Announcement

Collapse
No announcement yet.

CCS Firewall, who uses it? And what is your experience?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • CCS Firewall, who uses it? And what is your experience?

    We have a wide variety of customers using CCS/AEP; and all of them are happy with it except when it comes to the firewall section......

    I know this post is subjective and a touchy subject, but we would like to get some honest feedback on: -
    1. Do you use the firewall?
    2. Do you have issues with the firewall?
    3. What would you like from the firewall?
    4. Would you like the firewall replaced with "Windows Application Firewall" & "IPTables" Management instead?
    Robin
    Director
    Strobe Technologies Ltd
    https://www.strobe-it.co.uk/

  • #2
    here are our answers: -

    Do you use the firewall?
    We do on about 30% of the clients, but this is reducing all the time due to constant issues.


    Do you have issues with the firewall?
    Yes, lots of issues; here are a few..
    • Cannot create simple easy rules as control panel profile settings too complicated.
    • Basic functions like Peer-to-Peer printer and file sharing does not work.
    • When firewall is working; you often cannot get DOS/CLI or other applications to be allowed to access network (other components accept allow rules)
    • Network card driver updates can kill the firewall requiring a reboot or re-install of CCS


    What would you like from the firewall?
    A firewall that gives you a simple and complete configuration setup like a firewall should.
    So for instance you create an inbound for a pre-defined service like FTP or a port like TCP 21.
    Obviously you need to be able to create services, so for instance 3CX telephone server requires port TCP 5001 for management and many others for calls. You could create a 3CX service which has many requirements on TCP, UDP and ICMP etc.

    Rules should allow you to specify local network (trusted as in Windows configured as Home or Home, not public) allowing rules to be applied across many different businesses with ease.


    Would you like the firewall replaced with "Windows Application Firewall" & "IPTables" Management instead?
    Being honest, yes!
    I say this has Linux Community and Microsoft know their networking stacks better than antivirus companies.
    Having your AV company manage and deploy rules into these firewalls would be an excellent move as you know your not going to get any conflicts taking down your business networks.



    At the end of the day; I do not mind Comodo firewall if it worked 100% as it was configured and actually had the ability to be configured well/correctly.
    Robin
    Director
    Strobe Technologies Ltd
    https://www.strobe-it.co.uk/

    Comment


    • #3
      Just disabled the firewall via the profile on all our clients until the problem with CCS 11.2 is sorted (obv not ideal).. This issue has made me consider if the firewall is worth reenabling due to concern of apparent recurring issues with it.
      Last edited by Ed_Johnson; 04-15-2019, 09:28 PM.

      Comment


      • #4
        Would this effect a Mac client who isnt running CCS somehow?

        Comment


        • #5
          Velvis ,

          This will not. Our Development Team confirmed that this issue only affects Windows Endpoints.

          Comment


          • #6
            This pretty much echo's the responses above but here is some feedback
            1. Do you use the firewall?
              1. No even in testing there were too many problems (either stability or performance)
            2. Do you have issues with the firewall?
              1. Anytime I have used it (one Windows 10, 7, Server 2008/2016) the biggest issue was a huge hit to performance. Honestly CCS by itself really hurts performance especially endpoints with HDD vs SDD. Often, any slight change to the NIC (and even firewall settings themselvs) would cause it to hang up/freeze the NIC. Uninstalling is also hit and miss. I always have to use the removal tool.
            3. What would you like from the firewall?
              1. I don't believe the firewall is a good feature of CCS just as their has been to much history of issues. Configuration intuitiveness isn't great, though I've seen worse. Even if these issues are fixed, it will take a long time to rebuild trust in it staying that way. I think development should be shifted to just the application layer security as this is were Comodo shines (aside from performance, which could be improved). I prefer to use the windows firewall as it is sufficient when combined with CCS w/firewall off. I don't think this issue is limited to Comodo though, I don't have a lot of success with application firewalls regardless of vendor. Some better than others. I think this is a case of Windows own built-in option being the most stable and effective enough, at least in my usage scenerio's.
            4. Would you like the firewall replaced with "Windows Application Firewall" & "IPTables" Management instead?
              1. This I believe to be a great idea. Honestly I can't think of another RMM product that does this, at least without scripts or some convoluted process. Would be a fantastic addition to remote tools and profiles. +1

            Comment


            • #7
              Comodo are rolling back to last months version (v11.1) which still had issues when we used it, but according to release notes it is fixed.

              Who will be risking their business going offline to test?
              Robin
              Director
              Strobe Technologies Ltd
              https://www.strobe-it.co.uk/

              Comment


              • #8
                I cant believe this.. they are rolling back AGAIN?? I already have 20% of my endpoints with the firewall disabled.. may as well just push that profile out to all endpoints.

                Why dont they just release a newer version of CCS with 11.1 as the core. Would be far simpler than having to remove ccs from endpoints and then having to reinstall an older version.

                For anyone interested.. we have an identical profile to our default one, but with the firewall disabled and the ccs taskbar icon hidden so as not to panic our clients with the big red X.. This is prob the best option as the windows security dashboard will report the security as all well and the windows firewall as active. Less chance of a client panicing over warning from ccs that it needs fixing.. Of course if they manually open the ccs client it will still say it needs fixing. But much less chance this way of upsetting the clients.

                Comment


                • #9
                  StrobeTech , Ed_Johnson , Velvis eztech ,

                  Hi Everyone,

                  Our Development Team would like to confirm that the issue will be resolved this Saturday's release. We welcome any discussions further with the New CCS release. Please note that the CCS will not be reverted nor rolled back to an older version. As stated previously on June release notes APPENDIX-1 . Only the firewall will be reverted back to 11.1 as explained under Connectivity Issues Regarding CCS v11.2 section. We hope clarifies your queries.
                  Last edited by Jimmy; 06-06-2019, 03:45 PM.

                  Comment


                  • #10
                    Yes, it is only the firewall module....
                    But we have had issues on and off with the firewall since V10.

                    I'm hopefully going to test having no firewall tab in my profile again as discussed with Dev to see if this successfully removes the firewall and warnings.

                    If this does I'll let everyone know as I know we will be then looking to do this by default until a new firewall system is introduced.
                    Robin
                    Director
                    Strobe Technologies Ltd
                    https://www.strobe-it.co.uk/

                    Comment


                    • #11
                      Interested in seeing if this removes the warnings from CCS.

                      Mark
                      CIO
                      Coastal Network Solutions
                      https://www.Coastal-NS.com/

                      Comment


                      • #12
                        We have rolled this policy to a handful of devices and so far this has successfully done what is needed which never used to happen.

                        The experience we have seen so far is: -
                        * Tray icon is Comodo C not an X
                        * Opening application shows green box saying protected
                        * Expanding application state does not list firewall to turn on or off
                        * Endpoint Manager shows the device with a white box for FW as in not installed instead of grey for disabled
                        * Endpoint Manager shield shows as green for protected instead of red or yellow


                        Due to this disabled option now doing what it is designed to, we have started rolling this as our default policy.

                        Hopefully this information helps.

                        Robin
                        Director
                        Strobe Technologies Ltd
                        https://www.strobe-it.co.uk/

                        Comment


                        • #13
                          Hi Robin.. can you elaborate a little.. what did you changed in the profile policy to achieve this?? Which version of EM and CCS?
                          Last edited by Ed_Johnson; 06-10-2019, 07:33 AM.

                          Comment


                          • #14
                            Hi Ed_Johnson

                            I cloned my profile so I could test it on some machines.

                            I then edited the profile and done the following :-
                            1. Select firewall tab from profile
                            2. Click on delete button

                            Once I did that I assigned it to a few computers which was successful and saw networking and VPN traffic speed up dramatically as well as all the bits listed above.

                            We are now changing the profile slowly across our clients. We are doing it this way so we still have a configured firewall version just in case.
                            Robin
                            Director
                            Strobe Technologies Ltd
                            https://www.strobe-it.co.uk/

                            Comment


                            • #15
                              Hi Robin..

                              I can confirm this works perfectly so far. The same procedure works for that pesky Containment. Although I really do not want to disable containment we have some clients where trusting applications simply does not work and I cant get them to work any other way than disabling containment.

                              Specifically... Farmplan. Gatekeeper. Articad. Easyquote.. and anything with sentinal dongle.

                              So I now have three clones of my standard Windows profile.. one with Firewall disabled.. one with Containment disabled and one with both disabled.. all report CCS running perfectly with no red warnings.

                              Comment

                              Working...
                              X