CCS Firewall, who uses it? And what is your experience?

We have a wide variety of customers using CCS/AEP; and all of them are happy with it except when it comes to the firewall section…

I know this post is subjective and a touchy subject, but we would like to get some honest feedback on: -

  • Do you use the firewall?
  • Do you have issues with the firewall?
  • What would you like from the firewall?
  • Would you like the firewall replaced with "Windows Application Firewall" & "IPTables" Management instead?

here are our answers: -

Do you use the firewall?
We do on about 30% of the clients, but this is reducing all the time due to constant issues.

Do you have issues with the firewall?
Yes, lots of issues; here are a few…

  • Cannot create simple easy rules as control panel profile settings too complicated.
  • Basic functions like Peer-to-Peer printer and file sharing does not work.
  • When firewall is working; you often cannot get DOS/CLI or other applications to be allowed to access network (other components accept allow rules)
  • Network card driver updates can kill the firewall requiring a reboot or re-install of CCS

What would you like from the firewall?
A firewall that gives you a simple and complete configuration setup like a firewall should.
So for instance you create an inbound for a pre-defined service like FTP or a port like TCP 21.
Obviously you need to be able to create services, so for instance 3CX telephone server requires port TCP 5001 for management and many others for calls. You could create a 3CX service which has many requirements on TCP, UDP and ICMP etc.

Rules should allow you to specify local network (trusted as in Windows configured as Home or Home, not public) allowing rules to be applied across many different businesses with ease.

Would you like the firewall replaced with “Windows Application Firewall” & “IPTables” Management instead?
Being honest, yes!
I say this has Linux Community and Microsoft know their networking stacks better than antivirus companies.
Having your AV company manage and deploy rules into these firewalls would be an excellent move as you know your not going to get any conflicts taking down your business networks.

At the end of the day; I do not mind Comodo firewall if it worked 100% as it was configured and actually had the ability to be configured well/correctly.

Just disabled the firewall via the profile on all our clients until the problem with CCS 11.2 is sorted (obv not ideal)… This issue has made me consider if the firewall is worth reenabling due to concern of apparent recurring issues with it.

Would this effect a Mac client who isnt running CCS somehow?

@Velvis ,

This will not. Our Development Team confirmed that this issue only affects Windows Endpoints.

This pretty much echo’s the responses above but here is some feedback

  • Do you use the firewall?
    • No even in testing there were too many problems (either stability or performance)
  • Do you have issues with the firewall?
    • Anytime I have used it (one Windows 10, 7, Server 2008/2016) the biggest issue was a huge hit to performance. Honestly CCS by itself really hurts performance especially endpoints with HDD vs SDD. Often, any slight change to the NIC (and even firewall settings themselvs) would cause it to hang up/freeze the NIC. Uninstalling is also hit and miss. I always have to use the removal tool.
  • What would you like from the firewall?
    • I don't believe the firewall is a good feature of CCS just as their has been to much history of issues. Configuration intuitiveness isn't great, though I've seen worse. Even if these issues are fixed, it will take a long time to rebuild trust in it staying that way. I think development should be shifted to just the application layer security as this is were Comodo shines (aside from performance, which could be improved). I prefer to use the windows firewall as it is sufficient when combined with CCS w/firewall off. I don't think this issue is limited to Comodo though, I don't have a lot of success with application firewalls regardless of vendor. Some better than others. I think this is a case of Windows own built-in option being the most stable and effective enough, at least in my usage scenerio's.
  • Would you like the firewall replaced with "Windows Application Firewall" & "IPTables" Management instead?
    • This I believe to be a great idea. Honestly I can't think of another RMM product that does this, at least without scripts or some convoluted process. Would be a fantastic addition to remote tools and profiles. +1

Comodo are rolling back to last months version (v11.1) which still had issues when we used it, but according to release notes it is fixed.

Who will be risking their business going offline to test?

I cant believe this… they are rolling back AGAIN?? I already have 20% of my endpoints with the firewall disabled… may as well just push that profile out to all endpoints.

Why dont they just release a newer version of CCS with 11.1 as the core. Would be far simpler than having to remove ccs from endpoints and then having to reinstall an older version.

For anyone interested… we have an identical profile to our default one, but with the firewall disabled and the ccs taskbar icon hidden so as not to panic our clients with the big red X… This is prob the best option as the windows security dashboard will report the security as all well and the windows firewall as active. Less chance of a client panicing over warning from ccs that it needs fixing… Of course if they manually open the ccs client it will still say it needs fixing. But much less chance this way of upsetting the clients.

@StrobeTech , @Ed_Johnson , @Velvis @eztech ,

Hi Everyone,

Our Development Team would like to confirm that the issue will be resolved this Saturday’s release. We welcome any discussions further with the New CCS release. Please note that the CCS will not be reverted nor rolled back to an older version. As stated previously on June release notes APPENDIX-1 . Only the firewall will be reverted back to 11.1 as explained under Connectivity Issues Regarding CCS v11.2 section. We hope clarifies your queries.

Yes, it is only the firewall module…
But we have had issues on and off with the firewall since V10.

I’m hopefully going to test having no firewall tab in my profile again as discussed with Dev to see if this successfully removes the firewall and warnings.

If this does I’ll let everyone know as I know we will be then looking to do this by default until a new firewall system is introduced.

Interested in seeing if this removes the warnings from CCS.

Coastal Network Solutions

We have rolled this policy to a handful of devices and so far this has successfully done what is needed which never used to happen.

The experience we have seen so far is: -

  • Tray icon is Comodo C not an X
  • Opening application shows green box saying protected
  • Expanding application state does not list firewall to turn on or off
  • Endpoint Manager shows the device with a white box for FW as in not installed instead of grey for disabled
  • Endpoint Manager shield shows as green for protected instead of red or yellow

Due to this disabled option now doing what it is designed to, we have started rolling this as our default policy.

Hopefully this information helps.

Hi Robin… can you elaborate a little… what did you changed in the profile policy to achieve this?? Which version of EM and CCS?

Hi @Ed_Johnson

I cloned my profile so I could test it on some machines.

I then edited the profile and done the following :-

  1. Select firewall tab from profile
  2. Click on delete button

Once I did that I assigned it to a few computers which was successful and saw networking and VPN traffic speed up dramatically as well as all the bits listed above.

We are now changing the profile slowly across our clients. We are doing it this way so we still have a configured firewall version just in case.

Hi Robin…

I can confirm this works perfectly so far. The same procedure works for that pesky Containment. Although I really do not want to disable containment we have some clients where trusting applications simply does not work and I cant get them to work any other way than disabling containment.

Specifically… Farmplan. Gatekeeper. Articad. Easyquote… and anything with sentinal dongle.

So I now have three clones of my standard Windows profile… one with Firewall disabled… one with Containment disabled and one with both disabled… all report CCS running perfectly with no red warnings.

You don’t have to support farmplam do you, nasty program. We have that working through containment with no issues, but a pain to get right frost time.

Also have sentinal as well working with no issues.

Would be interestibg to see how your allowing them as something not right.

We have quite a few clients with farmplan, fortunatelly only a couple of them on the Itarian platform and running ccs. But no… still dont have any of those programs working with ccs properly… It has been necesary to have Containment and Firewall tabs removed in all those endpoints. I will be visiting a client Monday to run the Unknown file utility to try and get farmplan working as this client owns a number of farms in the area and is expecting me to sort it or replace ccs.

I wonder if it is worth trying to get a remote session with you to get this working 100%

I know some apps and systems can be a pain but once you have the right paths and variables setup it should be a simple trust and done.

If you want to talk please feel free to message me direct on

Had the dreaded firewall problem rear its head again today… fortunately on one of our own endpoints… running the latest EM(19060) with latest CCS(7495). A simple reboot on the machine resulted in no internet. Disabled the firewall driver in adapter settings and all sprung back to life. enabled and rebooted… same again. No idea what triggered it but we have recently upgraded this endpoint to W10 1903. All our other endpoints are running the exact same setup with no issue so far.

We have decided the only option is to take Robins suggestion of deleting the firewall tab as standard in all new endpoints via a new default profile. We already have this profile running on prob 20% of our clients endpoints successfully. I just hope that Comodo dont now do something crazy resulting in the removed tab causing some other problem. Hope you’re taking note Comodo.

Hi @Ed_Johnson ,

We have indeed raised your issue with engineering and we are awaiting their investigation on your report the soones time possible. Please give us some time to an answer to you on this. We will be in touch shortly.