviously your exception isn't working. You'll have to mitigate that issue in order to resolve the other.

I wish you'd go into more depth concerning what the actually problem is though. I can only pull apart that you want something to do something but its alerting from something but I still want it to do the other thing too.

Again, I hope this assists you. And if you need further understanding or clarification please ask. That is the primary reason for this forum.


Re: CSA Test Mode ?

Hi Mike,

Were you one of the people I talked to on the phone when you guys were thinking about getting CSA? Sorry, it was a while ago and I talked to several people in a conference call.

Tom Steger, Pierce County WA

CreatePlease to create content