Am I misunderstanding KES Firewall and Policy Profiles?

[HallFS]

Hi Kaspersky Community!

I work for a Kaspersky reseller and I’ve prepared a lab environment for future demonstrations of the Kaspersky Endpoint Security capabilities and features for our customers. Actually I started dealing with Kaspersky Endpoint Security recently and I’m liking it a lot.

What I was trying to do was simplify the application of polices that need minor changes from one machine to another and for that I thought using policy profiles would be a good choice.

For instance, in my environment I deployed some machines with Windows 10 and installed the KES 11.6. (I’m also using KSC 13). I created rules to automatically tag those machines based on their IP addresses. Worked perfectly. I also created a policy profile that have to be applied for any machine with determined tag (no problems with that too).

On the main policy of the KES, I’ve defined that it has to block any incoming traffic to Remote Desktop Services (3389) and I created a police profile that allows traffic to this port depending on the remote IP address. Unfortunately it doesn’t worked as expected. It’s simply ignoring completely the policy profile and applying the packet filtering table of the main police, even with the device being marked as having the police profile applied on it.

My intention with that is to be able to demonstrate to the customer that he doesn’t need to create multiple groups and multiple polices and that he can just can tag automatically his machines and apply different policy profiles accordingly with those tags.

A strange behavior that I also have been experiencing is that when I allow traffic on the port 3389 only for a specific IP address (192.168.1.160 in the evidence) on the main policy it allows traffic incoming from any IP address.

I’m working with those rule lists the same way I work with as usual firewall. On the first rule I allow all outgoing traffic, on the middle I define the allowed incoming traffic and in the last rule I block all incoming traffic that doesn’t match the previous rules. Is the order of the rules relevant for the Kaspersky firewall or it behaves like a Windows Firewall that doesn’t care about the order. Am I doing this correctly or Am I misinterpreting the way KES firewall works?

I’m also sending some captures of what I’ve experienced in my environment and my current configuration and I hope someone that have faced similar challenge can give me some glance of what is going on here. 

Thanks you for your time and attention! I’ll really appreciate it.

[aehrlich]

Kaspersky firewall logic has always been not too easy to understand.

Overall, you are right -- the order of the rules matters, they are applied top-down. But there are different kinds of rules that “interfere”, for example, “trusted network” rules, and making networks trusted (or untrusted) could be magic, even in KSC-backed setups (not to talk about standalone KES).

So please do review both.

Some mysterious issues have also occurred historically with the Kaspersky firewall (like some kind of traffic just stopped after either Kaspersky or Microsoft or both updates, or like non-manageable time-to-live of tcp sessions in the internal sessions table resulting into Oracle connections being dropped, for example).