01-04-2005 09:06 AM - edited 03-09-2019 09:54 AM
Does anybody have a detailed understanding concerning the order of rules in CSAMC?
E.g. the group CiscoWorks VMS Systems is built up with 5 policy sets (CSA V4.0.3.727). Each of these sets contains different rules.
Following Systems > Hosts > hostname for a host which is a member of CiscoWorks VMS Systems group I get a combined list of rules.
Is what I see exactly what I get? That is: is this the order of the rules (from top to bottom) in which these rules are evaluated?
And if it is, which rules are used to generate this order?
I need to know this, because I have a problem: I cannot start FTP from the PC protected by CSA, because the incoming data channel is prevented by CSA. Therefore, I wrote an exception rule (using the wizard) and I modified this rule to allow FTP.exe to accept any incoming TCP connection from any host. I have generated the rules and I have started a poll via the Client GUI. In CSAMC the rule is automatically placed in front of rule 335, but it doesn't work: FTP data is still denied by rule 335.
Does anybody have some helpful hints?
Thanks
Edgar
01-04-2005 10:30 AM
The order in which rules are applied is based on what the rule does (deny, allow, etc.).
This is right out of the help file:
"Add process to application class (Priority 1)
High Priority Deny (Priority 2)
Allow (Priority 3)
Query User (Default Allow) (Priority 4)
Query User (Default Deny) (Priority 5)
Deny (Priority 6)
The priority listings beside each bullet item indicate the manner in which CSA MC processes rules. All priority 1 rules are checked first and priority 6 rules (deny) are checked last and that is only if no other higher priority rules have already been triggered by a system action."
This is also how it looks when multiple policies are assigned to a group. They are combined into a 'super' policy.
If you are having trouble with a rule, try using the wizard to generate the exception.
01-04-2005 11:18 AM
Thanks, that is exactly what I hoped to get. But my rule - which is created with the exception wizard - doesn't work. I have to modify the generated rule, because I want to allow any IP address and any FTP client port used for the data channel.
I get the following results:
If I define
If I define
Work means the client accepts the incoming data channel (port 20 to something equal to/greater than 1024).
That is strange, because TCP/1024-65535 is not a wrong syntax.
Edgar
01-04-2005 12:00 PM
That's because the host is acting as an FTP server and both initial ports are below 1024. Use network services to define your rule instead of network addresses and it should have all the entries needed..
01-04-2005 03:27 PM
Sorry, I do not understand your advice. What do you mean with "Use network services to define your rule"?
PC with CSA starts FTP. That is port X to 21. Server opens a connection back to the PC. That is port 20 to Y. Therefore, the network access rule
Thanks
Edgar
01-04-2005 05:15 PM
Look under Configuration>Variables>Network Services>FTP. This is what the FTP Network Service should show for FTP communication ports:
Ports used for initial connection: TCP/21, TCP/990
Ports used for subsequent connections initiated by the client: TCP/1024-65535, TCP/989
Ports used for subsequent connections initiated by the server: TCP/1024-65535, TCP/ephemeral, TCP/989
If you change the rule to allow the host to act as a server using $FTP in the network services section instead of trying to manually enter the correct ports you will probably have more success.
Give it a try...
01-05-2005 01:56 AM
Sorry, $FTP doesn't work either. The only configuration which works is
This sounds like a serious problem?
Thanks
Edgar
01-05-2005 10:39 AM
No, it sounds like you configured your FTP server to connect back on a different port. Add port 20 to your subsequent server connections and you should be fine. Your event log should be telling you exactly what you need to do.
01-05-2005 02:35 PM
I have fixed the problem: @FTP didn't work, because I selected server instead of client. That's because I edited the Exception Wizard rule. The wizard has configured a rule which doesn't work because it uses the detected client port for data and this port changes from session to session. Because port 20 to port e.g. 1098 is an incoming connection, the wizard used the server option in the network access rule.
Choosing the client option and a network service @FTP works fine.
Thanks
Edgar
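The two technical points in this thread, the priority-class ordering quoted from the help file and the client-versus-server role of the $FTP network service that resolved the data-channel denial, can be checked with a small model. The following Python is an added example written for this page; it is not CSA code and not anything posted by the participants. The priority numbers and the $FTP port lists are taken from the thread; the rule fields, the stand-in for "rule 335", the port numbers of the sample connections and the reading that "subsequent connections" only count once the initial connection has been seen in the same role are assumptions of the model, not documented CSA behaviour.

```python
"""Toy model of how CSA MC combines and evaluates network access rules.

Constructed for illustration. Priority classes come from the help text
quoted in the thread; the $FTP port sets from the reply describing
Configuration > Variables > Network Services > FTP. Everything else is an
assumption of this model.
"""
from dataclasses import dataclass
from typing import Optional

# Priority classes from the quoted help file: lower number is checked first.
PRIORITY = {
    "add_to_app_class": 1,
    "high_priority_deny": 2,
    "allow": 3,
    "query_default_allow": 4,
    "query_default_deny": 5,
    "deny": 6,
}

# $FTP service from the thread. Assumption: each list names the ports on the
# listening side of that phase; "ephemeral" is folded into 1024-65535.
FTP_SERVICE = {
    "initial": [(21, 21), (990, 990)],
    "client_initiated": [(1024, 65535), (989, 989)],
    "server_initiated": [(1024, 65535), (989, 989)],
}


def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Connection:
    process: str
    direction: str      # "in": remote host connected to us; "out": we connected out
    local_port: int
    remote_port: int


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                     # key of PRIORITY
    process: str = "*"              # process name, or "*" for any
    direction: str = "*"            # "in", "out" or "*"
    local_ports: tuple = ((1, 65535),)
    service: Optional[dict] = None  # a network service such as FTP_SERVICE
    role: str = "client"            # how the local process uses the service


def service_allows(rule, conn, sessions):
    """Does the connection fit the rule's service in the rule's role?

    Model assumption: 'subsequent' connections are only recognised after the
    initial connection was seen in the same role (sessions[role] is True).
    """
    svc = rule.service
    if rule.role == "client":
        initial = conn.direction == "out" and in_ranges(conn.remote_port, svc["initial"])
        if initial or not sessions.get("client"):
            return initial
        if conn.direction == "out":
            return in_ranges(conn.remote_port, svc["client_initiated"])
        return in_ranges(conn.local_port, svc["server_initiated"])
    # server role is the mirror image: the host must have accepted the control channel
    initial = conn.direction == "in" and in_ranges(conn.local_port, svc["initial"])
    if initial or not sessions.get("server"):
        return initial
    if conn.direction == "in":
        return in_ranges(conn.local_port, svc["client_initiated"])
    return in_ranges(conn.remote_port, svc["server_initiated"])


def matches(rule, conn, sessions):
    if rule.process not in ("*", conn.process):
        return False
    if rule.service is not None:
        return service_allows(rule, conn, sessions)
    if rule.direction not in ("*", conn.direction):
        return False
    return in_ranges(conn.local_port, rule.local_ports)


def evaluate(rules, conn, sessions=None):
    """Priority class decides the check order, not list position; first match wins."""
    sessions = sessions or {}
    for rule in sorted(rules, key=lambda r: PRIORITY[r.action]):
        if rule.action == "add_to_app_class":
            continue  # these only tag processes; this model carries no application classes
        if matches(rule, conn, sessions):
            return rule.action, rule.rule_id
    return "allow", None  # no rule restricts the connection (model assumption)


# Constructed stand-in for "rule 335": deny any inbound TCP to a high local port.
RULE_335 = Rule(335, "deny", direction="in", local_ports=((1024, 65535),))
# The wizard-generated exception as first edited: $FTP in the server role.
EXCEPTION_SERVER = Rule(900, "allow", process="ftp.exe", service=FTP_SERVICE, role="server")
# The fix from the last post: same service, client role.
EXCEPTION_CLIENT = Rule(900, "allow", process="ftp.exe", service=FTP_SERVICE, role="client")
# Constructed high-priority deny, to show it beats an allow wherever it sits in the list.
HPD_RULE = Rule(100, "high_priority_deny", process="ftp.exe", direction="in")

# Sample connections: outbound control channel (port X -> 21) and the
# active-mode data channel coming back from server port 20 to local 1098.
CONTROL_OUT = Connection("ftp.exe", "out", local_port=1500, remote_port=21)
DATA_IN = Connection("ftp.exe", "in", local_port=1098, remote_port=20)


def scenario(exception, exception_first=True):
    """Evaluate the data channel with the exception placed before or after rule 335."""
    rules = [exception, RULE_335] if exception_first else [RULE_335, exception]
    sessions = {"client": True}  # this host opened the control channel, as in the thread
    return evaluate(rules, DATA_IN, sessions)


if __name__ == "__main__":
    print("server role:", scenario(EXCEPTION_SERVER))   # denied by 335
    print("client role:", scenario(EXCEPTION_CLIENT))   # allowed by 900
    print("hpd beats allow:", evaluate([EXCEPTION_CLIENT, HPD_RULE, RULE_335], DATA_IN, {"client": True}))
```

Running it reproduces the thread's outcome: with the exception in the server role the inbound data connection still ends at rule 335, and moving the exception ahead of rule 335 in the list changes nothing because allow (priority 3) is already checked before deny (priority 6); the exception simply never matched. In the client role the same connection matches the service and is allowed, while a high-priority deny anywhere in the list wins over the allow.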