November 2, 2005
September 21, 2006
Whenever a program is newly installed (or upgraded), new firewall
rules must be created, in order for that program to be allowed to access
the Internet. Explicit instructions are given here for
Kerio Personal Firewall 2.1.5 (KPF). Intended for
trained admins only.
PROCEDURE: Create New Firewall Rules
- Switch to "prompting" mode:
  - At the system tray (bottom right of screen), right-click on the blue shield.
  - Select Administration.
  - Enter the password as prompted.
  - Drag the slider to the middle setting: Ask Me First
  - Click Apply. (do not click OK, leave the KPF panel open as a
- Create new rule(s):
  - Perform the process in your program which will trigger
  - Confirm the source and nature of the prompts are as
  - Check the box: Create appropriate filter rules and don't ask me again
  - Click Permit.
  - Repeat this process as necessary, until all parts of the program are working. You might need to restart the program each
- Return to "normal" mode:
  - From the previously opened Kerio Personal Firewall panel:
  - Drag the slider to the top setting:
  - Click OK. (confirm blue shield in system tray)
NOTICE: Make sure you have proper authorization to perform this procedure. Unauthorized tampering with security settings (even only momentarily) is a serious violation of the IT policies of your firm!
If you're the DIFA, you already received the proper training and
briefing on this and have standing authority. Individual staff members
might be granted specific conditional authority on a per-incident
basis by IT personnel, just before they're instructed to contact
software vendors directly.
The procedure listed above is a simplified version. For maximum
security, rules must be customized.
Exceptions: If any of the following conditions apply, it is unacceptable to disable the host-based firewall (Kerio) under any circumstances (even
- You're in a small office with no firewall/gateway router, and your station is directly connected to the Internet.
- Your system currently has a known/suspected infection or
- Your system has been declared "conditionally safe to use," pending further investigation and thorough clean-up. Often, during incident response, a "scoop and scoot" first-aid is performed on the station during business rush hours. The system is mostly stabilized, with major attacks averted and contained, but not completely eradicated. Any momentary disabling of a safeguard could have serious consequences.
- The host in question is a server, or a designated mission-critical key workstation; in which case testing/installation must be administered by IT. An explicit waiver may be granted by IT to a specific staff member, or by management in an emergency.