CCS Firewall, who uses it? And what is your experience?

We have a wide variety of customers using CCS/AEP; and all of them are happy with it except when it comes to the firewall section…

I know this post is subjective and a touchy subject, but we would like to get some honest feedback on: -

  • Do you use the firewall?
  • Do you have issues with the firewall?
  • What would you like from the firewall?
  • Would you like the firewall replaced with "Windows Application Firewall" & "IPTables" Management instead?

Here are our answers: -

Do you use the firewall?
We do on about 30% of the clients, but this is reducing all the time due to constant issues.

Do you have issues with the firewall?
Yes, lots of issues; here are a few…

  • Cannot create simple easy rules as control panel profile settings are too complicated.
  • Basic functions like Peer-to-Peer printer and file sharing do not work.
  • When firewall is working; you often cannot get DOS/CLI or other applications to be allowed to access network (other components accept allow rules)
  • Network card driver updates can kill the firewall requiring a reboot or re-install of CCS

What would you like from the firewall?
A firewall that gives you a simple and complete configuration setup like a firewall should.
So for instance you create an inbound for a pre-defined service like FTP or a port like TCP 21.
Obviously you need to be able to create services, so for instance 3CX telephone server requires port TCP 5001 for management and many others for calls. You could create a 3CX service which has many requirements on TCP, UDP and ICMP etc.

Rules should allow you to specify local network (trusted as in Windows configured as Home or Home, not public) allowing rules to be applied across many different businesses with ease.

Would you like the firewall replaced with “Windows Application Firewall” & “IPTables” Management instead?
Being honest, yes!
I say this as the Linux Community and Microsoft know their networking stacks better than antivirus companies.
Having your AV company manage and deploy rules into these firewalls would be an excellent move as you know you're not going to get any conflicts taking down your business networks.

At the end of the day; I do not mind Comodo firewall if it worked 100% as it was configured and actually had the ability to be configured well/correctly.

Just disabled the firewall via the profile on all our clients until the problem with CCS 11.2 is sorted (obv not ideal)… This issue has made me consider if the firewall is worth reenabling due to concern of apparent recurring issues with it.

Would this affect a Mac client who isn't running CCS somehow?

@Velvis ,

This will not. Our Development Team confirmed that this issue only affects Windows Endpoints.

This pretty much echoes the responses above but here is some feedback

  • Do you use the firewall?
    • No, even in testing there were too many problems (either stability or performance)
  • Do you have issues with the firewall?
    • Anytime I have used it (on Windows 10, 7, Server 2008/2016) the biggest issue was a huge hit to performance. Honestly CCS by itself really hurts performance especially endpoints with HDD vs SSD. Often, any slight change to the NIC (and even firewall settings themselves) would cause it to hang up/freeze the NIC. Uninstalling is also hit and miss. I always have to use the removal tool.
  • What would you like from the firewall?
    • I don't believe the firewall is a good feature of CCS just as there has been too much history of issues. Configuration intuitiveness isn't great, though I've seen worse. Even if these issues are fixed, it will take a long time to rebuild trust in it staying that way. I think development should be shifted to just the application layer security as this is where Comodo shines (aside from performance, which could be improved). I prefer to use the windows firewall as it is sufficient when combined with CCS w/firewall off. I don't think this issue is limited to Comodo though, I don't have a lot of success with application firewalls regardless of vendor. Some better than others. I think this is a case of Windows own built-in option being the most stable and effective enough, at least in my usage scenarios.
  • Would you like the firewall replaced with "Windows Application Firewall" & "IPTables" Management instead?
    • This I believe to be a great idea. Honestly I can't think of another RMM product that does this, at least without scripts or some convoluted process. Would be a fantastic addition to remote tools and profiles. +1

Comodo are rolling back to last month's version (v11.1) which still had issues when we used it, but according to release notes it is fixed.

Who will be risking their business going offline to test?

I can't believe this… they are rolling back AGAIN?? I already have 20% of my endpoints with the firewall disabled… may as well just push that profile out to all endpoints.

Why don't they just release a newer version of CCS with 11.1 as the core? Would be far simpler than having to remove ccs from endpoints and then having to reinstall an older version.

For anyone interested… we have an identical profile to our default one, but with the firewall disabled and the ccs taskbar icon hidden so as not to panic our clients with the big red X… This is prob the best option as the windows security dashboard will report the security as all well and the windows firewall as active. Less chance of a client panicking over warning from ccs that it needs fixing… Of course if they manually open the ccs client it will still say it needs fixing. But much less chance this way of upsetting the clients.

@StrobeTech , @Ed_Johnson , @Velvis @eztech ,

Hi Everyone,

Our Development Team would like to confirm that the issue will be resolved in this Saturday’s release. We welcome any discussions further with the New CCS release. Please note that the CCS will not be reverted nor rolled back to an older version. As stated previously on June release notes APPENDIX-1, only the firewall will be reverted back to 11.1 as explained under Connectivity Issues Regarding CCS v11.2 section. We hope this clarifies your queries.

Yes, it is only the firewall module…
But we have had issues on and off with the firewall since V10.

I’m hopefully going to test having no firewall tab in my profile again as discussed with Dev to see if this successfully removes the firewall and warnings.

If this does I’ll let everyone know as I know we will be then looking to do this by default until a new firewall system is introduced.

Interested in seeing if this removes the warnings from CCS.

Mark
CIO
Coastal Network Solutions
https://www.Coastal-NS.com/

We have rolled this policy to a handful of devices and so far this has successfully done what is needed which never used to happen.

The experience we have seen so far is: -

  • Tray icon is Comodo C not an X
  • Opening application shows green box saying protected
  • Expanding application state does not list firewall to turn on or off
  • Endpoint Manager shows the device with a white box for FW as in not installed instead of grey for disabled
  • Endpoint Manager shield shows as green for protected instead of red or yellow

Due to this disabled option now doing what it is designed to, we have started rolling this as our default policy.

Hopefully this information helps.

Hi Robin… can you elaborate a little… what did you change in the profile policy to achieve this?? Which version of EM and CCS?

Hi @Ed_Johnson

I cloned my profile so I could test it on some machines.

I then edited the profile and did the following: -

  1. Select firewall tab from profile
  2. Click on delete button

Once I did that I assigned it to a few computers which was successful and saw networking and VPN traffic speed up dramatically as well as all the bits listed above.

We are now changing the profile slowly across our clients. We are doing it this way so we still have a configured firewall version just in case.

Hi Robin…

I can confirm this works perfectly so far. The same procedure works for that pesky Containment. Although I really do not want to disable containment we have some clients where trusting applications simply does not work and I can't get them to work any other way than disabling containment.

Specifically… Farmplan. Gatekeeper. Articad. Easyquote… and anything with sentinel dongle.

So I now have three clones of my standard Windows profile… one with Firewall disabled… one with Containment disabled and one with both disabled… all report CCS running perfectly with no red warnings.

You don’t have to support Farmplan do you, nasty program. We have that working through containment with no issues, but a pain to get right first time.

Also have sentinel as well working with no issues.

Would be interesting to see how you're allowing them as something is not right.

We have quite a few clients with farmplan, fortunately only a couple of them on the Itarian platform and running ccs. But no… still don't have any of those programs working with ccs properly… It has been necessary to have Containment and Firewall tabs removed in all those endpoints. I will be visiting a client Monday to run the Unknown file utility to try and get farmplan working as this client owns a number of farms in the area and is expecting me to sort it or replace ccs.

I wonder if it is worth trying to get a remote session with you to get this working 100%

I know some apps and systems can be a pain but once you have the right paths and variables setup it should be a simple trust and done.

If you want to talk please feel free to message me direct on robin@strobe-it.co.uk

Had the dreaded firewall problem rear its head again today… fortunately on one of our own endpoints… running the latest EM(19060) with latest CCS(7495). A simple reboot on the machine resulted in no internet. Disabled the firewall driver in adapter settings and all sprung back to life. Enabled and rebooted… same again. No idea what triggered it but we have recently upgraded this endpoint to W10 1903. All our other endpoints are running the exact same setup with no issue so far.

We have decided the only option is to take Robin's suggestion of deleting the firewall tab as standard in all new endpoints via a new default profile. We already have this profile running on prob 20% of our clients endpoints successfully. I just hope that Comodo don't now do something crazy resulting in the removed tab causing some other problem. Hope you’re taking note Comodo.

Hi @Ed_Johnson ,

We have indeed raised your issue with engineering and we are awaiting their investigation on your report the soonest time possible. Please give us some time to get an answer to you on this. We will be in touch shortly.