How to set optimum settings in ZA Pro?

Discussion in 'other firewalls' started by Escalader, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Hi Stem,

    I think you misunderstood 12fw (and correct me if I am wrong), but the question was: why the router is not trusted (NOT the Lan)? What would be the security risk of adding the router (ONLY the router) to the trusted zone?

    Or I am missing something in the explanation you gave to 12fw.

    EDIT: ooops I see that 12fw has already posted the same question.... sorry.

    Fax
     
  2. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Fax

    Not a problem since we are all very civilized users.

    Stem

I just set the router or more correctly the LAN to internet. I did the same for the DNS servers. These are now Internet and not Trusted. Then I rebooted. Other than some blocked inbound from the DNS, I cannot see where there are any problems. I should add that under the Advanced button of the Firewall, I do have the router listed under "this computer is a client of an ICS/NAT gateway using the ZAPro" and the router address is clearly seen in the little windows. Does this make any difference or reduce the security?

    12fw
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
Most packets on the LAN would be directed at windows services (svchost(XP)) which has server rights in the trusted zone, so that unsolicited inbound would be allowed.

    From the popup given by ZA when a network is found:- Trusted Zone: "Use only if you need to share files or printers with others on this network"
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    From my understanding of this, these settings are for ICS, and if the gateway is running ZA, then this option is checked.
     
  5. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Stem

    But the LAN is now Internet not trusted, so would not that count, since the only Trusted is the localhost? There is no other Trusted and anything from the LAN should be internet.

    I do not think it means the gateway is running the ZAPro, but the PC is a client using the ZAPro that has a gateway using the router IP. The router address is clearly seen and no other. Plus I have all ICS disabled.

    12fw
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    12fw,
    If we look at one of the options for this:-
    Forward alerts from gateway to this computer
    This to me would indicate the setup of comms between the gateway and the client. So for this to happen, then both the gateway and client would need to be running ZA?
     
  7. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
I also see the options "This computer is an ICS/NAT gateway" and "This computer is not on an ICS/NAT network". But if I use the second mentioned, does that not defeat the NAT from the router?

    The LAN and the router are defined as Internet and so are the DNS. There is no ICS enabled in the PC or any kind of remote assistance. The file and printer sharing is unchecked in the network properties.

    Stem quoted

    "From my understanding of this, these settings are for ICS, and if the gateway is running ZA, then this option is checked."

Why would the PC care if the gateway was using the ZA? I think my explanation is correct.

    12fw
     
  8. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Stem

    "Forward alerts from gateway to this computer"

Yes all nice and good, but that option is not chosen.

    12fw
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    When the option "This computer is a client of an ICS/NAT gateway running Zonealarm pro" is enabled, UDP packets are sent from local port 17986 to gateway IP port 17987. This looks like attempted comms specific to/from ZA. I would need to install ZA on gateway and client to confirm.

    edit,
    On checking, when this option is enabled ZA pro is listening for inbound UDP on local ports 17985/17987

    So from this, ZA pro would need to be on gateway/client for these comms to function correctly
     
    Last edited: Apr 30, 2007
  10. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    I tried to change the actual IP and subnet of the router/LAN to just the single IP, but it will not change. So the change to Internet still is applied. But I did add the actual router IP as Trusted and with no subnet or range. Just the router IP itself. Does this threaten security? Should this be removed?

I have the Internet Security slider set at High. Should the Trusted Security slider be set at High?

    The only thing in the logs is the dropped UDP from the DNS server.

    12fw
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    It's not possible for me to follow all this cross talk since interpretations vary.

    This AM on bootup ZA wouldn't let me logon to the internet until I set the Lan etc to trusted! See attached jpg

    Another thing was my log all events option was turned off! On bootup

    As you know, ZA auto updates are ALL turned off, so why did Updclient.exe which is ZA try to use my blocked no apple connects to connect out? Maybe someone will help you by checking this out. I'm not trying to restart the spy story again. So there must be a legit explanation. I don't care since it was blocked.

Stem what did your own tests while you were working show?

    As you know I'm only acting on your steps and ideas. I didn't want to go trusted but otherwise I wouldn't be able to post here:D

    I will now reset the Lan to internet and leave the actual ip's as trusted just to see what happens while waiting for you.

    PS Are we all having fun yet? think of it we are only on the second tab of FW settings!:D
     
  12. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Here is the latest news

I set the advanced to "This computer is not on an ICS/NAT network"

    I removed the router IP and just left the original ZA calculated router/LAN as Internet.

    I set both Internet and Trusted Security sliders at High.

    The Program Control slider is at High.

    The alert events are set at High.

    The whole thing is working fine and internet is very smooth and the only logs are the blocked UDP from the DNS.

    What am I doing wrong?

    12fw
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Not having the connection unless you have the LAN set to trusted is a weird problem...
Did you follow the suggestion from Stem? i.e. Removing that 255.255.... and set back "allow broadcast/multicast"...

    Are bitdefender and SS disabled? They may interfere in all of this... or at least doing some active monitoring and/or port activity.


    Fax
     
  14. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
I have set the advanced to "This computer is not on an ICS/NAT network". And have done many netstat -ano. I can not see any port monitored by the ZA fw. There is no green dot under the Active column for network activity by any ZA component. So I am assuming the ZA is now not monitoring any special ports of its own and just what is happening with the PC?

    12fw
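To make the netstat -ano check in the post above concrete (and the ports Stem listed in post 9), here is an added example that is not from the thread: a small Python script that parses `netstat -ano` output and flags UDP listeners on the ZA ICS/NAT ports 17985/17986/17987. The netstat sample is constructed and its PIDs are invented; the PID column is what lets you confirm which process actually holds the port.

```python
import re

# UDP ports named in the thread: 17986 is the client's source port for the
# outbound probe to the gateway, 17985/17987 are the local inbound listeners.
ZA_ICS_UDP_PORTS = {17985, 17986, 17987}

# One UDP row of Windows `netstat -ano`, e.g.
#   UDP    0.0.0.0:17985          *:*                                    1640
# Windows prints no State column for UDP, so only addr:port, *:* and PID appear.
UDP_ROW = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\*:\*\s+(\d+)\s*$")


def parse_udp_rows(netstat_text):
    """Return (local_address, local_port, pid) for every UDP row in the output."""
    rows = []
    for line in netstat_text.splitlines():
        m = UDP_ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def za_ics_listeners(netstat_text):
    """UDP rows bound to the ZA ICS/NAT ports; an empty list means nothing is
    listening there (the PID tells you whether ZA or something else holds a port)."""
    return [r for r in parse_udp_rows(netstat_text) if r[1] in ZA_ICS_UDP_PORTS]


# Constructed sample of what `netstat -ano` prints on XP; the PIDs are invented.
SAMPLE_OPTION_ON = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  UDP    0.0.0.0:17985          *:*                                    1640
  UDP    0.0.0.0:17987          *:*                                    1640
  UDP    192.168.1.10:137       *:*                                    4
"""

SAMPLE_OPTION_OFF = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  UDP    192.168.1.10:137       *:*                                    4
"""

if __name__ == "__main__":
    import subprocess, sys
    # On Windows run the real command; elsewhere fall back to the constructed sample.
    text = (subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
            if sys.platform == "win32" else SAMPLE_OPTION_ON)
    for addr, port, pid in za_ics_listeners(text):
        print(f"ZA ICS/NAT port open: UDP {addr}:{port} held by PID {pid}")
```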
     
  15. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Escalader

    I have no trouble getting internet and it is fast as before. I really have no idea why there are alerts and issues on your PC. Mine is super tight now and is just fine. Let's wait for Stem and his suggestions.

    12fw
     
  16. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Stem, Fax and Escalader

I have the "allow broadcast/multicast" checked in the ZA. Does that make any difference? Is this a security risk?

    12fw
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
I think the 2 rules (Allow outgoing DNS / Allow outgoing DHCP) are for use on an ICS gateway (to allow server for DNS/DHCP to the clients). I will need to change my setup to confirm.
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
If you were connected directly to the internet, possibly, as from enabling this, broadcasts by netbios etc are allowed. With this option disabled, it certainly does not block the inbound DHCP broadcasts.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The only way I have been able to cause bootup problems (for DHCP) is to block ARP. Was your router already booted/on before you booted the PC?

    Even if I block the replies for DHCP when the PC with ZA boots, when I then start the DHCP server, the broadcast by the server is allowed through by ZA, and the IP resolved.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
It is not reasonable to disable BD and or SS during this work. Stem has made no such suggestion.
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Right, that is exactly what I will do. Thanks, yours is a voice of reason:D
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    What now, I have no next step for me to do for you to narrow this down?
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Sorry 12fw, I have no idea yet on this. Best to remain silent unless you do know is my policy. Wait for Stem and we can learn together!
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
Okay, maybe I asked the wrong question in attempting to solve this with you?

    If it's a bad idea just say so Stem!
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
Well, per book (ZA manual) it only allows DHCP broadcast and not NETBIOS (for sure not for the internet zone).
I guess that if your system needs to renew the IP it may have trouble in getting one due to the broadcast being blocked (from system to router)

    Fax
     
    Last edited: Apr 30, 2007