
New action "continue" in the firewall rule

Created: 02 Mar 2012 • Updated: 05 Mar 2012 | 10 comments
Fdaniel
2 Agree
0 Disagree
+2 2 Votes
Status: In Review

I would like the feature to set action to “Continue” or similar in the SEPM firewall policy. This is needed when you, for example, want to log the usage of an application and also want the application to continue to process the rest of the rules until it gets a hit in the policy.

10 Comments

NRaj

I believe that is how it is designed now. If you choose log, it will log the application usage and continue to process the other rules.

0
Fdaniel

But you need to choose either block or allow on the action for the rule?

0
NRaj

Under action you choose to block or allow. Then under logging, you can write to the logs (traffic / packet).

If you have to choose block, there is no point in going further with the remaining rules. If it is allowed, it will process the remaining rules.

Also note that the order of the rules takes precedence.

Hope I am clear.

0
Fdaniel

Ahh, ok. I didn't know that the firewall continued to process the other rules when it got an "allow".

0
Elisha

> the firewall continued to process the other rules when it got an "allow"

This is not true! Once a rule is triggered, whether it is an allow or a block, the firewall will stop processing rules at that point. Once the traffic is allowed or blocked there is no need to continue processing the rule set.

The "continue" action would be needed for cases where you want to log specific traffic regardless of whether it was blocked or allowed by the ruleset below. I can understand the theoretical use case for this. However, I have never seen a real use case for this.

Can you detail your firewall policy and how a "continue" action would be used?

0
i09172

Actually, it does appear to be true. I set a rule to Allow an application for a specific DNS host name (let's say "Client-1") and another Block rule following it to block that same application for all clients on that LAN, and the Block rule was processed. The application would not run on "Client-1".

0
Fdaniel

In our rules, we have an ”allow all outgoing” rule. Beneath this, we specify all applications etc. which we allow incoming traffic for, e.g. incoming traffic on port 135 against outlook.exe.

One example where we want to log the traffic and continue to process the rules is when you, at the top of the policy, use the suggested idea “LOG traffic” for a specific exe or similar. After this, you can specify if you like to block or allow this traffic; however, you know if any traffic is communicating on the given rule.

In this way you can see, when you open up for RDP on 3389 from certain servers against the clients in a rule, whether svchost.exe or ntoskrnl.exe will allow the RDP traffic instead of the “3389 rule”, by logging the svchost and ntoskrnl rules. Does this make sense? :)

0
Elisha

Yes, that makes sense. I can understand how the continue rule would make this easier. However, the cases you mention could be solved without the continue action.

Let's take the RDP example. If you create a rule at a higher priority to allow svchost.exe and ntoskrnl.exe on port 3389 and log the traffic, then in a lower priority rule you could allow all traffic on port 3389 to any application. This would give you the same results as those requested by the continue action.

0
Fdaniel

Elisha, if you get a hit in the “higher priority” rule on allow and log, it will not continue to process the rules and therefore a lower priority rule would not work.

To make it more understandable, I want it to work more like the Application and Device Control policy. There you have the option “Continue to processing other rules” and the possibility to "Enable logging".

0
Elisha
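The rule-processing behaviour argued over above, as an added illustration that is not SEPM code and not code posted by anyone in the thread: a minimal first-match evaluator in which allow/block end evaluation, while a hypothetical "continue" action only logs and keeps going, applied to Fdaniel's RDP-on-3389 case. The rule fields, host addresses and the policy itself are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

ANY = "*"
Packet = namedtuple("Packet", "app port host")  # constructed, simplified flow

@dataclass
class Rule:
    name: str
    action: str  # "allow"/"block" end evaluation; "continue" only logs
    app: str = ANY
    port: Optional[int] = None
    host: str = ANY
    log: bool = False

def matches(rule, pkt):
    return ((rule.app == ANY or rule.app.lower() == pkt.app.lower())
            and (rule.port is None or rule.port == pkt.port)
            and (rule.host == ANY or rule.host == pkt.host))

def evaluate(rules, pkt, default="block"):
    """Walk rules in priority order; return (decision, names of rules that
    logged). The first matching allow/block wins, as the thread describes;
    a matching "continue" rule records a log entry and keeps going."""
    logged = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.log or rule.action == "continue":
            logged.append(rule.name)
        if rule.action in ("allow", "block"):
            return rule.action, logged
    return default, logged

# Constructed policy for the RDP case: log which process carries port 3389,
# then let the later rules decide (RDP allowed only from one admin host).
POLICY = [
    Rule("log svchost on 3389", "continue", app="svchost.exe", port=3389),
    Rule("log ntoskrnl on 3389", "continue", app="ntoskrnl.exe", port=3389),
    Rule("RDP from admin host", "allow", port=3389, host="10.0.0.5"),
    Rule("block other RDP", "block", port=3389),
    Rule("allow all outgoing", "allow"),
]

def without_continue(rules):
    """Same policy with today's actions only: the logging rules must allow
    (and log), so they terminate evaluation and shadow the later RDP rules."""
    return [Rule(r.name, "allow", r.app, r.port, r.host, True)
            if r.action == "continue" else r for r in rules]
```

Evaluating a svchost.exe flow on 3389 from a non-admin host against `POLICY` logs it and then blocks it; against `without_continue(POLICY)` the logging rule itself allows it, which is the shadowing the thread is about.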

Ok, thanks for your comments on this. I understand the use case.

0