5.2. Connection Alert (unknown traffic detection)

The Connection Alert dialog informs the user when Kerio Personal Firewall detects unknown traffic. In this dialog, the user/administrator decides whether the traffic will be permitted or denied and whether a corresponding rule is to be created.

Note: How Kerio Personal Firewall behaves when a network connection is detected is defined by parameters in the Network Security section (see chapters 7.2. Rules for Applications and 7.3. Network Security Predefined Rules). The Connection Alert dialog is opened if no corresponding rule is found or if the rule explicitly asks the user.

Warning: If the Kerio Personal Firewall configuration is password-protected (refer to chapter 6.3. Preferences), a connection can be allowed in a particular dialog; however, a rule cannot be created for the connection (unless the password is specified).

Figure 5.1. Connection alert (unknown traffic detection)

The Alert dialog provides the following information and options:

Traffic direction and zone

The colored stripe informs users of the traffic direction (incoming or outgoing) and the location to which the remote point belongs (trusted IP addresses or the Internet).

Figure 5.2. Connection alert — Traffic direction and zone

The color of the stripe and the first part of the text represent the direction of the connection:

  • Outgoing connection alert — outgoing connection (connection from a local to a remote point).

    Outgoing connections are represented by a green stripe.

  • Incoming connection alert — incoming connection (connection from a remote to a local point).

    Incoming connections are represented by a red stripe.

The location to which the IP address of the remote point belongs is displayed in parentheses:

  • Trusted area — group of trusted IP addresses (for details see chapter 7.4. Trusted Area)

  • Internet — any IP address which is not included in the Trusted area

Local application and Remote point

Basic information on a connection can be found below the colored stripe:

Figure 5.3. Connection alert — Local application and remote point

  • icon and description of the application on the local computer. If a description is not available, the name of the corresponding executable file is displayed. If an application has no icon, a default system icon for executables is used.

  • remote point DNS name and its IP address (in brackets).

    Note: DNS names are identified through DNS queries. If a corresponding DNS name is found, it substitutes the IP address. Translation of IP addresses to DNS names can be enabled/disabled globally, for example in the Overview / Connections context dialog (see chapter 15.1. Connections and Open Ports Overview).

  • remote point (in case of standard services, the name of the service is displayed in addition to the port number)

Place the mouse pointer over the application name (description) to view a tooltip showing the full path to the application's executable file.

Figure 5.4. Connection alert — Full path to the application

Actions

The following three actions can be taken within the dialog:

Figure 5.5. Connection alert — Actions

  • Use the Permit button to allow the connection.

  • Use the Deny button to block the traffic.

  • Check the Create a rule for this communication and don't ask me again option to create a rule for the particular communication. The system will remember the action taken for this connection and create a corresponding rule. Later, when an identical connection is detected, Kerio Personal Firewall will automatically take the action defined by this rule (Permit or Deny).

    Note: Created rules can be edited or removed using the Kerio Personal Firewall Administration dialog in the Applications tab of the Network Security section. For details refer to chapter 7.2. Rules for Applications.

  • Use the Details button to view detailed information on the connection and on a corresponding local application. Click on this button again to hide this information.

Click on the Details button to view the following information:

Detailed information on the connection and local application

The description box contains details about the connection (direction, protocol, local/remote endpoint address and port number) and about the communicating application (name of the executable file including the full file path, description of the application, date of file creation, date of last change and the date on which the file was last opened).

Figure 5.6. Connection alert — Detailed information on the connection and local application

Create an advanced rule

Figure 5.7. Connection alert — Create an advanced rule

Check the Create an advanced filter rule option to create an additional advanced rule (instead of a standard application rule; see chapter 7.2. Rules for Applications). An advanced rule can be used to set details such as parameters for communication (IP addresses, ports, etc.), a local application, time validity, etc.

Click on the Advanced filter rule... button to open a dialog for an advanced definition of a packet filter rule. In this dialog a selected rule can be easily customized. Advanced rules can be edited or removed anytime using the Packet Filter button in the Kerio Personal Firewall Administration dialog in the Applications tab of the Network Security section.

Detailed information on advanced traffic rules is provided in chapter 8. Advanced Packet Filter.

Note: The specific traffic in question is paused while the Connection Alert dialog is open (the data is queued by Kerio Personal Firewall in its memory buffer). If the user reacts too slowly, the application might consider this status a network error (server not available) after a certain period (typically a few seconds).
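
The rule lookup, alert and rule-creation behaviour described in this section, as a simplified model (an added example, not Kerio Personal Firewall's own code). Treating an "identical connection" as the same application, direction and zone is an assumption, and all names, the path, the password and the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FirewallModel:
    trusted_area: list                          # networks in the Trusted area
    rules: dict = field(default_factory=dict)   # (app, direction, zone) -> permit/deny/ask
    config_password: Optional[str] = None       # set when configuration is protected

    def zone(self, remote_ip):
        # Anything not in the Trusted area is classified as Internet.
        ip = ipaddress.ip_address(remote_ip)
        return "trusted" if any(ip in net for net in self.trusted_area) else "internet"

    def handle(self, app, direction, remote_ip, ask_user):
        """Return (action, alert_shown, rule_created) for one connection."""
        key = (app, direction, self.zone(remote_ip))
        action = self.rules.get(key, "ask")
        if action != "ask":                     # a rule decides; no dialog is shown
            return action, False, False
        # No rule found, or the rule asks explicitly: the alert is shown.
        answer = ask_user(key)
        created = False
        if answer.get("create_rule"):
            unlocked = (self.config_password is None
                        or answer.get("password") == self.config_password)
            if unlocked:                        # otherwise the decision is one-off
                self.rules[key] = answer["action"]
                created = True
        return answer["action"], True, created

def run_constructed_scenario():
    fw = FirewallModel([ipaddress.ip_network("192.168.1.0/24")],
                       config_password="example-password")
    app = r"C:\Program Files\Example\client.exe"    # constructed path
    no_pw = lambda key: {"action": "permit", "create_rule": True}
    with_pw = lambda key: {"action": "permit", "create_rule": True,
                           "password": "example-password"}
    def must_not_ask(key):
        raise AssertionError("alert shown although a rule exists")
    return [
        fw.handle(app, "outgoing", "203.0.113.10", no_pw),         # permitted once
        fw.handle(app, "outgoing", "203.0.113.10", with_pw),       # rule stored
        fw.handle(app, "outgoing", "203.0.113.10", must_not_ask),  # rule applies
        fw.handle(app, "outgoing", "192.168.1.20", no_pw),         # other zone: asks
    ]
```

Without the password the user is prompted again for every identical connection, so repeated alerts on a password-protected installation are expected behaviour rather than a sign that the rule failed to match.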