Order of Rules in CSAMC

reinke
Level 1

Does anybody have a detailed understanding concerning the order of rules in CSAMC?

E.g. the group CiscoWorks VMS Systems is built up with 5 policy sets (CSA V4.0.3.727). Each of these sets contains different rules.

Following Systems > Hosts > hostname for a host which is a member of CiscoWorks VMS Systems group I get a combined list of rules.

Is what I see exactly what I get? Meaning: is this the order of the rules (from top to bottom) in which these rules are evaluated?

And if it is, which rules are used to generate this order?

I need to know this, because I have a problem: I cannot start FTP from the PC protected by CSA, because the incoming data channel is prevented by CSA. Therefore, I wrote an exception rule (using the wizard) and I modified this rule to allow FTP.exe to accept any incoming TCP connection from any host. I have generated the rules and I have started a poll via the Client GUI. In CSAMC the rule is automatically placed in front of rule 335, but it doesn't work: FTP data is still denied by rule 335.

Does anybody have some helpful hints?

Thanks

Edgar

8 Replies

tsteger1
Level 8

The order in which rules are applied is based on what the rule does (deny, allow, etc.).

This is right out of the help file:

"Add process to application class: Priority 1
High Priority Deny: Priority 2
Allow: Priority 3
Query User (Default Allow): Priority 4
Query User (Default Deny): Priority 5
Deny: Priority 6

The priority listings beside each bullet item indicate the manner in which CSA MC processes rules. All priority 1 rules are checked first and priority 6 rules (deny) are checked last and that is only if no other higher priority rules have already been triggered by a system action."

This is also how it looks when multiple policies are assigned to a group. They are combined into a 'super' policy.

If you are having trouble with a rule, try using the wizard to generate the exception.

Thanks, that is exactly what I hoped to get. But my rule - which is created with the exception wizard - doesn't work. I have to modify the generated rule, because I want to allow any IP address and any ftp client port used for the data channel.

I get the following results:

If I define the rule works.

If I define the rule does not work.

Work means the client accepts the incoming data channel (port 20 to something equal/greater than 1024).

That is strange, because TCP/1024-65535 is not a wrong syntax.

Edgar

That's because the host is acting as an FTP server and both initial ports are below 1024. Use network services to define your rule instead of network addresses and it should have all the entries needed.

Sorry, I do not understand your advice. What do you mean by "Use network services to define your rule"?

PC with CSA starts FTP. That is port X to 21. Server opens a connection back to the PC. That is port 20 to Y. Therefore, the network access rule should work, because Y is between 1024 and 65535.

Thanks

Edgar

Look under Configuration > Variables > Network Services > FTP. This is what the FTP Network Service should show for FTP communication ports:

Ports used for initial connection:
TCP/21
TCP/990

Ports used for subsequent connections initiated by the client:
TCP/1024-65535
TCP/989

Ports used for subsequent connections initiated by the server:
TCP/1024-65535
TCP/ephemeral
TCP/989

If you change the rule to allow the host to act as a server, using $FTP in the network services section instead of trying to manually enter the correct ports, you will probably have more success.

Give it a try...

Sorry, the $FTP doesn't work as well. The only configuration which works is

This sounds like a serious problem?

Thanks

Edgar

No, it sounds like you configured your FTP server to connect back on a different port. Add port 20 to your subsequent server connections and you should be fine. Your event log should be telling you exactly what you need to do.

I have fixed the problem: @FTP didn't work, because I selected server instead of client. That's because I edited the Exception Wizard rule. The wizard has configured a rule which doesn't work, because it uses the detected client port for data and this port changes from session to session. Because port 20 to port e.g. 1098 is an incoming connection, the wizard used the server option in the network access rule.

Choosing the client option and a network service @FTP works fine.

Thanks

Edgar
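As an added illustration (not code from the thread, from Cisco, or from CSA MC itself), here is a small Python model of the evaluation order tsteger1 quotes from the help file, applied to Edgar's FTP data-channel case: the priorities, rule id 335, the $FTP port ranges and the detected port 1098 come from the thread, while the field names, the matching logic, rule ids 900-902 and the contents of rule 335 are my own assumptions.

```python
from dataclasses import dataclass
# Action priorities from the CSA MC help text quoted in the thread (1 is checked first).
PRIORITY = {"add_to_class": 1, "high_priority_deny": 2, "allow": 3,
            "query_allow": 4, "query_deny": 5, "deny": 6}
# $FTP network service as shown in the thread: ports for subsequent
# connections initiated by the server (the active-mode data channel).
FTP_SERVER_INITIATED = (range(1024, 65536), range(989, 990))

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str
    role: str           # host acts as FTP "client" or "server"; "*" = either (assumed field)
    local_ports: tuple  # ranges of local ports the rule covers
    app: str = "*"      # application class, "*" = any

@dataclass(frozen=True)
class Conn:
    app: str
    role: str           # role the host has in this FTP session
    local_port: int     # local port the incoming data channel arrives on

def matches(rule, conn):
    return (rule.app in ("*", conn.app) and rule.role in ("*", conn.role)
            and any(conn.local_port in r for r in rule.local_ports))

def super_policy(*policy_sets):
    """Merge rules from several policy sets, ordered by action priority, then id."""
    return sorted((r for ps in policy_sets for r in ps),
                  key=lambda r: (PRIORITY[r.action], r.rule_id))

def evaluate(policy_sets, conn):
    """First matching rule in priority order decides; (None, 'no match') otherwise."""
    for r in super_policy(*policy_sets):
        if matches(r, conn):
            return r.rule_id, r.action
    return None, "no match"

# Constructed sample rules. Rule 335 stands in for the thread's deny rule (its real
# contents are not shown). Ids 900-902 are assumed: the wizard rule pinned to the port
# seen in one session (1098) with the server option, $FTP still with the server option,
# and the corrected client-option $FTP rule.
RULE_335 = Rule(335, "deny", "*", (range(1, 65536),))
WIZARD_RULE = Rule(900, "allow", "server", (range(1098, 1099),), "FTP.exe")
FTP_AS_SERVER = Rule(901, "allow", "server", FTP_SERVER_INITIATED, "FTP.exe")
FTP_AS_CLIENT = Rule(902, "allow", "client", FTP_SERVER_INITIATED, "FTP.exe")
# Next session: the server connects from port 20 back to a different ephemeral port.
DATA_CHANNEL = Conn("FTP.exe", "client", 1311)

def outcome(extra_rule):  # base policy set plus the exception policy set
    return evaluate([[RULE_335], [extra_rule]], DATA_CHANNEL)
```

Only the client-option $FTP rule matches the new data channel, and because an allow is priority 3 it is checked before the priority 6 deny even though its id is higher than 335.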