How to set optimum settings in ZA Pro?

Stem has suggested I start this thread. So this is a 1st post.

One request I have, please don't use the thread as a ZA /Checkpoint bashing opportunity. Stem I'm sure doesn't have the time deal with all that stuff which achieves nothing on a technical knowledge level.

So please restrict posts to technical content questions and answers please!

See 3 attached posted images of the options screens. I have put the following questions to start the ball rolling.

(1) Main Firewall.

What setting should user set Internet zone security?​

What is custom used for and how to approach using it?​

(2) Zones

How to determine what IP's and sites to put into the Trusted Zone?​

How to determine what IP's and sites to put into the Internet zone? Zone?​

(3) Expert

Is it required to use/set expert rules for ZA Pro? Why?​

If so can you provide a proven tested default set?​

 

Hello,

You should start with defaults and slowly expand.
Trusted zone might include network computers, if there are any such.

1. Leave as is. Custom means tweaking certain options in between settings.

2. IP address, type ipconfig /all (Start > Run > cmd).
Here you can see your IP. If you wish to allow other computers on your network to have access, you can define as trusted, either by single IP ro a range.

3. Expert rules are just manual rules, mainly for applications that need server rights, like P2P, Skype and such.

Mrk

 

1) Main Firewall
-The Internet Zone should always be put to high. There is usually no reason to decrease the level
-The custom button for the Internet and trusted zone is used to make more technical adjustments to some of the firewall rules. For example you could allow ZA to allow ICMP pings through or not. In normal cases, ICMP pings are blocked in the internet zone(provided its on the default setting of high) while they are allowed in the trusted zone (provided its on the default setting of medium).

2)Zones
-If you are on a home or office network and share printers and files over the LAN connection, you should put the network in the trusted zone. If you don't have a network or don't share stuff, nothing should be there. The only exception is the loopback adapter(127.0.0.1) which should be placed in the trusted zone.
-If you are on a local area network, ZA will automatically detect it. A wizard may pop up (depending on your setting) asking you which zone you wished to put the network in. Even if the wizard does not pop out, you can adjust the zone in the zone list. Remember IPs that you know you can trust can go into the trusted zone. IPs from say public hotspots should remain in the internet zone.

3)Expert Rules
-Users are not required to set expert rules in ZA. Usually trusted programs are installed into one's computer and if you really trust them, there should be no reason for you doubt them and create specific boundaries for these programs apart from the program permission in the program list. Of course there are those worry warts who would still like to have fine control of their programs as if the "supposedly trusted" programs they install may turn rogue. Setting expert rule may also complicate troubleshooting when you are trying to determine which aspect of your rule and settings is not right.
-If user requires fine control such as which time a program is only allowed to access with the internet, what protocol is allowed, who the program is only allowed to communicate too, then a expert rule is used.
-My recommendation: Absolutely no reason to touch expert rules if the programs you install are those that you trust (which you should anyway before you installed it). If you need to give a program server rights or access only to a certain zone, they can be easily done through ZA"s program list.

 

Just to add for now,
You are basing "Expert rules" as you would with "PCtools firewall" where a set of rules are in place for the full system/all applications. Yes, this can be done in the "Expert settings" you show, and rules placed here will over-ride all others. But, there is also the possibility of adding rules per application, if you go into "Program control / programs" and right click an application -> options

 

Hi!
I don't know if you are aware of Hoov site, if not here you have. http://www.donhoover.net . There are some useful guidance on expert rules and other ZA related issues (e.g. trusted/internet).

And here you find some basic examples for expert rules:
http://zonealarm.donhoover.net/examples.html

Cheers,
Fax

 

It can of course be viewed from that personal stand point. We all have our own viewpoint. My suggested to "Escalader" to start this thread was mainly to learn. "Escalader" has shown interest in learning firewall rules/setup, so why not start with a firewall that is already know to them.
With ZA pro, rules per application can be made, all these rules can be logged, including (or just) a blocking rule, which can show any possible blocked connections/packets (which may be causing problems), as this can be done one application at a time, I dont see a major problem doing this.

 

Thanks Stem for pointing out this difference. I was going to stay in FW section of ZA first, then move to the application section next.

So then I ask this what does the ZA Pro user do in FW section and what in the Program setting section?

Let's leave expert settings to much later in both ZA sections since I would prefer only to use expert rules for exceptions that the all standard ZA options cannot handle. My PC can't be that unique so any learning here is of potential value to all FW users.

In my ideal world, I would never need to create any expert rules for any FW.
But since that is unrealistic, lets optimize ZA Pro first using it's standard options during setup and early use. Then at the end say, what's missing and fix those exceptions only with expert rules.

I'm going to wait a bit for more post contribution then I'll foolishly summarize what I think the answers are to my own questions for the experts here to either validate or correct. I'm not concerned with my own since this is a learning thread and I hope not just for me alone I'm only one member.

Fax, thanks for the link www.donhoover.net. Seem to remember that link. Can you make a post on these questions from your own experience?

 

While I encourage people to learn about expert rules, there is a reason why they are called "expert". From my experiences helping out in the ZL forums, alot of people using expert rules can't get them to work correctly because they usually don't fully understand the basis for expert rules and how it works. This usually results in a misconfiguration in their expert rules or program settings.

Remember that expert rules do not bring added security. Its just a way to give people more reign over their programs. As mentioned I just don't see the point in that unless you are incredibly paranoid.

Hoov's site is a great reference place. He is a guru on the ZL forum. He used to post there frequently but now the CastleCops ZA forum keeps him pretty busy.

 

Hi!
to be honest I personally leave SmartDefence ON and rely on automatic settings by ZA central database.

I beleive that there are basically three approaches to firewall settings:

1. Higher compatibility: Leave ZA decide best settings for applications. And set custom rules (not expert rules) for application that are unknow to ZA database (based on application needs).
2. Stricter control: Analyse you application list under program control and modify applications that have been given Server rights to the internet into '?' or 'X'. Enable Privacy control including mobile control and allow mobile code only for trusted site.
3. Security Conscious/Stressed (formerly called Paranoid ): Use experts rules to limit the ports that an application can use. Only hhtp for Web broswsers, pop/smtp/IMAP for mail clients, etc...

And for Trusted/Untrusted:

1. Higher compatibility: Set your LAN as trusted.
2. Stricter control: Set your LAN as Internet and add only your router and PCs IPs in your LAN (if they need to access to your system/printer/etc..) to the trusted zone.

To sum-up, my experience is that is much more important to restrict web resources (activex, javascript, etc..) then to close down the firewall...

Hope this helps
Fax

 

Hi:

The following block occurred this AM. The source IP address is my own PC on the router? How do I get this stopped or do I even want to? It logged it for some reason.

The ZA smart defense is on for all 69 programs configured for internet access. OS component control is still off.

_________________________________________________________________



ZoneAlarm Pro blocked an ICMP Destination Unreachable message

No breach in your security has occurred. Your computer is safe.
Inside the firewall alert


Alert property Alert property value Technical explanation
Source IP Address 192.168.1.1 The IP address of the computer that sent the packet which caused the alert.
Destination IP xxx.xxx.xxx.xxx The IP address of the computer to which the packet was sent.
Transport Layer Protocol ICMP The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Protocol Specific Type 3 - Destination unreachable Some protocols, such as ICMP and IGMP, have multiple "types" associated with the protocol. Each type number for a specific protocol has standardized meaning.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.
Alert Date Apr-24-2007 05:12:33 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count 1 Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.

ZoneAlarm Pro security enforcement at time of alert


Alert property Alert property value Technical explanation
Lock Level Lock Not Engaged Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level Medium This ZoneAlarm Pro setting enforces application privileges and Internet Lock settings, leaving your computer visible to other computers in the Trusted Zone. It does not block file or printer shares (NetBIOS) or operating system traffic to and from the Trusted Zone.
Trusted Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level High This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction Incoming The packet that caused the alert was sent from a computer located somewhere on the Internet or on your network. It was being sent to your computer.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system Windows XP-5.1.2600-Service Pack 2-SP Version of operating system running on your computer.
port0ina

©2003-2007 Check Point Software Technologies Ltd. All rights reserved.
All rights reserved. All other trademarks are the property of their respective owners.

Privacy Policy

 

Strange... Is still 192.168.1.0 (Family Lan) as TRUSTED under the firewall Zones? Is the Trusted Zone Security set to MEDIUM?
An did you change anything in there? Like "Block incoming ping" (ICMP)?

Fax
EDIT: and what was the destination IP? Always from your LAN? 192.168.XXX.XXX
EDIT2: Is your DNS and DHCP set by the router (i.e. DNS=DHCP=192.168.1.1)?

 

Is still 192.168.1.0 (Family Lan) as TRUSTED under the firewall Zones?

No, Family Lan is at Internet in FW zones. Internet Zone set at High!, see technical information provided down inside the ZA text provided in the more information service

Is the Trusted Zone Security set to MEDIUM?Yes, see technical information in post


An did you change anything in there? Like "Block incoming ping" (ICMP)?

Nope, changed zip, nada nothing! Not so strange perhaps. The way I read it ZA policy blocks these. Quote:"Packet Direction Incoming The packet that caused the alert was sent from a computer located somewhere on the Internet or on your network. It was being sent to your computer.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone"

EDIT: and what was the destination IP? Always from your LAN? 192.168.XXX.XXX
on that block it is always from 192.1.168.1.1 to 192.1.168.1.100
EDIT2: Is your DNS and DHCP set by the router (i.e. DNS=DHCP=192.168.1.1)?

Yes, set by router

 

OK, then its normal... If you put TRUSTED, it will not happen...
If you 'restrict' your LAN, your likely to get these warnings, from time to time.

Nothing to worry about.

Fax
P.S. There is no need of masking 192.68.whatever addresses, they are internal IPs. No one outside can do anything with that information

 

Then maybe there is a lack of info/support in this area. I believe that if a user wants to create rulesets, for whatever reason, then support sould be given, certainly on a dedicated forum, simply informing a user they are not needed, is to me, not support.

I would disagree. As for example, I want to ensure that any updates for my AV are only made from that vendors update sites, why not then set rules for this, with logging. You say such is paranoid, I do not, I call this control/accountability.
Ignorance is not bliss when it comes to security.

My trust in a program/application is gained over time, I have yet to trust any program 100% simply based on what the vendor or others say. We can see such from windows itself, and the problems/concerns of outbound connections made.

 

Stem and Fax:

Could you guys verify/recheck these 2 statements for me, in learning mode so I need to understand "why" it is okay to put a family lan as "trusted" just to avoid warnings. Isn't security is the goal not avoiding warnings?

On masking the 192.168.1.0 type addresses is it technically accurate that no firm or person could use that information for anything?

 

Hi!
It is not only to avoid warning but to avoid any mulfuction in your LAN (lost packet, sharing files/printers, connection problems). If security is your primary objective then leave your LAN as untrusted but you should not be suprised if you get alerts in your firewall, may be by simply surfing the net or watching a move in youtube, using your IM software, your webcam, P2P, etc....

If you put, your LAN as untrusted, is good norm to add your router IP as Trusted to avoid communication problems between your router and your system. And if you are sharing resources in your LAN you will need to add those IPs to your trusted zone.

192.168.1.0 is reserved address, internal only. I can't ping you, its like pinging 127.0.0.0 (my/your/any computer). In my case I can tell you that my address is 192.168.2.2 and my router address is 192.168.2.1. You may guess the brand of my router but nothing else because my real IP (the real address and not the translated one) is different. Actually even if I give you my real IP address you cannot do much. Its like you know my home address but you don't have the keys to enter into my house

It is perfectly safe (99% of the cases) to add your LAN as trusted granted that you trust the other elements in your LAN and that the other systems are equally protected as your system.

It is more important to: change the default password of the router, keep the router firmware updated and if you use wireless, to encrypt the connection using WPA/WPA2 with a strong random password (more than 30 characters).

Hope this helps.
Fax

 

Many will say to place your LAN as trusted, simply as this can cause less popups/warnings/ support issues. For me, adding a router is part of my layer of inbound protection, to me, if you simple place this as trusted, then that layer is removed.
I will say, that such as ICMP over an home LAN should be allowed, as without this, problems can/do arrise.
It really comes down to setup/need, example: if in an home LAN, and you use DHCP, then this needs to be taken into account, and yes, it is easier to say trust the DHCP server(router) than create rules. But is this for the better?

 

Hi Stem,
if I have understood well, you are not even recommending adding your router IP to the trusted zone... well, if this is the case... it will create some headache to Escaleder when confronted with errors and connection problems...

But I would be curious to see your approach.. such as manual allocation of IPs (turn-off DHCP), set windows PC to managed this...

Well, at least its a way to learn how to deal with networks
But to the benefit of Escalader you should then give him concrete directions, otherwise he will be lost.

EDIT: But most of all, will this increase his protection?
Yes, but not proportional to potential difficulties he will encounter with programs/connection missbehaving (including the same ZA)

Fax

 

Hello fax,

As mentioned, it depends on setup/needs, as with "Escalader", the PC is a fixed IP, so no DHCP needed, which is one of the main problems. ARP is allowed, then this again is not a problem.

My spare time is limited these days, but I will certainly use what I have to help anyone here on the forum.

 

Yep, OK... thanks for clarifying.
Fax

 

Thanks, guys your exchange was interesting.

Based on the concept that my router is part of a "layered defense" my words I see it it the same way a critical piece of the set up.

So for now, I will set the ZA FW to internet back from trusted.

Then as messages alters get logged I'll ask how to deal with those that can be accepted since the router and AlphaShield exist. My main concern is outgoing.

Bear with me on all this.

 

As long as you want/need, certainly from me.

Let us look at a certain point, DHCP
OK, this can be probmatic, as a need to connect to the DHCP servers (with reply allowed) is needed. Without such, internet connection will not be available. Now with such firewalls that have UDP SPI (state table) then only a need to allow the outbound bootdhcp(broadcast) is needed for this, the reply being allowed via the udp SPI(table). So, no actual allow inbound is required for this, so no need to "trust" the the DHCP server, as with most setups, svchost(XP) is allowed outbound due to this (and/or DNS,.. depending on setup) so the outbound is allowed. ZA does have UDP SPI(table), so there should be no problem.
I do still need to make checks on ZA during boot, I know ZA attempts outbound during boot, so I would presume DHCP as already taken place at that point, but will verify.



I do intend to give you direct answers to you original questions, but I am currently going with the digression, which is still on topic, but does need clarification (such as trusted zone/ use of)

 

We will give support if user certainly wishes to continue to use expert rules. However sometimes people create rules like allow Firefox to access all internet websites and that really does not differ from the basic program control. Same when people use expert rules to stop it from accessing IPs other than local IPs which could have been easily done again using ZA's program control. Obviously in these cases we tell people what they want can be easily satisfied just using ZA's program control.

Sure you can but accountability does not mean added security. I can hold my home security alarm accountable for protecting my home but if I am going to leave my doors and windows open, my home will still be robbed in a matter of seconds. The alarm will record that intruders were present(accountable) but security was never there to begin with. I could not install a home security alarm but if I lock my doors and shut my windows tight, my home is still safe (security).

I guess thats your way of trusting things. For me, its nothing on the computer unless the application is known to be a trusted program. So my trust in a program has to have its trust build up by other people (maybe people like you) before I even it even goes on my PC. You could be like Steve Gibson: no AV etc. but is still very safe since he locks his computer down.

 

Stem:

Thanks Stem. I know you are busy and I only hope others will benifit from the thread as well!

This is an outgoing block ZA made on my behalf. It seems to be a directed toward my own ISP.

Question: Do I need to alter any basic settings?


ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server

ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
Inside the firewall alert



Alert property Alert property value Technical explanation
Source IP Address xxx.xxx.xxx.xxx The IP address of the computer that sent the packet which caused the alert.
Source Port 1316 The port used by the source computer when sending the packet.
Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
Destination Port 53 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.
Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Program Version 5.1.2600.2180 The version of SVCHOST.EXE running on your computer.
Alert Date Apr-25-2007 03:57:48 PM PDT The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count 1 Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.



ZoneAlarm Pro security enforcement at time of alert



Alert property Alert property value Technical explanation
Lock Level Lock Not Engaged Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level Medium This ZoneAlarm Pro setting enforces application privileges and Internet Lock settings, leaving your computer visible to other computers in the Trusted Zone. It does not block file or printer shares (NetBIOS) or operating system traffic to and from the Trusted Zone.
Trusted Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level High This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer. It was being sent to a computer located somewhere on the Internet or on your network.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system Windows XP-5.1.2600-Service Pack 2-SP Version of operating system running on your computer.




ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server

ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
Details




This alert was caused by an attempt to contact a DNS server. Domain Name Service (DNS) is a service provided by your ISP which allows you and the applications on your machine to refer to locations on the Internet by easy-to-remember names instead of by numeric IP addresses.

For example, cnn.com has an IP address of 207.25.71.30. When your application wants to connect to cnn.com, it first connects to port 53 on a DNS server and asks the server what the IP address is for cnn.com. It then proceeds to connect to 207.25.71.30.

Attempting to contact a DNS server is usually nothing to worry about. It is not a hostile action. However, it does indicate that an application on your machine was trying to reach an address on the Internet, or possibly, on your Local Area Network.

The alert usually means that, when you started ZoneAlarm Pro, an Internet application was already running on your machine. What happened is that your application made its original Internet connection before ZoneAlarm Pro was up. The original connection was not registered. For this reason, ZoneAlarm Pro cannot determine whether the most recent communication the application tried to establish should be permitted. Therefore, because your security was set to High, ZoneAlarm Pro has blocked the communication and you received an alert.

In the following paragraphs, we provide a list of reasons why the application may have already been running on your machine before ZoneAlarm Pro started:

An Internet connection may have already been established on your machine when you installed ZoneAlarm Pro. This could have caused the alert if you did not reboot after installation.
You may have started ZoneAlarm Pro manually with an already live connection to the Internet.
Your system may be configured to launch an Internet application when Windows boots up. If that is the case, the application might be establishing an Internet connection before the TrueVector Service finishes loading. This problem should not occur if you did not change the default configuration which causes ZoneAlarm Pro to load at Windows startup. This is an extremely rare problem because ZoneAlarm Pro is designed to avoid this situation.
Another possibility is that a Trojan horse that has been installed on your machine is launching when Windows starts up, then immediately establishing an Internet connection. For your protection, ZoneAlarm Pro immediately blocks any communication a Trojan tries to establish. Leaving ZoneAlarm Pro configured to load at Windows startup is your best protection against Trojans trying to communicate with their masters on the Internet.
If one of your applications is not functioning properly because of the blocked communication referred to by this alert, and if you just installed ZoneAlarm Pro or started ZoneAlarm Pro manually, stop your application then restart it. This will probably solve the problem. Once you restart the application, ZoneAlarm Pro will be able to detect any attempt the application makes to connect to the Internet. In response, ZoneAlarm Pro will either prompt you for permission or enforce the permission settings you have already set on the Programs panel.

To prevent an Internet connection from happening before the TrueVector Service is launched, we strongly recommend that you retain the default setting which loads ZoneAlarm Pro on your machine at Windows startup. The sooner ZoneAlarm Pro can begin monitoring Internet traffic on your machine, the safer you are from unauthorized Internet access, and the greater the likelihood that ZoneAlarm Pro will recognize all of your applications and allow them the access you desire. If both ZoneAlarm Pro and another application are configured to load when Windows starts and you continue to receive this alert, you should explore the options for delaying your application's loading time, so that the TrueVector Service and ZoneAlarm Pro can finish loading first.

 

Comparison, why not. Even with doors/windows shut, alarms need to be in place. This is needed, nothing is 100% Windows/doors can be broken.
If a firewall, whichever, was 100%, I would install and tell all to use. Can you tell me of such a firewall, with honesty, from my checking, I still do not know one (any).

I cannot argue with you personal view, if you trust all the programs you install. But may I ask, how do you know/trust a program? Example: A new program online "whatever",.. how would you look at such? Do you install new programs?