3 Replies Latest reply on Jul 18, 2014 10:53 AM by Kary Tankink

    HIPS Firewall Group Network Definitions question

    shake_your_hips

      I am a relatively long time ePO admin, but I haven't been able to find this question answered to my satisfaction in the HIPS 8 product guide.  My question is regarding firewall rule groups and how they are processed in relation to rules.


      I want to explicitly define networks saved in the catalog at the group level so firewall rules contained in the group with only ports defined use those group defined networks.  For example, if I ONLY add two local and remote networks to a group configuration and don't define anything else, will HIP process the firewall settings in the group as a rule allowing any traffic to and from those networks?


      I thought this wouldn't be logical, but I'm unsure.  What I want to happen is something like the following (these are permit not deny):


      Rule Group X

      -Local Network A

      -Local Network B

      -Remote Network A

      -Remote Network B


      Subrule Q within Group X (no networks defined)

      -Remote Port F

      Subrule R within Group X (no networks defined)

      -Local Port G

      Subrule S within Group X (no networks defined)

      -Local Port Range H-J

      -Remote Port K


      I want only the networks defined in the rule group to communicate using the explicitly defined port definitions in the subrules.  One concern is that any port is being allowed at the group level as I am not explicitly defining ports on the group.  I do not want all traffic permitted between the IPs defined at the group level.


      An equal or greater concern is that the subrules are being processed with no networks defined.  I want the networks defined at the group level to be used in the corresponding group's subrules.   I don't want any IP communicating with a host only if the port in the subrule matches.  The network must also match.  I want the networks defined in the group to be used in the subrule.


      Can someone enlighten me if defining groups and subrules this way will function as I think it should?  Thanks!

        • 1. Re: HIPS Firewall Group Network Definitions question
          Kary Tankink

          My question is regarding firewall rule groups and how they are processed in relation to rules.


          I want to explicitly define networks saved in the catalog at the group level so firewall rules contained in the group with only ports defined use those group defined networks.  For example, if I ONLY add two local and remote networks to a group configuration and don't define anything else, will HIP process the firewall settings in the group as a rule allowing any traffic to and from those networks?


          Group criteria do act as a filter for the rules inside the group (i.e., if at a group level you specify IPv4 traffic only, then IPv6 rules will be invalid inside this group).  This applies to any of the criteria (Allow/Block, Direction, Application, Protocol, Local/Remote networks, etc.) specified at the Group level.  The Group criteria doesn't actually ALLOW/BLOCK the traffic, but it's a pre-filter for the firewall rules that will be contained within it (i.e., if you ALLOW ALL at a Group level, you still have to have an ALLOW ALL Firewall rule to actually allow network traffic).

          • 2. Re: HIPS Firewall Group Network Definitions question
            shake_your_hips

            Very helpful Kary!  Thanks.


            So basically, I can extrapolate from your answer that what I'm doing will work then?  Specify source/dest networks at the group level, then specify local/remote ports in subrules within the group?


            This also leads to another question.  Assuming that the answer to this question is yes, would I need to specify both local and remote ports in subrules in order for them to function?  The reason I ask is because sometimes I see dynamically created rules that in my mind shouldn't exist.  Like source local 1024-66535 to dest remote port XXX.  What I was previously doing is specifying only the remote port.  Should I also be including a local high port range in order to function properly?


            This leads to a somewhat related larger question.  I see often times dynamically created rules that exist in the policy and have no need to be created (HIPS 8 Patch 2).  I think I might have isolated this to hosts learning rules upon system start.  Is this an issue with this version of the product that has now been fixed?  Is there another reason this might be happening?  (It isn't a problem with the existing policy.)

            • 3. Re: HIPS Firewall Group Network Definitions question
              Kary Tankink

              So basically, I can extrapolate from your answer that what I'm doing will work then?  Specify source/dest networks at the group level, then specify local/remote ports in subrules within the group?

              Yes, this is possible, but just remember that FW tuning/troubleshooting would include reviewing Group and Rule configuration (not just Rule).



              This also leads to another question.  Assuming that the answer to this question is yes, would I need to specify both local and remote ports in subrules in order for them to function?

              No, you do not have to specify all details.  If no detail is specified, typically an ANY logic is used (e.g., no LOCAL ports specified = ALL LOCAL ports used).  Be aware that for LOCAL/REMOTE ports you can only specify 4 entries (Single or Range) separated by commas.


              Should I also be including a local high port range in order to function properly?

              High range of ports (1024-65535) can be used, and it just limits LOCAL/REMOTE ports to port 1024+.



              This leads to a somewhat related larger question.  I see often times dynamically created rules that exist in the policy and have no need to be created (HIPS 8 Patch 2).  I think I might have isolated this to hosts learning rules upon system start.  Is this an issue with this version of the product that has now been fixed?  Is there another reason this might be happening?  (It isn't a problem with the existing policy.)

              If Firewall rules are being created in Adaptive mode, then that means there was no existing Firewall rule that matched in the policy.  Rule config is the most likely cause.
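As an added illustration (not McAfee HIPS code, and not written by either poster), here is a small Python model of the behaviour Kary describes in replies 1 and 3: group criteria only pre-filter which packets the group's rules may see, an unspecified field means ANY, a port field holds at most four comma-separated entries, and a packet that matches no rule is exactly the case in which Adaptive mode would learn a new rule. The networks, ports and packets are constructed sample values.

```python
# Added example, not McAfee/HIPS product code: a toy model of the semantics in
# this thread. Group criteria are only a pre-filter for the rules inside the
# group; a rule inside decides allow/block; an unspecified criterion means ANY;
# a port field takes at most 4 comma-separated entries. Addresses are made up.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

def parse_ports(spec: Optional[str]):
    """'80,443,1024-65535' -> [(80, 80), (443, 443), (1024, 65535)]; None = ANY."""
    if spec is None:
        return None
    entries = [e.strip() for e in spec.split(",")]
    if len(entries) > 4:
        raise ValueError("HIPS port fields accept at most 4 entries")
    return [(int(lo), int(hi or lo)) for lo, _, hi in (e.partition("-") for e in entries)]

@dataclass
class Criteria:
    name: str
    action: Optional[str] = None        # "allow"/"block" on rules; ignored on groups
    local_ports: Optional[str] = None   # None = ANY
    remote_ports: Optional[str] = None
    local_nets: Optional[list] = None   # CIDR strings; None = ANY
    remote_nets: Optional[list] = None

    def matches(self, pkt) -> bool:
        def port_ok(spec, port):
            r = parse_ports(spec)
            return r is None or any(lo <= port <= hi for lo, hi in r)
        def net_ok(spec, ip):
            return spec is None or any(ip_address(ip) in ip_network(n) for n in spec)
        return (port_ok(self.local_ports, pkt["lport"]) and port_ok(self.remote_ports, pkt["rport"])
                and net_ok(self.local_nets, pkt["lip"]) and net_ok(self.remote_nets, pkt["rip"]))

def evaluate(policy, pkt):
    """(action, 'group/rule'), or ('no-match', None): the case in which Adaptive
    mode would learn a rule because nothing in the policy matched."""
    for group, rules in policy:
        if not group.matches(pkt):
            continue                    # pre-filter failed; its rules are never consulted
        for rule in rules:
            if rule.matches(pkt):
                return rule.action, f"{group.name}/{rule.name}"
    return "no-match", None

# Group X carries only networks (as in the original post); subrules carry only ports.
GROUP_X = Criteria("Group X", local_nets=["10.1.0.0/16"], remote_nets=["192.0.2.0/24"])
POLICY = [(GROUP_X, [Criteria("Subrule Q", "allow", remote_ports="443"),
                     Criteria("Subrule S", "allow", local_ports="5000-5010", remote_ports="22")])]
```

Note that a packet inside the group's networks but on a port no subrule names falls through to no-match: the group's networks by themselves allow nothing.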