4 Replies Latest reply on Nov 15, 2009 10:14 AM by JeffGerard

    Connection Aware Groups- Rules above CAGS, and CAGS above CAGS

      Hi all.

      Apologies for the weird title. It does, though, explain my question.

      With regard to firewall rules for Connection Aware Groups (CAGs) in Host Intrusion Prevention, McAfee states that you should place any fundamental rules you require for connectivity ABOVE the CAG, as once a connection is found that belongs to a CAG, it will only process rules in the CAG and ABOVE ONLY.

      For example, if you create a VPN connection for connectivity from a wireless hotspot, you create rules for establishing the initial network connectivity and for the VPN tunnel, and then, below this, create the CAG for the virtual VPN adapter, and the rules you want associated with the CAG.

      No problems so far.

      My question is this, does this mean that as soon as ANY adapter matches a connection aware group, NO traffic on ANY INTERFACE ever gets the chance to go below that CAG and possibly match another CAG below the CAG in operation?

      For example:

      I have my basic network rules set up at the top.
      I have a CAG for Corporate LAN connectivity, with all IP traffic allowed.
      I have a CAG for VPN connectivity, with all IP traffic allowed.
      I have a CAG for an ActiveSync device (which creates a virtual adapter, with only certain network traffic allowed).

      If I have it in this order, does this mean that when I connect to the corporate LAN and the adapter matches that CAG, my ActiveSync device will NOT work, i.e. traffic will not get a chance to match the CAG below the Corporate LAN CAG, as that CAG is currently in operation?

      Or does it just mean that 'for traffic that does not match any other CAG, and does not match a rule above the CAG which is in operation, it is disregarded'?

      I would just test it, but it will take me a while to configure another ActiveSync/PDA PC. My user's gone walkabout.