Firewall rule not working!

(imported topic written by SystemAdmin)

Hello Bigfix

I intend to apply some complex dynamic firewall rules on my clients, and since this is my first time testing BigFix Firewall, I was just testing a few simple static rules, which unfortunately didn't work.

I'm testing a rule which blocks all traffic on my test machine (a virtual machine), and here is the XML file which was automatically generated using your wizard:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- the "*" (match anything) attribute values below are assumed: the forum import stripped them -->
<Rule id="NS1" zone="1" priority="high" dir="in_out" prot="tcp_udp" locport="*" remport="*" remaddr="*" app="*" account="both" desc="test_block">

When I run BESFirewallCtrl.exe filename.xml

I find this error in the log file BESFirewallCtrl.log:

"Could not change firewall policy. Firewall XML is not formatted correctly"

and when I manually change the encoding of the XML file to UTF-16, the error message changes to:

"– -1 – Zone must be safe (0) or dangerous (1)
– -1 – That is not a file."

I have tried changing the rules and the zone configuration, but I get the same error.

I didn't find any documentation for this command!

Can anyone advise how to overcome this problem?

Thanks

Hamed

(imported comment written by arnaud91)

Hello Ahmed,

Can you give some more details:

  1. BES component versions

Can you provide:

BES Server version

BES Client version

BES Firewall version

BES Logging Service version

You can find this information in the BES Console, "Computers" tab, by double-clicking the computer on which you are testing the BigFix Firewall.

  2. Is the XML policy file applied? To check this, look at this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall

There is a value named "ActivePolicy". The default value is "default.xml". If the profile has been applied, this value should contain the full path to the XML file, something like: C:\Program Files\BigFix Firewall\FirewallPolicy\policyname.xml

  3. About the command line to apply the policy, here is the correct syntax:

BESFirewallCtrl.exe -z 0 -p "C:\Program Files\BigFix Firewall\FirewallPolicy\filename.xml"

You have to give the full path to the XML file, in double quotes.

  4. According to the network card name given as the interface name in the XML file, it seems that you are testing the BigFix Firewall in VMware. That isn't a problem; I am just wondering why the name ends with "#2". Maybe the policy is applied, but your VMware guest is not using this network card, and so the rules don't apply.

Regards,

Arnaud

(imported comment written by SystemAdmin)

Hello Arnaud :wink:

1- BES Server and Client versions are 7.0.9 (I'll upgrade soon to the latest version, 7.1.1).

Firewall version: 1.2

Logging Service version: I think the latest version.

2- No, the XML policy is not applied; the applied policy is still the default one, and ActivePolicy is still "default.xml".

3- Yes Arnaud, I know this syntax, and it still gives me the same error message in the log file, although the XML file is generated by the Wizard:

"Could not change firewall policy. Firewall XML is not formatted correctly"

4- Yes, I'm testing on virtual machines, and yes, the adapter name is "VMware Accelerated AMD PCNet Adapter #2"!

My questions are:

  • Are you really sure that such firewall policies can work normally on virtual machines?

  • Should I define zone interface names in my policy in order for it to work correctly? I mean, if I didn't define any zone interfaces in my firewall policy, can it work normally on the default adapter?

  • Is there any guide for using the BESFirewallCtrl.exe command and its errors?

Thanks

Regards

Ahmed Hamed

(imported comment written by arnaud91)

Ahmed,

I tested firewall policies in VMware; it works fine.

Could you try to create a rule through the "BigFix Firewall Policy Wizard", preventing TCP_UDP traffic, but not applying it to a specific zone (select *)?

Also, could you export the action that failed (in “Actions” tab, right-click on the action, then export) and include it in your answer?

Regards,

Arnaud

(imported comment written by SystemAdmin)

Arnaud

I did what you requested, and as usual the action completed successfully but the policy was not applied, and in the log file BESFirewallCtrl.log I can see the same error message:

"Thu, 04 Dec 2008 08:28:10 -0500
– -1 – Could not change firewall policy. Firewall XML is not formatted correctly"

I exported the action and here it is:

=========================================================================

<?xml version="1.0" encoding="UTF-8"?>
BigFix Firewall - Deploy Firewall Policy: Block

(exists key "HKEY_LOCAL_MACHINE\SOFTWARE\CA\HIPSEngine\Products\BigFixFW" whose (exists value "UninstallCmdLine" of it) of registry) AND (name of it = "Win2000" OR name of it = "WinXP" OR name of it = "Win2003" OR name of it = "WinVista" OR name of it = "Win2008") of operating system

<![CDATA[
if {NOT exists folder ((value "FirewallPolicyPath" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall\ComplianceFirewallMap" of registry) as string)}
delete __appendfile
delete mkdir.bat
appendfile @ECHO OFF
appendfile mkdir "{((value "FirewallPolicyPath" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall\ComplianceFirewallMap" of registry) as string)}" > NUL 2> NUL
copy __appendfile mkdir.bat
wait "{pathname of client folder of site "BESSupport"}\RunQuiet.exe" mkdir.bat
delete mkdir.bat
endif
delete __createfile
// the "*" (match anything) attribute values in the rule below are assumed: the forum import stripped them
createfile until __Done_With_FileCreation
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Rule id="NS1" priority="low" dir="in_out" prot="tcp_udp" locport="*" remport="*" remaddr="*" app="*" account="both" desc="Block">
__Done_With_FileCreation
delete "Block.xml"
move __createfile "Block.xml"
// keep the previous Block.xml, renamed with the UTC action issue date (Block_YYYYMMDD_HHMMSS.xml)
if {exists files ((value "InstallDir" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall" of registry as string) & "FirewallPolicy\Block.xml")}
move "{(value "InstallDir" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall" of registry as string) & "FirewallPolicy\Block.xml"}" "{(value "InstallDir" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall" of registry as string) & "FirewallPolicy\" & (preceding text of first ".xml" of "Block.xml" & "_" & ((((year of it as string & (if (length of it < 2) then ("0" & it) else it) of (month of it as integer as string) & (if (length of it < 2) then ("0" & it) else (it)) of (day_of_month of it as string)) of (date ("+0000" as time zone) of it)) & "_" & (((if (length of it < 2) then ("0" & it) else it) of (hour_of_day of it as string) & (if (length of it < 2) then ("0" & it) else it) of (minute_of_hour of it as string) & (if (length of it < 2) then ("0" & it) else it) of (second_of_minute of it as string)) of (time ("+0000" as time zone) of it))) of (parameter "action issue date" of action as time)) & ".xml")}"
endif
move "Block.xml" "{(value "InstallDir" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall" of registry as string) & "FirewallPolicy\Block.xml"}"
// only hand the policy to the engine when all four CA HIPS services are up
continue if {(exists service "UmxAgent" whose (state of it = "Running") AND exists service "UmxCfg" whose (state of it = "Running") AND exists service "UmxFwHlp" whose (state of it = "Running") AND exists service "UmxPol" whose (state of it = "Running"))}
wait "{(value "InstallDir" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall" of registry as string) & "BESFirewallCtrl.exe"}" -z 0 -p "{(value "InstallDir" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall" of registry as string) & "FirewallPolicy\Block.xml"}"
]]>

(action settings followed here in the export: a series of true/false flags and the end offset P1DT23H59M5S, plus NoRequirement and AllUsers; the element names were lost when the post was imported)

=====================================================================

Thanks

Regards

Ahmed Hamed

(imported comment written by arnaud91)

Well… I imported your action in my test platform, and deployed it successfully on a BES Client running in a VMware.

Could you please uninstall and re-install the BigFix Firewall, and test again?

Arnaud

(imported comment written by SystemAdmin)

OK, thanks Arnaud, it seems that it is a machine problem!

I have two last questions and I hope you can answer them.

1- When I apply a firewall rule that blocks all traffic on a client, logically it should not block the BES Client's own traffic on the default port 52311, am I right?

I'm asking this question because I found three registry keys called "BESPortOpen", "BESICMPopen" and "DNSopen", and as BigFix says, as long as these registry keys = 1, the traffic should not be blocked even if you have applied a rule that blocks all traffic.

2- If I need to make a rule that blocks only HTTP traffic, should I specify the application "iexplore.exe" and the port "80" in my rule, or is the port alone enough?

Because when I specified only the port "80" in the rule, I discovered that HTTP traffic through Internet Explorer is still allowed!

Thanks

(imported comment written by arnaud91)

Hi Ahmed,

  1. Exactly. Whatever rule you apply on the firewall, it will always allow BES traffic. By default, BES traffic, ICMP and DNS are allowed. You can check this by looking at the registry keys you mentioned: if the value is 1, the traffic is allowed. So even if you apply a "block all" rule, you will still be able to modify it through the BES Console.

  2. To block HTTP traffic, you only have to create a rule that prevents outbound traffic on TCP port 80 (and TCP 443 if you also want to block HTTPS).

Can you send a copy of the rule you applied, to check if parameters are ok?

Arnaud
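The thread turns on two things: the policy file has to be well-formed XML whose declared encoding matches its bytes (the "Firewall XML is not formatted correctly" error, and the poster's hand re-save to UTF-16), and BESFirewallCtrl.exe wants -z 0|1 and -p with the full, quoted path (the "Zone must be safe (0) or dangerous (1)" / "That is not a file" errors). The script below is an added example, not code from the thread or from BigFix: it builds a Rule file using only the attribute names and tokens that appear in the wizard output above, checks a file for the failure modes discussed, and assembles the command line Arnaud gives, including the TCP 80 rule he suggests. Assumptions, labelled in the code: "*" is the match-anything attribute value (the import stripped it), a policy may consist of a single Rule document element, and the install directory is the default one from Arnaud's example. Because the page shows no outbound-only or TCP-only token, the HTTP rule keeps dir="in_out" and prot="tcp_udp" and narrows only remport.

```python
"""Build and sanity-check a BigFix Firewall policy file before BESFirewallCtrl.exe sees it.

Added example for this thread, not BigFix code. Assumptions: "*" is the
match-anything attribute value, a policy may be a single <Rule/> document element,
and the install path is the default from the thread.
"""
import re
import subprocess
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

RULE_ATTRS = ("id", "zone", "priority", "dir", "prot", "locport",
              "remport", "remaddr", "app", "account", "desc")
# Tokens seen in the thread's wizard output; anything else is reported, not rejected.
SEEN = {"priority": {"high", "low"}, "dir": {"in_out"},
        "prot": {"tcp_udp"}, "account": {"both"}}
ZONES = ("0", "1")  # BESFirewallCtrl -z: 0 = safe, 1 = dangerous


def build_rule(rule_id, desc, *, zone=None, priority="low", dir="in_out",
               prot="tcp_udp", locport="*", remport="*", remaddr="*", app="*",
               account="both", encoding="UTF-8"):
    """Serialize one Rule; the XML declaration always matches the bytes produced."""
    values = dict(id=rule_id, zone=zone, priority=priority, dir=dir, prot=prot,
                  locport=locport, remport=remport, remaddr=remaddr, app=app,
                  account=account, desc=desc)
    attrs = " ".join(f"{k}={quoteattr(str(values[k]))}"
                     for k in RULE_ATTRS if values[k] is not None)
    text = (f'<?xml version="1.0" encoding="{encoding}" standalone="no"?>\n'
            f"<Rule {attrs}/>\n")
    return text.encode(encoding)


def check_policy(data):
    """Return the problems BESFirewallCtrl would trip over; [] means the file looks deployable."""
    problems = []
    # 1. Encoding: a file re-saved as UTF-16 while the declaration still says UTF-8
    #    (what the poster tried) is rejected before any tag is looked at.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        bom = "UTF-16"
    elif data.startswith(b"\xef\xbb\xbf"):
        bom = "UTF-8"
    else:
        bom = None
    head = data[:256].decode(bom or "utf-8", errors="replace")
    match = re.search(r'encoding="([^"]+)"', head)
    declared = match.group(1).upper() if match else "UTF-8"
    if bom and bom != declared:
        return [f"declaration says {declared} but the file bytes are {bom}"]
    # 2. Well-formedness: split attribute values and unbalanced quotes land here.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # 3. Per-rule checks, reusing the tool's own wording for the zone error.
    for rule in root.iter("Rule"):
        rid = rule.get("id", "?")
        for name in ("id", "dir", "prot", "desc"):
            if rule.get(name) is None:
                problems.append(f"{rid}: missing attribute {name}")
        if rule.get("zone") not in (None, *ZONES):
            problems.append(f"{rid}: Zone must be safe (0) or dangerous (1)")
        for name, allowed in SEEN.items():
            value = rule.get(name)
            if value is not None and value not in allowed:
                problems.append(f"{rid}: {name}={value!r} is not a token shown in the wizard output")
    return problems


def build_ctrl_command(policy_path, zone,
                       install_dir=r"C:\Program Files\BigFix Firewall"):
    """Assemble the invocation the thread settles on: -z <0|1> -p "<full path>"."""
    if str(zone) not in ZONES:
        raise ValueError("Zone must be safe (0) or dangerous (1)")
    if not re.match(r"^[A-Za-z]:\\.+\.xml$", policy_path):
        raise ValueError("-p needs the full path to the .xml file, not a bare filename")
    argv = [install_dir + r"\BESFirewallCtrl.exe", "-z", str(zone), "-p", policy_path]
    return argv, subprocess.list2cmdline(argv)  # list2cmdline applies Windows quoting


if __name__ == "__main__":
    block_all = build_rule("NS1", "Block")                      # the poster's block-all rule
    no_web = build_rule("NS2", "no_web", zone=1, remport="80")  # Arnaud's TCP 80 suggestion
    resaved = block_all.decode("utf-8").encode("utf-16")        # manual re-save to UTF-16
    for label, data in (("block_all", block_all), ("no_web", no_web), ("resaved", resaved)):
        print(label, check_policy(data) or "ok")
    print(build_ctrl_command(r"C:\Program Files\BigFix Firewall\FirewallPolicy\Block.xml", 0)[1])
```

Run check_policy over the file the action drops in FirewallPolicy\ before the wait line calls BESFirewallCtrl.exe; a clean file plus the -z/-p form above should leave ActivePolicy under HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Firewall pointing at the full path instead of default.xml, which is the confirmation Arnaud asks for. The unknown-token report is deliberately a warning rather than a rejection, because the thread shows only a handful of the engine's values.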