Network Access Control

Expand all | Collapse all

Firewall does not filter 192.162.*

  • 1.  Firewall does not filter 192.162.*

    Posted 04-05-2016 10:41 PM

    Hello,

        I've set the firewall to filter unwanted remote desktop access attempts by filtering EventID = 1149 from "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" event log.

        These few days, despite I've added filter range for 192.162.0.0-192.162.255.255 in "Configure firewall rules", it seems the attacker can still access the "supposed to be blocked" port. The rule seems to be able to block access from all other port ranges. Please help me to figure out whether the setting is wrong or else.

    SEP version: 12.1.6168.6000

    OS Version: Win7 x64

    Related log entry:

    Remote Desktop Services: User authentication succeeded:

    User: support_388945a0
    Domain:
    Source Network Address: 192.162.63.214

    Firewall rule (I've set it to be the first rule in filter set):

    1.0.0.0-5.255.255.255,13.0.0.0-14.255.255.255,23.0.0.0-27.255.255.255,31.0.0.0-31.255.255.255,36.0.0.0-50.255.255.255,58.0.0.0-89.255.255.255,91.0.0.0-98.255.255.255,101.0.0.0-125.255.255.255,133.208.22.170,139.196.0.0-139.196.255.255,146.0.0.0-148.255.255.255,151.252.217.30,153.156.44.214,155.94.0.0-155.94.255.255,158.69.33.6,162.0.0.0-168.255.255.255,171.0.0.0-176.255.255.255,177.0.0.0-191.255.255.255,192.162.0.0-192.162.255.255,193.0.0.0-198.255.255.255,200.0.0.0-223.255.255.255,229.249.129.31

     

    Regards,

    Lau Lei Cheong



  • 2.  RE: Firewall does not filter 192.162.*

    Posted 04-06-2016 07:55 AM

    Can you post a screenshot(s) of the rule?



  • 3.  RE: Firewall does not filter 192.162.*

    Posted 04-07-2016 09:45 PM

    Here's the screenshots.

    Btw, I should mention that I only move the rule to the first before I leave work at night in order to make sure it's not the ordering of rule preventing it to work. The "Block suspicious connection" rule contains IP ranges that covers multiple places that I use and also prevents me from connection from home using remote desktop, so I need the first two "Allow" rules to enable me doing that.

    Attachment(s)

    7z
    Firewall.7z   255K 1 version