Sunbelt Kerio Personal Firewall User Guide

Use of this software is subject to the End User License Agreement found in this User Guide (the License
Agreement). By installing the software, you agree to accept the terms of the License Agreement. Copyright (c)
2006 Sunbelt Software. All rights reserved. All products mentioned are trademarks or registered trademarks of
their respective companies. Information in this document is subject to change without notice. No part of this
publication may be reproduced, photocopied, stored in a retrieval system, transmitted, or translated into any
language without the prior written permission of Sunbelt Software, Inc.
Sunbelt Kerio Personal Firewall User Guide
Contents
Introduction .......................................................................................... 1-1

Before You Start .............................................................................................................1-2
Overview .........................................................................................................................1-2
Components ...................................................................................................................1-2
Functions and Features ..................................................................................................1-4
System Requirements ....................................................................................................1-4
Conflicting Software ........................................................................................................1-5
Styles and References ...................................................................................................1-5
Installation ............................................................................................ 2-1
Before You Install ...........................................................................................................2-2
Installation ......................................................................................................................2-2
Initial Settings .................................................................................................................2-8
Upgrading to a New Version ...........................................................................................2-8
Uninstalling the Personal Firewall ...................................................................................2-9
Updating the current version ........................................................................................2-11
Purchasing and Product Registration ................................................ 3-1
Free Version vs. Full Version .........................................................................................3-2
Purchasing Sunbelt Kerio Personal Firewall ...................................................................3-2
Product Registration .......................................................................................................3-6
Firewall Components and Basic Control Features ........................... 4-1
Components ...................................................................................................................4-2
System Tray Icons ..........................................................................................................4-3
Firewall Behavior and Interaction with Users .................................... 5-1
Firewall Behavior ............................................................................................................5-2
Connection Alert .............................................................................................................5-3
Application Alert ..............................................................................................................5-6
Host Intrusion Alerts .......................................................................................................5-8
Alerts For Connections with Rules ................................................................................5-10
Basic Firewall Configuration ............................................................... 6-1
The Interface ..................................................................................................................6-2
Working with Network Connections ................................................................................6-5
Working with Statistics ....................................................................................................6-7
Setting Firewall Preferences ...........................................................................................6-9
Network Security .................................................................................. 7-1
What is Network Security? .............................................................................................7-2
Rules ..............................................................................................................................7-2
How are Rules Applied? .................................................................................................7-2
Application Rules ............................................................................................................7-3
Packet Filter Rules .........................................................................................................7-7
Predefined Rules ..........................................................................................................7-20
Trusted Area .................................................................................................................7-22
Advanced settings ........................................................................................................7-23
Boot time protection ......................................................................................................7-24
Detecting New Network Interfaces ...............................................................................7-25
Checking Dialed Telephone Numbers ..........................................................................7-26
Internal Firewall Rules ......................................................................... 8-1
Internal Network Traffic Rules ........................................................................................8-2
System Security Rules ...................................................................................................8-4
i
AVG Component Rules ..................................................................................................8-6

Intrusion Detection ............................................................................... 9-1
Intrusions ........................................................................................................................9-2
Network Intrusion Prevention System (NIPS) .................................................................9-3
Host Intrusion and Prevention System (HIPS) ................................................................9-5
Application Behavior Blocking ........................................................................................9-9
Web Content Filtering ........................................................................ 10-1
Ad Blocking, Privacy and Site Exception Parameters ..................................................10-2
Site Exceptions .............................................................................................................10-5
Logs & Alerts ...................................................................................... 11-1
Viewing Logs and Alerts ...............................................................................................11-2
Context Menu ...............................................................................................................11-3
Log Options ..................................................................................................................11-4
Network Log .................................................................................................................11-5
NIPS Log ......................................................................................................................11-6
HIPS Log ......................................................................................................................11-7
Behavior Log ................................................................................................................11-8
Web Log .......................................................................................................................11-9
Debug, Error, Warning Logs .......................................................................................11-10
Open-source libraries ........................................................................ 12-1
Glossary .............................................................................................. 13-1
ii
Introduction
Welcome to the Sunbelt Kerio Personal Firewall User Guide. This guide provides in-depth
information and procedures that will not only help you to better understand Sunbelt Kerio Personal
Firewall, but also walk you through the steps needed to protect your computer or computer
network.
Section Page
Overview 1-2
Components 1-2
Functions and Features 1-4
System Requirements 1-4
Conflicting Software 1-5
Styles and References 1-5
1-1
Before You Anyone, from novices to more advanced computer users, can use Sunbelt Kerio Personal Firewall
(SKPF). Novice computer users who do not have in-depth computer or networking knowledge,
Start should install SKPF in Simple mode. Advanced computer users can inistall SKPF in Advanced
mode. To learn more about Simple vs. Advanced mode, set Initial Settings, page 2-8.
Overview The Sunbelt Kerio Personal Firewall controls how computers share information through the
Internet or a local network. It also protects computers from attacks from other computers. The
Personal Firewall is especially useful for laptop computers since they are easier to compromise
because of built-in wireless access.
What is a Firewall?
Basically, a firewall is a program that protects one computer from other computers. It examines
information that tries to enter a computer from the outside (i.e. the internet), and determines if the
information is safe or harmful.
Our Solution
Potential intruders use various techniques to determine if a computer is vulnerable to attacks.
These techniques vary from a simply scanning the computer to far more sophisticated methods
such as hacking. Sunbelt Kerio Personal Firewall uses a built-in intrusion prevention system that
identifies and blocks both known and unknown attacks so you can breathe easy while surfing the
web. It really is an essential element of Internet security.
Glossary
This guide uses many technical terms. If specific terms or concepts are not clear, refer the
glossary on page 13-1, for more detailed explanations.
Online Help
In addition to the user guide, we provide extensive online help from within the Sunbelt Kerio
Personal Firewall application. Simply press F1 or the Help button at the bottom of any window
inside the configuration window to open the online help.
Components Sunbelt Kerio Personal Firewall uses several components to protect your computer.
Network Security
Network Security controls all network communication. Network Security allows you to apply two
types of rules:
• Application – permit or deny network application communication.
• Packet filter – permit or deny parts of messages.
The Personal Firewall includes set of predefined network security rules (i.e. for DNS, DHCP, etc.).
These rules are separate from user-defined rules and can be enabled or disabled at any time.
Whenever the Personal Firewall detects traffic that does not match the criteria for a rule, a dialog
box opens asking the user to permit or deny the communication. An application or packet filter rule
can also be created at that time.
Behavior Blocking
The Behavior Blocking module controls applications that are running. It controls the following types
of events:
• Running applications
• Replacing an application executable file
• Applications being run by other applications
1-2
In case of network traffic, you can define rules for individual applications. These rules permit or
deny certain types of communications. Again, if a communication or event does not match the
criteria for a rule, a dialog box opens and asks the user to permit or deny the communication.
Note: Sunbelt Kerio Personal Firewall 4 controls all running applications,

regardless of whether they participate in network communication or not. When a
computer is infected, the firewall is more reliable than antivirus software. This is
especially true if the virus is new and is not included in a particular virus database.
Sunbelt Kerio Personal Firewall detects the attempt to replace the executable file
and warns user.
Network Intrusion Detection and Prevention (NIPS)

The Network Intrusion detection and Prevention System (NIPS) can identify, block and log known
intrusion types. Sunbelt Kerio Personal Firewall uses a database of known intrusions that is
updated regularly (The updated database is included with new versions of the firewall).
Host intrusion detection and prevention (HIPS)
The Host Intrusion and Prevention System (HIPS) detects attempts to misuse applications that are
running and attempt to execute malicious code.
Web content filtering
Web content filtering enables the following features:
• blocks ads (according to URI/URL rules), scripts and other Web items
• blocks pop-up windows
• blocks scripts (JavaScript, VBScript)
• protects user computers from undesirable cookies and stops private information from being
accessed through Web application forms.
You can define more specific settings for trusted servers and for cases when filtering might cause
errors.
Boot time protection
Boot time protection protects computers even when the firewall is not running (i.e. during a system
reboot or when installing of a new version of the firewall).
1-3
Functions Sunbelt Kerio Personal Firewall provides the following functions and features:
and Features Stop all traffic – stops all traffic on the computer. This function can be helpful especially when
undesirable or strange network activity is detected. Traffic can be restored after the appropriate
security actions are taken.
Logging – Each firewall module creates an independent log that is stored in a text file. Logs can
be viewed in a configuration dialog. Logs can also be stored on a Syslog server.
Connections overview and statistics – The overview provides information about established
connections and ports opened by individual applications. Information on the current speed and
size of transmitted data in both directions is also provided for active connections. The overview is
automatically refreshed in predefined time intervals. Statistics show users the number of objects
blocked by the Web content filter and the number of detected intrusions during specific time
periods.
Automatic update – Regular checks are made for newer versions of the firewall. Whenever a new
version is detected, users have the option of downloading and installing it. It is also possible to
check for new versions manually.
Warning: Sunbelt Kerio Personal Firewall 4 cannot be used on Windows NT

Server, Windows 2000 Server and Windows Server 2003.
System The following hardware and software is required to install Sunbelt Kerio Personal Firewall:
Requirements • Windows 2000 Professional, XP Home, XP Professional, and XP Media Center Edition
operating systems
• CPU Intel Pentium or 100% compatible
• 64 MB RAM
• 10 MB of free disc space
• minimal screen resolution 800x600 pixels
Note: Sunbelt Kerio Personal Firewall 4 does not run on Windows NT, Windows
2000 Server, Windows 2003 Server , 95, 98, ME, and 64 bit Versions of Windows.
1-4
Conflicting Sunbelt Kerio Personal Firewall might conflict with applications that are based on identical or
similar technologies. Sunbelt Software does not guarantee the Sunbelt Kerio Personal Firewall or
Software your operating system will function correctly if the following types software applications are
installed on the same operating system:
• Personal firewalls – Personal firewalls (i.e. Internet Connection Firewall — a Windows XP
component, Zone Alarm, Sygate Personal Firewall, Norton Personal Firewall, etc.) provide
similar functions to Sunbelt Kerio Personal Firewall.
• Network firewalls – Network firewalls (i.e. Kerio WinRoute Firewall, Kerio WinRoute Pro,
Kerio WinRoute Lite, Microsoft ISA Server, CheckPoint Firewall-1, WinProxy by Ositis, Sygate
Office Network, Sygate Home Network, etc.) also protect computers. It is not necessary to use
a personal firewall on a computer protected by a network firewall.
Note: Sunbelt Kerio Personal Firewall can be combined with a router or a

proxy server to create an basic network firewall. For more information on
routers and proxy servers, go to the Glossary on page 13-1.
As general rule, do not combine Sunbelt Kerio Personal Firewall with other firewalls.
Styles and This guide uses the following styles and graphical references:
References
Style / Graphic Used to:
ALL CAPS indicate a keyboard button (Press ENTER).
BOLD indicate a specific field, prompt, dialog, or Window (Type an IP address in the
Address field).
BOLD ITALIC indicate the action of clicking action buttons, Keys, links, menu bar items and
menu selections (OK, Close, etc.).
Italic emphasize program titles, window and web page names, key words, and “see”
references. (Open the Administrator Resource web page).
Word>Strings indicate a series of menu selections (Click View on the main menu bar; then,
select Policy>Default).
caution users about a specific action.
warn users of the consequences related to specific actions or about specific

information they need to know before moving forward.
alert users to a notation or tip relevant to the current topic.
1-5
Installation
Now that Sunbelt Kerio Personal Firewall has been properly introduced, it is time to install it. This
chapter covers the following topics:.
Section Page
Before You Install 2-2
Installation 2-2
Initial Settings 2-8
Upgrading to a New Version 2-8
Uninstalling the Personal Firewall 2-9
Updating the Current Version 2-11
2-1
Before You We have a few suggestions on how you can prepare your computer before installing the personal
firewall:
Install
• Uninstall other firewall programs and restart the computer. Removing other personal firewall
programs is required before using Sunbelt Kerio Personal Firewall. To uninstall other firewall
programs, see the user documentation for those programs.
• Close all other Windows programs, including programs displayed in the Windows system tray.
Note: If you have an older version of the personal firewall, remove it before
installing the new version.
Installation Sunbelt Kerio Personal Firewall comes with a quick and easy-to-use InstallShield Wizard.
To install Sunbelt Kerio Personal Firewall
1 Make a selection:
If... ...then...
Sunbelt Kerio Personal Firewall is being insert the CD in the disk drive. The
installed from a CD, installation should start automatically. If not,
open Windows Explorer, navigate to the
CD drive; then, double-click the setup.exe
icon.
Sunbelt Kerio Personal Firewall is being double-click the icon to open the wizard.
installed from a download, open
Windows Explorer, navigate to location
where the setup.exe is saved,
Figure 2-1 Installation Wizard: Welcome
2-2
2 Click Next. The What’s New window opens. Scroll through the list to read about the changes
between the last versions and the current one.
Figure 2-2 Installation Wizard: What’s New
3 Click Next. The License Agreement window opens.
Figure 2-3 Installation Wizard: License Agreement
2-3
4 Make a selection:
To... ...select...
accept the license agreement, I accept the terms in the license

agreement; then, click Next. The
Destination Folder window opens. Go to
step 5.
decline the license agreement, I do not accept the terms in the license
agreement; then, click Cancel. The wizard
closes.
Figure 2-4 Installation Wizard: Installation Folder
5 Make a selection:
To... ...click...
accept the default folder (recommended), Next. The Initial firewall setting window
opens.
select a new folder in which to install the Change. The Change Folder window
personal firewall, opens. Select a new folder, click OK; then,
click Next. The Initial firewall setting
window opens.
Note: We recommend that you keep the
default selection.
2-4
Figure 2-5 Installation Wizard: Initial Firewall Settings
6 Make a selection regarding the initial settings for the firewall:
To... ...select...
set the initial firewall settings to a basic Simple. Apply this setting if you have basic
mode where you are not required to computer skills and/or are not familiar with
supply detailed technical information, technical concepts relating to networks and
applications. See page 2-8 for more
information.
set the initial firewall settings to advanced Advanced. This setting is for more
mode, advanced computer users who are familiar
concepts like network traffic and blocking/
allowing applications. See page 2-8 for more
information.
Note: It is possible to switch to advanced mode later when you feel more
comfortable with the program and/or gain more advanced knowledge of
computer networking concepts.
7 Next. The Ready to Install the Program window opens.
2-5
Figure 2-6 Installation Wizard: Ready to Install the Program
8 Click Install to install the personal firewall on your computer. The Installshield Wizard
Completed window opens after the installation is finished.
Figure 2-7 Installation Wizard: Installshield Wizard Complete
2-6
9 Click Finish. A dialog box opens.
Figure 2-8 Installation Wizard: Restart Your Computer.
10 Make a selection:
To... ...click...
restart the computer and finalize the Yes. Make sure work from any open
installation, applications is saved first; then, close all
open windows.
close the dialog box without restarting No. make sure to restart the computer later.
your computer,
Warning: If Sunbelt Kerio Personal Firewall will be used with the AVG antivirus,
AVG must be installed before the Sunbelt Kerio Personal Firewall. If Sunbelt Kerio
Personal Firewall detects the AVG antivirus when the firewall is started first time,
corresponding rules are set for the antivirus.
Caution: The following information is for advanced users and should be taken into
consideration:
• If you are using Windows XP Service Pack 2 or later, the installation program
registers Sunbelt Kerio Personal Firewall in the Windows Security Center.
During the installation, the firewall is registered as inactive.
• If the Windows firewall is running, Sunbelt Kerio Personal Firewall disables it
on startup.
2-7
Initial During the installation (see page 2-5) users are required to select the firewall settings that will be
Settings applied after the installation is complete and the computer is restarted. The following selections
are available:
• Simple — In simple mode, the firewall allows all outgoing communication (i.e. accessing the
web) and blocks any incoming communication (i.e. web sites or hackers trying to access your
computer). Network settings are automatically assigned to your computer and the system
security feature is disabled. This means that you will not receive alerts that ask detailed
questions that might require you to have more advanced computing and/or computer
networking knowledge. Simple mode is set by default and it is recommended for those less
knowledgeable about computer and computer networking.
If you have advanced knowlmedge of computers and/or computer networks, you can change
the settings to a more advanced mode after the installation is complete.
Note: The only exception to Simple mode is if you use a dial-up service (as
opposed to cable or DSL) to access the internet. You will have to confirm the
dial-up numbers you use to access the internet. Also, you are always asked to
confirm a number if a new number is dialed or if a telephone number is
changed.
• Advanced — In Advanced mode, The firewall allows you to determine the levels of
communication and system security. For example, the firewall you are alerted to take an action
and whether or not a rule should be created for the action whenever an unknown
communication is detected or an unknown application is started. You can create a specific
firewall configuration for a host and a user.
If the Advanced mode is selected, Sunbelt Kerio Personal Firewall detects the active network
interfaces. For each interface, users are asked whether or not the interface is connected to a
trustworthy network. Advanced mode is recommended for experienced users and to those
who want to apply custom settings. Advanced mode is not for beginners.
Upgrading to Upgrading to a new version of Sunbelt Kerio Personal Firewall is similar to the initial installation (as
described in pages 2-2 to 2-7). it is not necessary to stop the application since it will be stopped
a New
and closed automatically by the installation program.
Version
Note: Sunbelt Kerio Personal Firewall includes a built-in automatic update
verification system, see page 2-11.
2-8
Uninstalling Uninstall Sunbelt Kerio Personal Firewall using the Add/Remove programs option in the Control
Panel.
the Personal
Firewall To uninstall the personal firewall
1 Click Start>Control Panel. The Control Panel window opens.
Figure 2-9 Control Panel
2-9
2 Double-click Add or Remove Programs. The Add or Remove Programs window opens.
Figure 2-10 Add or remove Programs
3 Scroll down the list of programs; then, select Sunbelt Kerio Personal Firewall.
Figure 2-11 - Remove Sunbelt Kerio Personal Firewall
4 Click Remove. A dialog box opens. It asks you to confirm the decision to remove Sunbelt
Kerio Personal Firewall.
• Click Yes to uninstall the personal firewall.
• Click No to cancel the uninstall process.
Files that were created after the installation (configuration files, logs, etc.) are not removed. After
the personal firewall is uninstalled, these files can be either removed manually or kept for possible
reinstallation.
Note: If you are using Windows XP Service Pack 2 or later, the Sunbelt Kerio
Personal Firewall registration in the Windows Security Center is deleted and
the integrated Windows Firewall is enabled automatically after the uninstall.
2-10
Updating the Sunbelt Kerio Personal Firewall automatically looks for new versions each time it starts. If a
updated version is found, it can be downloaded. If the engine is not restarted; then, it will look for
current updates every 24 hours.
version
To download an updated version of the personal firewall
1 Make a selection:
To... ...click...
automatically look for program updates, Overview on the side menu, click the
Preferences tab; then, select the
Automatically check for updates box.
Sunbelt Kerio Personal Firewall will look for
updates each time your computer starts up.
If updates are found, the Update Wizard
opens.
manually check for updates, Overview on the side menu, click the
Preferences tab; then, click Check now. If
updates are found, the Update Wizard
opens.
Note: If the latest version of Sunbelt Kerio Personal Firewall is installed, a

dialog box opens stating that the latest version is installed.
2 Click Next to download the new version and run the installation program. Sunbelt Kerio
Personal Firewall always verifies the signature of a downloaded file. This feature ensures that
the downloaded file is original and not infected by a virus, damaged, etc.
Note: Stop the download or the installation process by clicking Cancel. If the
process is canceled, the update is not offered again through the automatic update
feature. However, it can be run manually.
3 Restart the computer.
2-11
Figure 2-12 Update wizard of the Sunbelt Kerio Personal Firewall
2-12
Purchasing and Product Registration
Two editions of Sunbelt Kerio Personal Firewall are available: full (paid) and free (limited). This
chapter covers the following topics:
Section Page
Free Version vs. Full Version 3-2
Purchasing Sunbelt Kerio Personal 3-2

Firewall
Product Registration 3-6
3-1
Free Version Use the same installation procedure for the Free and Full versions of Sunbelt Kerio Personal
Firewall. After a 30-day trial-period you must select one of the to use. The free version contains
vs. Full limited features, whereas all features are available with the full version.
Version
Free Version
The following limitations are applied to the Free Version:
• It is available for personal, noncommercial use only.
• Web content filtering, including its logs and statistics, is not available.
• Host Intrusion and Prevention System (HIPS) is not available.
• It cannot be used at Internet Gateways.
• Logs cannot be sent to a Syslog server.
• The configuration cannot be protected by a password and it is not possible to access and
administer the firewall remotely.
Full Version
The full version of the firewall is only available after purchasing a license number and registering
the software. All features and components of the Firewall are available after registration.
Technical Support
Only email technical support is provided for issues concerning Sunbelt Kerio Personal Firewall.
Owners of multi-licences (licences for more than one user/computer) can contact our technical
support by telephone. Go to http://www.sunbelt-software.com to find detailed contact information.
Purchasing Purchase a licensed version of Sunbelt Kerio Firewall by following a few quick steps.
Sunbelt To purchase a licensed version of Sunbelt Kerio Personal Firewall
Kerio 1 Open a web browser. If the application is open, click Overview, the License tab; then click the
Personal http://www.sunbelt-software.com/kerio.cfm link in the Homepage field. The Sunbelt Kerio
Personal Firewall page opens.
Firewall
Figure 3-1 Sunbelt Kerio Personal Firewall Web Page
3-2
2 Click . The Buy Sunbelt Kerio Personal Firewall page opens.
Figure 3-2 Product Selection Page
3 Click . The first page of the OnLineShop Secure Ordering Form opens. Make
sure a major credit card is available (American Express, Visa, or MasterCard).
Figure 3-3 OnLineShop - Step 1
3-3
4 Complete the form; then, click Continue at the bottom of the form. The second page of the
OnLineShop Secure Ordering Form opens.
Figure 3-4 OnLineShop - Step 2
5 Type the credit card information in the Credit Card Type, Credit Card Number, and Expiration
Date fields.
3-4
6 Click Process My Order. A confirmation window opens after the order is processed.
Figure 3-5 Order Confirmation Page
The confirmation page contains the key needed to register Sunbelt Kerio Personal firewall.
7 Make a selection:
If... ...click...
Sunbelt Kerio Personal Firewall is not the link under the license key on the
installed on the user’s computer, confirmation page, download; then, install
the application. Go to page 2-1, to read how
to install Sunbelt Kerio Personal Firewall.
a trial version of Sunbelt Kerio Personal Register on the License tab. Go to Product
Firewall is on the users computer (and the Registration, page 3-6.
OnLine Secure ordering form is being
accessed through the application),
3-5
Product Sunbelt Kerio Personal Firewall must be registered to enable all of the features contained within
the full version.
Registration
To register Sunbelt Kerio Personal Firewall from within the application
1 Click Overview, the License tab; then click Register. The Registration Wizard opens.
Figure 3-6 Registration wizard — License Number
2 Type the license key in the License number field; then, click Next.
3 Type the relevant contact information in the required fields; then click Next.
Figure 3-7 Registration wizard — Contact information
3-6
Figure 3-8 Registration wizard — Additional Subscriptions
4 Make a selection:
To... ...click...
add another subscription, Add; type the number in the Subscription

field in the Subscription Editor dialog box;
then click OK.
continue without adding another Next.

subscription,
5 Click Finish to close the wizard. The License tab now contains detailed information on the
current license.
Note: The Personal Firewall GUI component is automatically restarted after the
registration is complete. This enables all features that were not available in the
trial version.
Note: The Register button in the Product section is disabled after the license key
is registered.
The License section provides information about the current license number, date of the license
expiration and date of the last free update (subscription expiration date and time).
Make a selection:.
To... ...click...
register another subscription number, Add Subscription. Go to step 4.
modify contact information, Modify data. Go to step 3 on page 3-6.
3-7
Firewall Components and Basic Control Features
Sunbelt Kerio Personal Firewall uses several components and system tray features. The
Components section of this chapter is highly technical. We recommend that basic computer users
should focus more on the System Tray Icons section. This chapter covers the following topics:
Section Page
Components 4-2
System Tray Icons 4-3
4-1
Components Sunbelt Kerio Personal Firewall consists of eight key components:

• Personal Firewall Engine – this engine is the core part of the Sunbelt Kerio Personal
Firewall. It runs as a service (Windows NT 4.0 or later) or in the background (Windows 98 and
Me).
• Low-level drivers – these drivers are located at the core of an operating system during its
startup. They are located between network interface drivers and the TCP/IP subsystem.
• Network traffic low-level driver – This driver detects and processes all incoming and
outgoing IP traffic. It allows or blocks traffic in accordance with the firewall policy, and controls
running applications and system processes.
• Host intrusions low-level driver – This low-level driver detects (and blocks — depending on
settings in the user interface) Buffer overflow and Code injection intrusion types. The low-level
drivers are stored in Windows system directory:
• In Windows NT and 2000, the fwdrv.sys file is stored in C:\WINNT\system32\drivers.
• In Windows XP, the fwdrv.sys and khips.sys files are stored in C:\WIN-
DOWS\system32\drivers.
• In Windows 98 and Windows Me, the fwdrv.vxd and khips.sys files are stored in the
C:\WINDOWS\system directory.
• Personal Firewall GUI – The GUI (Graphical User Interface) starts automatically via the
Personal Firewall Engine service. GUI is represented by a shield icon on the System Tray (see
graphic below). Right-click the icon on the System Tray to open the configuration dialog or to
select another option from the menu (stopping network traffic, disabling firewall, etc.).
Figure 4-1 Sunbelt Kerio Personal Firewall icon on the Systray
The Personal Firewall GUI is represented by the kpf4gui.exe file found in the installation
directory.
• Crashdump sender – This tool sends a crashdump file (assist.exe) to Sunbelt Software when
the Firewall breaks down.
• Libraries – The components above use the following dynamic libraries (DLL):
• kfe.dll — an interface of the low-level driver. This interface enables traffic between the
driver and the Personal Firewall Engine.
• gkh.dll — a module used for hot key control. This module disables the pop-up filter tempo-
rarily.
• kwsapi.dll — the interface for the Windows Security Center (used for registration of the
Sunbelt Kerio Personal Firewall and display of its status).
• KTssleay32_0.9.7.dll, libeay32_0.9.7.dll — an OpenSSL library which provides encryption
of configuration files and of communication between the Personal Firewall GUI and the
Personal Firewall Engine.
• KTiconv.dll — aniconv library which encodes and deciphers characters e.g. during Web
content filtering, logging, etc.
• KTzlib.dll — a zlib library which is used for crashdump packing.
• Fast User Switching Support – The Personal Firewall supports Fast User Switching in
Windows XP. Multiple instances of the Firewall can be open at the same time. When this
happens, the Personal Firewall Engine communicates with the instance that belongs to the
active user. After the Personal Firewall Engine service starts, the first instance opens and runs
under the account for which the Personal Firewall Engine service is running. After the user
logs in, a new instance opens, and runs with the privileges of the user who is logged in. This
instance is active until the user logs off or you switch users.
4-2
System Tray A shield-shaped icon is displayed in the System Tray whenever the Personal Firewall is running.
This component is started automatically by the Personal Firewall Engine. The icon also shows
Icons network activity of the computer on which the firewall is installed. Network traffic is represented by
small colored bars at the bottom of the icon:
Figure 4-2 Sunbelt Kerio Personal Firewall icon on the Systray
The green bar represents outgoing traffic, the red bar incoming traffic. Right-click the icon to open
a menu providing more options.
Figure 4-3 Context menu of systray icon Sunbelt Kerio Personal Firewall
Select an option for the system tray icon menu:

Disable Firewall – Select this option to disable all firewall activities (network communication
filtering, monitoring of launched applications, intrusions detection and Web content filtering). Use
this option to disable the firewall during activities such as system tests or debugging (i.e. network
connection failures). We do not recommend disabling the firewall for long since your computer is
protected while it is disabled.
Figure 4-4 Sunbelt Kerio Personal Firewall Systray icon— Firewall disabled
When the firewall is disabled, the menu selection switches to Enable Firewall. Use it to start the
firewall.
Note: In Windows XP Service Pack 2, the current status of the Sunbelt Kerio
Personal Firewall is reported to the Windows Security Center.
Stop all traffic – Select this option to block all network traffic. In cases where network traffic that
should have been denied was permitted by mistake, use the Stop all traffic option to stop all active
connections and to prohibit its recovery. If a traffic rule has been created (using the Create a rule
for this communication option), it can be removed and the traffic can be enabled again.
Figure 4-5 Sunbelt Kerio Personal Firewall Systray icon — Stop all traffic
4-3
When the firewall is disabled, the menu selection switches to Enable traffic. Use it to allow network
traffic. Anytime the Personal Firewall Engine service is started, the Disable Firewall and Stop all
traffic options are set to their default modes. For security reasons, it is not recommended that you
leave the firewall disabled after the system starts up. Also, stopping all traffic might cause
problems during user login.
Configuration – Select this option to open the configuration dialog box.
About – Select this option to open the About Sunbelt Kerio Personal Firewall window. This
window provides general information about Sunbelt Kerio Personal Firewall and the versions of
the individual components.
Figure 4-6About window
Exit – Select this option to stop the Personal Firewall Engine service and close the Personal
Firewall (all open windows and application dialogs are closed and the icon on the Systray is
hidden). Reactivated the Firewall by selecting Start>All Programs>Sunbelt Software>Kerio
Personal Firewall 4.
4-4
Firewall Behavior and User Interaction
Before learning how to configure Sunbelt Kerio Personal Firewall, it is important to understand how
it behaves and interacts with users. This chapter covers the following topics:
Section Page
Firewall Behavior 5-2
Connection Alert 5-3
Application Alert 5-6
Host Intrusion Alerts 5-8
Alerts for Connections with Rules 5-10
5-1
Firewall Information is transmitted through the Internet using TCP/IP protocols. TCP/IP (Transmission
Control Protocol/Internet Protocol) is the basic communication language of the Internet. It can also
Behavior be used as a communications protocol in a private network (i.e. inside a company or your home).
When you are set up with direct access to the Internet, your computer is provided with a copy of
the TCP/IP protocols. Every computer to which you send or receive messages also has TCP/IP
protocols.
TCP/IP Layers
TCP/IP has two-layers. The higher layer, Transmission Control Protocol (TCP), divides a file into
smaller chunks (packets) so the file easier to send. Each packet is numbered separately and
includes the Internet address of the destination. The individual packets for a given file might travel
by different routes through the Internet, however when they all arrive at their destination, they are
reassembled into the original file (by the TCP layer at the destination). The lower layer, Internet
Protocol (IP), manages the address part of each packet so that it arrives at the correct destination.
If you are part of a computer network, each computer with access to the internet verifies the IP
address in order to determine where to forward the message.
Inspecting the Packets
Sunbelt Kerio Personal Firewall inspects each packet; then makes a decision based on the
information acquired from the packets as well as the information from previous communications. A
log is created to record the information about each approved connection. If a packet is not a threat,
it is allowed into your computer. If it is a threat, it is filtered out. The firewall blocks all packets that
have been filtered out. The process of inspecting the packets within the message is more efficient
and more secure than basic packet filtering, which allows or blocks packets based on source and
destination addresses, ports, or protocols, not necessarily their contents.
Advanced (Learning Mode)
If Advanced (learning mode) was selected during the installation, Sunbelt Kerio Personal
Firewall provides tutorial-style pop-ups to help you make better informed decisions about whether
or not to allow a connection to the internet. You are also given the option of permanently permitting
or denying a connection. If a connection is permitted or denied permanently, a corresponding rule
is automatically created, and users are no longer prompted to permit or deny that particular
connection.
Note: The same method is used to verify running applications.
The ability to modify rules gives users more control over network traffic to and from their
computers. Only packets that meet certain criteria, or those that belong to approved connections
are allowed through the firewall.
The dialog boxes that alert users about attempted connections are set to Always on Top. For
example, if there more than one attempt to establish a connection to the internet is detected, they
are put in a queue. Users must decide to allow or deny a connection in the dialog box that is on top
before moving onto the next dialog box.
5-2
Connection The Connection Alert dialog box opens when Sunbelt Kerio Personal Firewall detects unknown
internet traffic. You are prompted to allow or deny the connection to the Internet, and whether or
Alert
not to create a corresponding rule.
Note: The parameters in the Network Security section define how the Personal
Firewall behaves when a network connection is detected. The Connection Alert
dialog box opens if no corresponding rule is found.
Caution: If the Sunbelt Kerio Personal Firewall configuration is password-

protected, a connection can still be allowed, however, a rule cannot be created for
the connection (unless the password is specified).
Figure 5-1 Connection alert (unknown traffic detection)
Note: Communication is paused while the Connection Alert dialog is open.
5-3
When an Alert dialog box opens, two sections stand out: the direction of the connection (incoming
or outgoing), and the application and remote point trying to make the connection.
Traffic direction and zone
A green stripe represents an outgoing connection (from a local computer to a general point on the
internet or trusted IP address). A red stripe represents an incoming connection (from a general
point on the internet or trusted IP address to a local computer). The remote location is shown in
parentheses. Trusted area signifies group of trusted IP addresses, Internet signifies IP address
that are not included in the Trusted area
Local application and Remote point

Basic information about a connection is listed below the colored stripe:
Figure 5-2 Connection alert — Local application and remote point
• The first line shows the application used by the local computer. If a description is not available,
the name of a corresponding executable file is displayed. If an application has no icon, a
default system icon is used.
• The second line shows the remote point DNS (Domain Name System - See Glossary, page
13-1.) name and its IP address (in brackets).
Note: DNS names are identified through DNS queries. If a corresponding

DNS name is found, it substitutes the IP address.
• The remote point to which the connection is being made (in case of standard services), and
the name of the service is displayed in addition to the port number.
Place the mouse pointer over the application name to see the path to the application executable
file on your computer.
Figure 5-3 Connection alert — Full path to the application
5-4
To take action based on an alert

1 Select the Create a rule for this communication and don’t ask me again check box.
Figure 5-4 Connection alert — Actions
2 Make a selection:
To... ...click...
allow the communication, Permit. The communication is allowed and

the dialog box closes.
block the communication Deny. The communication is blocked and

the dialog box closes.
view more information about the <<Details. A Description box drops down. It
communication, provides more information about the
connection and the application making the
communication. Click this button again to
hide the information.
3 To create an advanced filter rule, select the Create an advanced filter rule check box.
Advanced filter rules are used to set more detailed parameters regarding incoming and
outgoing communications.
Figure 5-5 Connection alert — Create an advanced rule
4 To manage advanced packet filter rule definitions, click Advanced filter rule.... The Network
Security - Advanced Packet Filter window opens. Advanced rules can be added, edited, or
removed anytime by opening the Personal Firewall application; then, clicking the
Applications tab under the Network Security section.
5-5
Application The application alert dialog boxes inform users that Sunbelt Kerio Personal Firewall detected an
Alert attempt to start an application, replace an application, or to run one application from another.
Note: Use the System Security section to define how the Personal Firewall
behaves when applications are started. The Starting, Replacing, and Launching
other application dialog boxes are opened if no corresponding rule is found.
Warning: If the Personal Firewall configuration is password-protected, the action

is allowed only if a valid password is specified.
Figure 5-6Starting/Replacing/Launching other application dialog
5-6
The Application alert dialog boxes provide the following information:

Description
A brief description of a particular event and a general recommendation one the action that should
be taken.
Figure 5-7 Starting/Replacing/Launching other application dialog — Event description
Note: If the description of the application (or the file name if there is no description
available) is too long, it will be shortened to 32 characters, and three dots will be
added at the end to show that the description is incomplete.
Event Type
The orange strip contains Information on the type of event that was detected. Starting application
signifies an attempt to launch an application, Replacing application signifies an attempt to replace
an executable file for an application, and Application is launching other application signifies one
application is attempting to launch another
Icon and application name

An icon and description of the application are provided below the orange bar. If no description is
available, name of the executable file is displayed. If the application has no icon, the standard
system icon for executable files will be used.
If the application was launched by another application, information on such application will be
displayed below (Launched by).
Figure 5-8Starting/Replacing/Launching other application dialog — Icon and application name
Place the mouse pointer over the description on the application or over the description of the
application by which it is launched to view a tool tip providing full path to the executable file of the
corresponding application.
Figure 5-9Starting/Replacing/Launching other application dialog — Full path to the application
To take action based on this alert, see To take an action regarding an alert, page 5-5.
5-7
Host The Intrusion Attempt Blocked dialog box warns users that Sunbelt Kerio Personal Firewall
Intrusion detected a host intrusion attempt and blocked it.
Alerts Note: The Intrusion Attempt Blocked alert is opens when there is no
corresponding exception defined for the applications involved or if the Do not
display warnings for this type of event is disabled.
Figure 5-10 Host intrusion alert
Description
A description of the attempted intrusion is provided at the top of the dialog box, including
recommended response.
Event type
The blue strip contains information on the type of event that was detected.
Figure 5-11 Intrusion Attempt dialog — Event
5-8
The icon and application path

The paths to the target and injector applications as well as corresponding icons are listed directly
below the event name. If the application does not use an icon, the standard system icon for
executable files is used.
Figure 5-12 Code injection detected — Icons and intrusion description
In case of events that overflow the buffer, only the process where the intrusion was detected is
provided (see below).
Figure 5-13 Buffer overflow detected — Icon and intrusion description
To take action based on an intrusion alert

1 To Allow technical details to be transmitted to Sunbelt, select the Create a rule for this
communication and don’t ask me again check box.
Figure 5-14 Connection alert — Actions
2 Make a selection:
To... ...click...
close the dialog box, Close. The the dialog box closes.
view more information about the <<Details. A Description box drops down. It
communication, provides more technical details about the
intrusion. Click this button again to hide the
information.
5-9
Alerts For You can enable the Alert dialog box in rules or by running an application. This dialog box opens
when a packet that is sent or received meets the conditions of a rule. A window opens in the right
Connections bottom corner of the screen. It provides basic details about the connection. If new events that meet
with Rules the rule are detected while the dialog box is open, they are queued.
Warning: If you close the Alert dialog box, all queued alerts are removed,
regardless if they have been displayed or not.
Figure 5-15 Network Connection Alert
The sample alert graphic above, provides the following information:

• Time – date and time the connection was initiated
• Rule descr. – description (name) of a the rule
• Application – icon and name of the application used for the communication. If the application
does not have an icon, a default system icon is used. if the application does not have a name,
the name of the corresponding executable file is listed.
• Remote – IP address and port number of the remote computer. If a name can be identified
using DNS, the name is displayed instead of the IP address.
• Details – details about the connection: direction, protocol, and local port number
• Action – action that has been taken regarding the connection (Permitted or Denied)
• Sequence number – number of alerts in the queue and the order in which they arrived.
• Navigation buttons – click through the list of alerts in the queue.
5-10
Basic Firewall Configuration
Now that we have discussed how the firewall behaves, it is time to learn more about the interface
and how to configure basic parameters. This chapter covers the following topics:
Section Page
The Interface 6-2
Working with Network Connections 6-5
Working with Statistics 6-7
Setting Firewall Preferences 6-9
6-1
The Interface Use the user interface to control how Sunbelt Kerio Personal Firewall protects your computer.
There are two ways to open the user interface:
• Double-click the Sunbelt Kerio Personal Firewall icon in the System Tray
• Right-click on the icon and select Configuration from the menu.
Figure 6-1 Sunbelt Kerio Personal Firewall Configuration Dialog
Modules
The interface is divided into five modules, shown as side-tabs:
• Overview – list of active and open ports, statistic, user preferences.
• Network Security – rules for network communication of individual applications, packet
filtering, trusted area definitions.
• System Security – rules for startup of individual applications
• Intrusions – configuration of parameters which will be used for detection of known intrusion
types.
• Web — Web content rules (URL filter, pop-ups blocking, control over sent data)
• Logs & Alerts — logs viewing and settings
Note: The Register button is listed at the bottom with the Help, OK, Cancel, and
Apply buttons only if you have not registered your version of Sunbelt Kerio
Personal Firewall.
6-2
Network Traffic Graph

A black and green chart on the left side of the window shows traffic for a particular network.
Figure 6-2 Traffic load of a particular network interface
The green bar next to the chart represents current speed of outgoing traffic. The red bar shows
current speed of incoming traffic.
To work with the network traffic graph
1 Click the chart to switch between the line graph and the bar graph visual.
2 Place the mouse pointer over the chart to see statistics relating to network traffic.
• speed out (green bar) — current speed of outgoing traffic
• speed in (red bar) — current speed of incoming communication
• maximum (in+out) — the highest speed for incoming and outgoing traffic in the last 80
seconds
• minimum (in+out) — the lowest speed for incoming and outgoing traffic in the last 80
seconds
3 To block all network traffic (all connections are stopped immediately), click Stop all traffic.
This function is helpful when a communication that was supposed to be blocked was allowed
by mistake. If you stop the traffic, the text on the button changes to Enable traffic.
Figure 6-3 Stop all traffic/Enable traffic
Note: Users can also right-click the Sunbelt Kerio Personal Firewall icon
displayed in the System tray to access the Stop/Enable traffic option.
6-3
Action Buttons
Buttons at the dialog bottom provide the following functions:
• Help – opens the online help for tab under a particular section
• OK – saves all changes and closes the window
• Cancel – closes the window without saving changes
• Apply – saves and applies all changes, but leaves the window open
Note: Users can only make changes to one tab at a time. If a user clicks another
tab or section, a dialog box opens. Click Yes to apply the changes or No to
continue without saving.
Figure 6-4 Configuration Dialog – Confirm storing of changes
6-4
Working with The Connections tab lists active connections and open ports used by individual applications. It
also lists the applications that are actively involved in network communication and the applications
Network that are waiting for connections.
Connections
Figure 6-5 Connections Tab
The first line represents each application's icon and name (description) – if the application does
not have an icon, the default system icon for executable files is used; if a description is not
available, the name of the file without the extension is displayed. A port is considered open when it
meets the following criteria:
• an outgoing connection is established (green background)
• an incoming connection is established (red background)
• an application is listening for connections — server mode (transparent background
Click the [+] to expand a list of details relating to the connection. Click the [-] to hide open ports
currently used by the application.
Figure 6-6 Connections - Expand List
Connections Tab Column Headings

There are seven headings in the Connections tab:
• Local Point – Local IP address (or a corresponding DNS name) and port (or service name).
• Remote Point – IP address (or DNS name) and port number (or service name) of a particular
remote point. The same information for the local IP address and port is provided (see above).
• Protocol – Protocol used (TCP, UDP, or both)
• Speed In, Speed Out – Current speed of incoming and outgoing data of the connection in
kilobytes per second (KB/s).
• Bytes In, Bytes Out – Amount of incoming and outgoing data within the connection.
6-5
A key at the bottom of the tab shows the number of active connections and open ports.
Figure 6-7 Connections - Incoming, Outgoing, Open Ports
To manage options for connections

1 Click Overview; then click the Connections tab.
2 Right-click inside the main tab area to open the Connections submenu.
Figure 6-8 Connections - Tab Submenu
3 Make a selection:
To... ...select...
expand the details for all listed items Expand all. The details for each item are
relating to the connection, show in a sub-list.
contract the details for all listed items Collapse all. The sub-list of details for each
relating to the connection, item are contracted.
hide all information relating to the firewall Hide KPF connections.

connections,
hide all information relating to local Hide local connections.

connections,
determine how the name of the Full path, File name, Description from the
application is displayed, submenu next to Displayed application
name.
The application icons next to the Show icons from the submenu next to
application path, file, or description, Displayed application name.
display address of the remote point, Resolve address.
display the port connected to the remote Resolve port.

point,
display the protocol used to connect to the Resolve protocol.

remote point,
6-6
Working with The Statistics tab lists system statistics for intrusion detection and Web content filtering.
Statistics
Figure 6-9 Statistics - Statistics on number of blocked intrusions and undesirable Web items
There are six statistical groups:

NIPS – Lists the number of detected intrusions:
• High priority — critical attacks
• Medium priority — medium level priority intrusions (e.g. service blocking)
• Low priority — low level priority intrusions (e.g. suspicious activities)
• Port scans — so called Port Scanning
Advertisements – Lists the number of blocked ads and web pages components:
• Advertisements — number of objects blocked by ad filtering rules
• Popups — number of blocked pop-up and pop-under windows
Scripts – Lists the number of detected scripts.
• JavaScripts — number of filtered JavaScript items
• VBScripts — number of filtered Visual Basic Script items
• ActiveX — number of filtered ActiveX components
HIPS – Number of detected attacks:
• Buffer overflow — number of buffer overflow attempts
• Code injection — number of code injection attempts
Privacy – Number of objects blocked by the Privacy function:
• Referers —number of Referer items filtered from the HTTP header
• Private information — number of blocked private items that were to be sent
Cookies – Number of filtered cookies based on the following types:
• Persistent cookies — number of filtered cookies
• Session cookies — number of filtered temporary cookies
• Foreign cookies — number of filtered third party cookies
Click on the blue heading for a group to view the complete statistics for that heading in the Logs &
Alerts section. See Logs & Alerts, page 11-1, for more information.
6-7
To view statistics for a specific time frame

1 Click Overview; then, click the Statistics tab.
2 Select a time frame from the drop-list.
Figure 6-10 Statistics – Show Statistics... Drop-List
3 To reset all monitored statistics, click Reset all statistics. A confirmation dialog box opens.
• Click Yes to confirm the reset.
• Click No to cancel the reset.
6-8
Setting Set user preferences and advanced firewall parameters in the Overview section on the
Preferences tab.
Firewall
Preferences
Figure 6-11 Overview - Preferences Tab
To configure firewall preferences

1 Select Overview; then, click the Preferences tab.
2 Click Check now to see if there are any updates. This step is important if the user interface is
being accessed for the first time. If a new version is found at the update server, users can
download and install it. If the users already have the latest version, the following dialog box
opens:
Figure 6-12 Check for new version — New version is not available
6-9
3 Make a selection:
To... ...select...
set the firewall to automatically check for Automatically check for updates.
updates,
check for beta releases of new versions, Check for beta release. Beta versions are
versions of a program that are still being
developed and tested. Therefore, they might
operate smoothly and bugs may occur. Use
the Select this option to participate in
product testing.
generate a file that contains debugging Generate crash dump (useful when
information if the application crashes, reporting problem to Sunbelt Software).
In the event of a crash, a file containing
information relating to the crash is created,
and the Assist utility is launched. This utility
analyzes the crashdump file and decides
whether it has anything in common with
Sunbelt Kerio Personal Firewall. If the crash
is related to the firewall, the Assist Utility
provides Sunbelt Software with information
relevant to the crash to we can provide an
detailed analysis of the problem.
Note: Any received information will be used only for Sunbelt Kerio Personal
Firewall debugging. It will not be used for another purpose nor it will be passed on
to other parties.
6-10
Configuration
Sunbelt Kerio Personal Firewall enables users to import and export application configurations to
and from XML files. The option to import and export configuration files helps the firewall back-up,
recover and restore important application parameters.
To back up and restore application configuration files
2 Make a selection:
To... ...click...
open and restore configuration files, Import. Select the file to import from the
Source file selection window; then, click
Open. A confirmation dialog box opens if
the import was successful. Click OK.
backup the current configuration files, Export. Select folder in which to store the
file from the KPF 4.x file selection window;
then, click Save. A confirmation dialog box
opens if the import was successful. Click
OK.
Note: Encrypted configuration files cannot be imported.
Password Protection
It is possible to configure Sunbelt Kerio Personal Firewall so that it can be accessed only through
password authentication (only authorized users are then allowed to modify settings). In such case,
unauthorized users are allowed only to view the configuration; a password is required to make
changes.
Figure 6-13 Password Protection
Users can set a system password from the Preferences tab. If password protection is enabled, a
password is required to make any changes in the firewall configuration. We recommend that
authorized users logout using the Logout button after making changes so unauthorized users
cannot modify the configuration. It is also possible to log out from the menu accessed by right-
clicking the icon in the System Tray.
6-11
To set a password
2 Select the Enable password protection check box. The KPF - change password dialog box
opens.
Figure 6-14 Enable password protection
3 If a password was set previously, type it in the Old password field. If not, this field is grayed
out.
4 Type the new password in the New password field; then, retype it in the Retype password
field.
5 Click OK to set the password, or click Cancel to close the dialog box without setting a
password. If the password was set successfully, a confirmation dialog box opens. Click OK.
Note: Only users with an authorized password can administer Sunbelt Kerio
Personal Firewall form a remote location. If the Enable password protection option
is disabled, remote administration cannot be enabled. The option is greyed out.
6 To all the this computer to be administered from a remote location, select the Allow remote
administration of this computer check box.
6-12
Remote Administration
Users can administer Sunbelt Kerio Personal Firewall from a remote location. All settings and
functions can be accessed from a remote computer.
To access Sunbelt Kerio Personal Firewall from a remote computer
1 Select the Overview section; then click the Preferences tab.
2 Select the Enable password protection check box. The Change Password dialog box opens.
Type the password information in the appropriate fields; then click OK.
3 Select the Allow remote administration of this computer check box.
4 Make a selection:
If... ...then...
Sunbelt Kerio Personal Firewall 4.x is select Remote Firewall Administration from
installed on the remote computer, the Sunbelt program group; then, run it.
Sunbelt Kerio Personal Firewall is not copy the kpf4gui.exe, KTlibeay32_0.9.7.dll,

installed on the remote computer, KTssleay32_0.9.7.dll and KTzlib.dll files
from the local workstation (from the
C:\Program Files\Sunbelt\Personal Firewall
4 directory) and run them on the remote
workstation.
Note: If you intend to use a version of the
interface in a language other than English,
copy the trans subdirectory.
5 Type the appropriate information in the Host and Password fields.
Figure 6-15Access from a Remote workstation
6 To redirect alerts and notifications to the remote computer, select the Redirect events to this
session check box. After a successful connection the host name or IP address is displayed in
the header of the configuration window.
7 Click Connect to establish connection with the remote computer.
Note: Connection to a remote administration is allowed by the internal Sunbelt

Kerio Personal Firewall policy. This means that it is not necessary to define
special network security rules to enable remote administration.
6-13
After successfully connecting to the firewall, the Sunbelt Kerio Personal Firewall icon in the
System tray has an R, symbolizing the remote connection. Right-click the icon to open a menu that
provides the following functions:
Figure 6-16 Remote administration — Context menu of the Systray icon
• Disable firewall – Select this options to deactivate the firewall (all security functions are
disabled).
• Stop All traffic – Select this option to stop incoming and outgoing traffic.
• Configuration – Select this option to open the user interface and configure necessary
settings.
• About – Select this option to view information about the individual versions of Sunbelt Kerio
Personal Firewall components as well as license information.
• Disconnect – Select this option to disconnect from the remote Firewall and close the interface
on the computer from which the remote access was granted.
Note: The following functions are not available for remote connections:
• Stop all traffic (this function would block connection of the Personal
Firewall Engine with the Personal Firewall GUI operating on the remote
host)
• Logout (users must be authenticated to be allowed to administer the
firewall remotely and they will be logged out automatically when
disconnected from the Personal Firewall Engine)
• Exit (the Personal Firewall Engine service cannot be closed remotely; the
Personal Firewall GUI running on the remote host can be closed using the
Disconnect option).
Preferred language
Users can select preferred language for the Sunbelt Kerio Personal Firewall user interface.
To set a preferred language
2 Select a language from the Preferred language drop-list.
3 Click OK or Apply. Close the interface; then re-open it. Notice that the new language is used.
The Personal Firewall Engine detects which language versions are available; then, populates the
Preferred language drop-list with the available versions.
Preferred language also affects the language in the help file. If a corresponding help file for the
language is not found, Sunbelt Kerio Personal Firewall uses the English version of the help file.
6-14
Network Security
Defining the network communication rules is one of the most important parts of the Sunbelt Kerio
Personal Firewall configuration. This chapters covers the following topics:
Section Page
What is Network Security? 7-2
Rules 7-2
How Are Rules Applied 7-2
Application Rules 7-3
Packet Filter Rules 7-7
Predefined Rules 7-20
Trusted Area 7-22
Advanced Settings 7-23
Boot Time Protection 7-24
Detecting New Network Interfaces 7-25
Checking Dialed Telephone Numbers 7-26
7-1
What is The Network Security section controls all incoming and outgoing communication to and from your
computer or computer network. Sunbelt Kerio Personal Firewall includes a set of predefined
Network network security rules (i.e. for DNS, DHCP, etc.). These rules are separate from user-defined rules
Security? and can be enabled or disabled at any time.
Rules The following network communication rules are available:

• Applications – simple rules that define how the firewall behaves during network
communications. Application rules are generated automatically. This process is based on the
user responses to connection alerts regarding unknown network traffic.
• Advanced Packet Filter – detailed rules for network communications. Packet filter rule are
defined manually in the Sunbelt Kerio Personal Firewall application or generated automatically
based to user responses to connection alerts.
• Predefined – Sunbelt Kerio Personal Firewall includes set of predefined rules which are
independent from individual applications. For these rules, only actions which will be taken can
be set (allow or deny rule). Predefined rules can be either enabled or disabled (one option for
all the rules).
How are When a communication is detected, individual modules apply rules in a pre-defined order. If the
communication meets the criteria for a rule, a corresponding action is taken. If one rule is applied
Rules
to a communication, no more rules are applied. Rules for individual Sunbelt Kerio Personal
Applied? Firewall modules are applied in the following order:
1 Intrusion detection system (IDS)
2 Network traffic Inspection (automatically lets in/out packets which belong to permitted
connections),
3 Internal rules for Sunbelt Kerio Personal Firewall components — i.e. permission to access a
web server in order to check and download new versions of the program
4 Advanced packet filter rules
5 Predefined network security rules
6 Application rules
Note: If individual firewall components are disabled, corresponding rules are not
applied. Internal firewall rules cannot be switched off.
7-2
Application View and modify Application rules on the Applications tab under the Network Security section.
Rules Note: The following information is for cases when Sunbelt Kerio Personal Firewall
is in Advanced mode. In the Simple mode, all outgoing traffic is allowed and all
incoming communication is denied for any application (both for trusted zones and
the Internet) and rules are not automatically created.
Figure 7-1 Network Security – Applications Tab
Applications Tab Column Headings

There are five headings under the applications tab. They are described below.
Description – Lists the application icon and description. If there is no icon, a system icon is used.
If a description is unavailable, the name of the executable file is listed.
Note: Users cannot edit icons and descriptions of applications in Sunbelt Kerio
Personal Firewall.
Trusted, Internet In/Out – Lists the settings for how applications behave during a connection.
Select one of the following actions for each zone and direction:
• permit – allows the connection
• deny – blocks the connection
• ask – asks the user to permit or deny the connection. Anytime a new connection is detected,
an alert dialog box opens and ask the user to make a decision.
Note: Rules can be edited in the Connection Alert dialog using the Create a rule
for this communication option. If this option is selected, the default Ask action is
switched to an action selected by the user.
Log – Lists whether or not communication that meet the rule is logged into the Network log.
Alert – Lists whether or not an alert connection that meets the rule is detected.
Use the Edit button to edit a selected rule. Use the Remove button to remove a selected rule. Use
the Refresh button to refresh the rule list.
7-3
Defining Rules
Only one rule can be defined for each application. The order in which the rules are defined is not
important.
To configure basic application rules
1 Click Network Security; then click the Applications tab.
2 Make a selection:
To... ...select...
enable the Network Security Module, Enable Network security module check box.
edit a rule, a rule on the list; then click Edit. The

Connection settings for .exe dialog box
opens. See To edit the settings for an
application rule, page 7-5.
remove a rule from the list, a rule on the list; then, click Remove. A
confirmation dialog box opens:
• Click Yes to remove the rule.
• Click No to cancel the removal.
3 Make a selection for new rules and refreshing the current list:
To... ...click...
add, edit, insert, or remove an advanced Packet filter.... The Network Security -
packet filter rules and/or IP group, Advanced Packet Filter dialog box opens.
refresh the current list of rules, Refresh.
Open the a help window relating to the Help.

current tab,
apply changes to the Applications tab, OK.

save them, and close the Sunbelt Kerio
Personal Firewall configuration window,
cancel changes to the Applications tab Cancel.

without saving them, and close the
Sunbelt Kerio Personal Firewall
configuration window,
apply changes to the Applications tab and Apply.

keep the Sunbelt Kerio Personal Firewall
configuration window open,
7-4
Application Rule Settings

You can edit the settings attached to each application for which a rule is created. Use the settings
to permit or deny connections to and from trusted areas and the internet. They also determine
whether or not to record the details of each connection to a network log.
To edit the settings for an application rule
1 Click Network Security; then, the Applications tab.
2 Select an application from the list; then, click Edit. The Connection Settings dialog box
opens. The name of the application is displayed at the top of the box. The icon and full path to
the application executable file is listed below the name.
Figure 7-2 Edit Application Rule
3 Make a selection:
To... ...select...
set the permissions for connections from Deny, Ask User, or Permit from the
a trusted area, Incoming connection drop-list under the
Connections from/to trusted area section.
set the permissions for connections to a Deny, Ask User, or Permit from the
trusted area, Outgoing connection drop-list under the
Connections from/to trusted area section.
set the permissions for connections from Deny, Ask User, or Permit from the
the Internet, Incoming connection drop-list under the
Connections from/to Internet section.
set the permissions for connections to the Deny, Ask User, or Permit from the
Internet, Outgoing connection drop-list under the
Connections from/to Internet section.
log communications that meet this rule to the Log communication to network log
the network log, check box.
enable the Alert dialog box for the Show alert to user check box.
connections meeting this rule,
7-5
Default Rule
The Another application rule (the default rule) is always located at the end of the list of application
rules. This rule applies to network traffic that does not match any other rule. The default rule is
highlighted in the rule list. It cannot be removed.
Note: You can set actions in the Any other application rule in order to switch
between firewall modes:
• If at least one ask action is in the rule, the firewall works in the Advanced
mode. Whenever unknown traffic is detected, you are asked to take an action;
the traffic is handled according to your decision.
• If only the permit and/or deny actions are set for zones and directions, the
firewall works in Simple mode. If unknown traffic is detected, a corresponding
action is taken without asking the user.
The default rule is also used as a template for new rules that are automatically
created after you click Permit or Deny on an Alert dialog box.
Additional Application Options

You have several options available from within the Applications tab. Use the procedure below to
manage those options
To manage individual application rules
1 Right-click an application to open a menu that lists additional options:
Figure 7-3 Rules for applications – Context menu
2 Make a selection:
To... ...select...
edit an rule, Edit.
remove a rule, Remove.
list an application by its path, name, or Displayed application name; then, one of
description, the following from the sub-menu:
• Full path
• File name
• Description.
Use the Show icon option to enable/disable
application icons before the application
name or description.
7-6
3 Do one of the following to update the permissions under the Trusted or Internet columns:
• left-click to switch between the Permit, Deny and Ask actions.
• right-click to open a context menu and select an action.
Figure 7-4 Rules for applications – Actions
Packet Filter Packet filter rules allow you to define advanced rules for specific network communication. You can
define the local application and traffic direction, protocol, remote IP addresses, and remote and
Rules
local ports.
Filter Rules
Rules for packet filter can be defined as follows:
• Manually – Open the Advanced Packet Filter dialog where packet filter rules can be viewed,
edited and removed (for details see below).
• Automatically – the Connection Alert dialog box pops-up when a connection does not meet a
rule; if the Create an advanced filter rule option is selected, a packet filter rule is created
instead of a standard rule.
Note: Packet filter rules do not distinguish between trusted area and the
Internet (an IP address, subnet, IP group, etc. are always specified in the
rule).
To manually define packet filter rules

2 Click Packet Filter.... The Network Security - Advanced Packet Filter window opens.
Figure 7-5 Advanced Packet Filter Rules – Filter Rules
7-7
The Filter Rules tab lists the rules for advanced packet filters. The rules are listed in the order
in which they will be applied when a connection is detected. The first rule that the traffic meets
is applied. The rules are applied from top to bottom.
Figure 7-6 Packet Filter Rules
Packet filter rules can also be classified by groups. If a rule is in a group, it does not affect how
rules are applied. Rules that are part of a group are for reference only. Rule groups are
displayed on the left of the Filter Rules tab.
Figure 7-7 Rule groups of packet filter
3 Make a selection:
To... ...click...
edit an existing rule, Edit. The Filter rule dialog box opens.
add a new rule, Add. The Filter rule dialog box opens.
insert a rule above an item on the list, Insert. The Filter rule dialog box opens.
select a rule in the list; then,
remove a rule from the list, Remove. The rule is deleted from the list.
refresh the current list of rules, Refresh. The list of rules returns to it’s
original state. For example, if you deleted a
rule without clicking Apply, the rule is added
back to the list.
move a rule down on the list,

.
move a rule up on the list,

.
7-8
Use the scroll bar to view more information about the rules.
Note: If no rule is selected, only the Add button is available.

Hold down the Ctrl or the Shift key to select multiple rules. Groups of rules
selected in this way can only be moved or deleted. Use the Edit button to edit
the first selected rule (at the top). The Insert button inserts a new rule before
the first rule of a particular group.
4 Click on a group name to view the list of rules included in the group. The following two groups
are predefined and they cannot be removed:
• All rules (“parent group”) — includes all packet filter rules.
• Default — includes all rules which have not been added into another group.
Note: Groups of rules cannot be created nor removed explicitly. New groups
can be created by entering a new group name during a rule definition. Groups
are removed automatically when the last rule is removed.
Inside Packet Filter Rules

It is important to understand how individual parts of a rule and their items are related in order for
you to correctly define the rules.
• As a whole, the rule is applied only to the network traffic that meets all of the conditions for the
Protocol, Local and Remote settings.
• Inside the rule, the parameters and settings for protocols, IP addresses and ports they are
applied individually. For example, the Local section lists two port ranges, 80-88 and 8000-
8080. The rule is applied when a remote port contains one of these ranges.
• As far as the items listed in the Remote section, they have to meet the exact criteria.
For example, the Remote entry is specified by the IP address 65.131.55.1 and port 80. This
condition is met by traffic that includes a remote computer with the IP address 65.131.55.1
using port 80.
Ensuring Proper Functionality
The Protocol, Local and Remote settings are closely related. Follow the suggestions below to
ensure the rule functions properly:
• The port definition is helpful only for TCP and UDP protocols (ports are ignored by other
protocols). If the rule is available for any protocol (the Protocol is not specified); then, the port
numbers are not applicable since they are used only for traffic through TCP or UDP protocols.
• The application service is specified by port numbers and by protocols. In the packet filter rule
dialog box, a service is represented by port only — the protocol must be entered manually.
For example, to create a rule for incoming HTTP connections (i.e. to enable access to a Web
server on a computer that is protected by Sunbelt Kerio Personal Firewall), you must add a
port in the Local section and select the HTTP service — this automatically sets the port value
to 80. Next, go to the Protocol section to set the TCP protocol that is used by the HTTP
service.
• The most common type of network traffic is the client to server communication. The server
listens on a predefined port for an incoming connection. A client starts the connection by
demanding a local port from the operating system that will be used for the connection. Unlike
the server port, any port can be used temporarily for a client.
Example 1: To enable access to a Web server on a local computer with IP address
60.80.100.120, define the rule as follows:
• Protocol — [6] TCP (HTTP service uses the TCP protocol)
7-9
• Local — Port: [80] HTTP (Web server runs on a local computer)

• Remote — Address: 60.80.100.120. A client represented by a Web browser runs at a
remote host. The port is unknown, that is why only the IP address is specified.
Example 2: To block connections to the Web server with IP address 90.80.70.60, define the
rule as follows:
• Protocol — [6] TCP
• Local — This entry is left empty because the client port cannot be specified.
• Remote — Port: [80] HTTP, Address: 90.80.70.60
Adding a Filter Rule
Several steps are required to add a filter rule. Make sure you have the correct protocol, port, and
IP address information before creating the rule.
To add a rule
3 Click Edit. The Filter rule dialog box opens.
Figure 7-8 Filter Rule Dialog Box - Add a Rule
7-10
4 Make a selection regarding the description, application and groups:
Figure 7-9 Add Rule - Description, Application, Group
To... ...select...
add a description or name for the new the Description field; then type the
rule, description or name. We recommend typing
a brief rule description (purpose, application
name, etc.). This description is for reference
only. The name of the local application is
inserted for rule that are automatically
generated.
add the location of the application to the location from the Application drop-list,
which the rule is applied, or click Browse, then select the application
from the Application selection dialog box.
You can also type the location manually. if
you leave this field blank, a general rule will
be created and applied to all applications.
assign the new rule to a group, the group from the Group drop-list.
log communications that meet the criteria the Log to network log check box.
for rule in the network log,
enable an alert dialog box when network the Show alert to user check box.
traffic meets the criteria for this rule,
7-11
5 Make a selection regarding protocol parameters:
Figure 7-10 Add Rule - Protocol Settings
To... ...click/select...
add parameters for a protocol to which the Add. The Filter rule - protocol dialog box
rule will be applied, opens. See To add filter rule protocol
parameters, page 7-15.
edit parameters for a protocol to which the Edit. The Filter rule - protocol dialog box
rule will be applied, opens.
delete protocol parameters, Remove. The parameters are deleted from

the list.
6 Make a selection regarding local port settings:
Figure 7-11 Add Rule - Local Settings
add a single port or port range, Add. Select Add port or Add port range from
the drop-list. The Filter rule - port dialog
box opens. See To add local port settings,
page 7-17.
edit a single port or port range, a port or port range; then click Edit. The
Filter rule - port dialog box opens.
delete a single port or port range, a port or port range; then, click Remove.
7-12
7 Make a selection regarding remote settings:
Figure 7-12 Add Rule - Remote Settings
add a remote port, IP address, or IP Add; then make a selection from the drop-
group, list:
• Add port
• Add port range
• Add address
• Add address range
• Add address / mask
• Add IP group
The Filter rule - port dialog box opens.
edit a remote port, IP address, or IP a item from the list, click Edit; then make a
group, selection from the drop-list:
• Add port
• Add port range
• Add address
• Add IP group
remove a remote port, IP address, or IP a item from the list; then, click Remove.
group,
7-13
8 Make a selection regarding the direction of the communication and an action to take when a
network communication meets the rule:
Figure 7-13 - Network Communication Direction and Actions
To... ...select...
apply the rule to incoming and outgoing Both under the Direction section. This is
network connections, the default selection.
apply the rule only to incoming network Incoming under the Direction section.
connections,
apply the rule only to outgoing network Outgoing under the Direction section.
connections,
permit a network communication that Permit under the Action section. This is the
meets the rule, default selection.
deny a network communication that Deny under the Action section.

meets the rule,
9 Click OK to add the new rule.
7-14
Protocol Parameters
Use the following procedure to set protocol parameters for the rule. Typically, a single protocol is
used for traffic (i.e. TCP or UDP), however, some applications use multiple protocols concurrently
(i.e. TCP and UDP using the same ports). If the Protocol is left empty, the rule is applied to any
protocol. If an application uses TCP and UDP protocols at various ports, two different packet filter
rules must be defined.
To add filter rule - protocol parameters
3 Click Add. The Filter rule dialog box opens.
4 Click Add under the Protocol section. The Filter rule - protocol dialog box opens.
Figure 7-14 Add Rule - Protocol Filter
5 Select the type of protocol from the Name drop list. The number (specifying the protocol in the
IP packet header) automatically populates the Number field, and a description for the rule
populates the Description field. See the Glossary, page 13-1, for complete definitions.
• TCP – Transmission Control Protocol
• UDP – User Diagram Protocol
• ICMP– Internet Control Message Protocol
• IGMP – Internet Group Management Protocol
If you select the ICMP protocol, the Types field appears below the Description field.
Figure 7-15 Add Rule - Protocol Filter - Types Field
7-15
To use more than the general ICMP protocol, click Select to open the Filter Rule - protocol
[ICMP types] dialog box.
Figure 7-16 Add Rule - Protocol Filter - ICMP Types
Select the check box(es) next to the protocol types; then click OK. You return to the Filter rule
- protocol dialog box. The numbers relating to the protocols, are listed in the Types field. If
more than one protocol is selected, the numbers are separated by commas.
6 Click OK to add the Protocol.
7-16
To add local port settings

4 Click Add under the Local section; then select Add port or Add port range from the drop list.
To add remote port, IP address, or IP group settings

4 Click Add under the Remote section; then make a selection from the drop-list:
• Add port
• Add port range
• Add address
• Add IP group
5 Type the required information; then click OK.
To edit a rule
3 Click Edit. The Filter rule dialog box opens.
4 Edit the necessary parameters; then click OK.
7-17
IP Groups
IP groups enable packet filter rules to be easily defined. Use the groups to specify the Remote
entry in the dialog for packet filter rule definition. IP groups can be viewed and defined in the IP
Group tab of the Advanced Packet Filter dialog box.
Figure 7-17 Packet filter — IP address groups
The tab contains two columns:

• Group name – name of an IP group. Use the “+” to expand a list of items included in a
particular group.
• Definition – definitions of individual items of a particular group
Clear an item to temporarily disable a rule. This can be helpful for situations such as testing or
debugging. It is not necessary to remove items, then define them again.
Click Add or Edit to open a dialog box to add or modify an IP group.
Figure 7-18 Packet filter — Addition of IP address group
Is enabled
Select or clear this option to enable or disable the item. This option is identical to the matching field
next to the item name in the IP Groups tab. If the Is enabled is cleared, the item is not active. This
means that it is not included in the group.
7-18
Group name
Name of the group to which the item will be included. Specify the item using one of the following
methods:
• select a name from the menu — the item will be added to this group
• enter a new group name — this group will be created automatically and the item will be added
to the new group
Type
Type of the new item:
• Host — IP address of one computer
• Address range — define the First and Last address to specify IP range
• Address / mask — subnet defined by an IP address and mask
• Address group — another IP address group (IP addresses can be embedded into each other)
7-19
Predefined Sunbelt Kerio Personal Firewall contains several predefined rules. These rules are independent
from individual applications; they are applied globally. Decide whether individual predefined rules
Rules will be used or not.
To manage predefined network security
1 Click Network Security; then the Predefined tab to view a list of the predefined rules for
network traffic.
Figure 7-19 Network Security - Predefined rules
Predefined rules cannot be added or removed. However you can set actions relating to
Trusted areas and the Internet for each rule.
2 To switch between permit and deny, click on the action (under Trusted or Internet) for the rule.
Note: The Ask action is not available for predefined rules.
3 To enable or disable (respectively) predefined rules for network communication, select or clear
the Enable predefined network security option. If this option is not selected, predefined rules
are ignored and Sunbelt Kerio Personal Firewall only uses application and advanced packet
filter rules.
4 To restore actions for predefined rules to default values, click Set to defaults.
Predefined Rules
Brief descriptions for the predefined network security rules are listed below.
Internet Group Management Protocol
The IGMP used to subscribe groups of multicast users. This protocol is disabled by default
because can be misused easily. Do not to enable this protocol unless you run applications that use
multicast technologies (typically for transmitting audio or video data through the Internet).
Ping and Tracert in, Ping and Tracert out
Programs Ping and Tracert (Traceroute) trace routes in a network to detect response of a remote
computer. This is achieved through ICMP (Internet Control Message Protocol) messages.
First, a possible attacker tests if an elected IP address responds to control messages. Blocking
these messages makes your computer invisible and reduces the chances of possible intrusions.
All incoming Ping and Tracert messages (from the Internet) are blocked by default. However,
these messages are allowed from the trusted area (i.e. an administrator can test availability of a
7-20
computer by the Ping command). Outgoing Ping and Tracert messages are permitted for both
areas. These methods are usually used to verify network connection functionality or availability of
a remote computer.
Other ICMP packets
Rules for other ICMP messages (i.e. redirections, destination is not available, etc.)
Dynamic Host Configuration Protocol
DHCP is used for automatic definition of TCP/IP parameters (IP address, network mask, default
gateway, etc.).
Warning: DHCP denial might cause that network connection of your computer will
not work if TCP/IP parameters are defined through this protocol.
Domain Name System

DNS is used to translate computer names to IP addresses. At least one connection to a DNS
server must be permitted.
Virtual Private Network
Virtual private network (VPN) is a secure connection between two local networks (or between a
remote client and a local network) via the Internet using an encrypted channel. VPNs allow
individuals and organizations to use the Internet as a secure means of communication. The VPN
rule allows or denies a link to the local computer through the PPTP protocol.
Broadcasts
Rules for packets with general addresses. In the Internet, this rule is also applied on packets with
multicast addresses.
7-21
Trusted Area Sunbelt Kerio Personal Firewall application rules uses two types of IP groups: trusted area and the
Internet. Separate actions for incoming and outgoing traffic can be defined for each area. Trusted
area is a user-defined IP group. Addresses that are not defined as trusted are automatically added
to Internet zone.
Click Network Security; then, the Trusted area tab to define a trusted area.
Figure 7-20 Network security / Trusted area section — Trusted area definition
Trusted areas can include any number of IP addresses, IP address ranges, subnets or networks
connected to a particular interface. It is possible to specify an interface on which particular IP
addresses are permitted for each item (protection from false IP addresses).
The Trusted area includes the predefined Loopback item. This item cannot be removed. It is a
local loopback address and it is always considered trusted.
To add/edit a trusted area
1 Click Add or Edit. The Zone definition dialog box opens.
Figure 7-21Trustworthy zone definition
2 Type a description for the area in the Description field. This field is for reference only. It is
recommended to provide description of the IP range, network, etc.
3 Select an adapter (interface) for which the IP addresses are used. This function protects users
from false IP addresses — whenever a packet with a trusted address is received from an
adapter that is not connected into the particular network, the packet is not trusted.
Select Any if you do not want Sunbelt Kerio Personal Firewall to check adapters from which
packets with a particular IP address were sent.
7-22
4 Select the type of item the address represents for the Address type drop-list.
• Computer — a particular IP address of a computer (or a network device)
• IP address / mask — subnet defined by IP address and mask of the network
• IP address / range — IP range defined by first and last IP address
• All addresses — any IP address
Advanced Use the Advanced tab to set more advanced network security parameters.
settings
Figure 7-22 Network Security / Advanced section
Boot time protection

Select or clear the Block all incoming connection attempts... option to enable/disable the computer
during the time of booting. This option is enabled by the default. Disabling it is useful for testing
and trouble-shooting (e.eg. to solve problems with remote administration of the host protected by
Sunbelt Kerio Personal Firewall). For security reasons, it is recommended that you do not disable
this option unless necessary.
Enable gateway mode
This option switches the firewall to a special mode – protection of the Internet gateway (the firewall
will run on router or NAT router).
If this option is selected, Sunbelt Kerio Personal Firewall allows packets with destination ports from
which no local application is running, or packets with destination IP addresses that are not local!
Use Advanced logging to log detected packets that include destination ports not belonging to any
process in the local operating system. These packets are dropped automatically, however, they
might point at an intrusion attempt (port scanning).
Note: The gateway mode and the advanced logging cannot be combined. In the
gateway mode, these packets are automatically let in (they are addressed to other
hosts).
7-23
Boot time Sunbelt Kerio Personal Firewall's network traffic low-level driver protects computers even when
the firewall is not running. This type of protection provides security for your computer at startup,
Protection during product updates, or when the Personal Firewall Engine service is not launched for any
reason.
This function is enabled by default. It can be disabled or enabled in the firewall's GUI whenever
necessary.
If Boot time protection is enabled, Sunbelt Kerio Personal Firewall's network traffic low-level driver
behaves as follows:
• Only outgoing traffic is allowed and all incoming traffic is blocked upon startup. This implies
that the server is always protected, however, its services are not available in this mode.
• If the Personal Firewall Engine does not start within in 5 minutes of the operating system
startup, the driver is switched to the mode when it allows any traffic. This behavior ensures
that communication with the server is not blocked in case the Personal Firewall Engine cannot
be started for any reason.
• After the Personal Firewall Engine starts, the firewall permits and denies traffic in accordance
with the defined network security rules.
• When the operating system is shut down (or being restarted), the firewall's driver blocks any
incoming or outgoing traffic. This behavior ensures that the server is protected even when the
Personal Firewall Engine service has stopped, but the network subsystem is not active.
• When the Sunbelt Kerio Personal Firewall service is stopped, the driver is switched to the
mode where it permits all network traffic.
7-24
Detecting If the Advanced mode of the firewall is selected as default during the installation, the Sunbelt Kerio
Personal Firewall automatically detects active network interfaces of the computer on which it is
New Network installed. After each new interface is detected, you are asked whether the interface is connected to
Interfaces a trustworthy network.
Figure 7-23 Detection of new network interfaces
The name in the Name field is name of a corresponding network adapter. Below it is the IP
address of this adapter and the mask of the network to which it is connected. Name of the
interface can be edited (it is recommended that you provide a short and apt description, e.g.
Network card, Internet line, etc.). ID of the adapter detected at the corresponding controller is used
as the name by default.
if you click Yes, it is, the subnet to which the interface is connected adds the IP address to the
group of trustworthy IP addresses (Trusted area). If you click No, it isn't, it is considered as a part
of the Internet.
• Anytime, group of trustworthy IP addresses can be edited. Whenever any other interface is
added or enabled or an interface is connected to a new subnet, Sunbelt Kerio Personal
Firewall detects it and the New network interface dialog is opened.
• As to dial-ups, the telephone number which is being dialed is displayed. User can enable or
disable this connection.
• Sunbelt Kerio Personal Firewall finds out whether the telephone number has been changed
since the dial-up was dialed the last time (this protects users from undesirable change of dial-
up configuration).
7-25
Checking Sunbelt Kerio Personal Firewall can detect and block changes to dialed telephone numbers. This
protects users from their dial-ups being redirected to high-price services. Connections can be
Dialed redirected without informing the user (for example by an ActiveX object on a Web page). If a
Telephone change is detected, Sunbelt Kerio Personal Firewall asks user to accept or reject the change. If
Numbers the change is rejected, the line is hung-up immediately.
How it works
As soon as an unknown connection is attempted, an alert asks the user whether or not the
interface is connected to a trustworthy network (as in case of a new network adapter. The dial-up
is considered as an interface in the Network security section.
Figure 7-24 Detection of new dial-up number
If you click Yes, a dialog box opens. Set the interface parameters relating to the dial-up number.
Figure 7-25 Checking of dialing telephone numbers settings
7-26
The following options are available for the Dialup number item:
• Ask — whenever a number is dialed, Sunbelt Kerio Personal Firewall asks you to accept or
reject this number. If accepted, the firewall remembers the number. Otherwise, the line is
hung-up immediately. If the new number is accepted, the Always use this number alternative is
selected automatically and the number is saved.
• Always use this number — this option tell the firewall that the dial-up number is not to be
changed. Whenever a change is detected, the New dial-up number dialog box opens and the
user is asked to accept or reject the change.
Figure 7-26 Dial-up number changed
The Dial-up number item provides the new telephone number (the number that is currently set
for the dial-up connection).
Click Yes, continue so that Sunbelt Kerio Personal Firewall accepts the number, or No, to hang
up to reject the change.
• Do not monitor number change — the firewall ignores changes to the dial-up number and
always permits the line to be dialed. This option can be used in cases such as testing.
Warning: This option is not secure (the firewall does not detect possible
changes of the dial-up number) and it is not recommended to use it for the
default dial-up connection!
7-27
Internal Firewall Rules
Sunbelt Kerio Personal Firewall includes predefined rules that allow network communication for
specific cases (i.e. license registration, product update, etc.). These rules also allow some
applications (system components) to startup. Internal firewall rules are applied prior to user-
defined rules. Internal rules cannot be disabled nor modified. This chapter covers the following
topics:
Section Page
Internal Network Traffic Rules 8-2
System Security Rules 8-4
AVG Component Rules 8-6
8-1
Internal Internal network traffic rules enable network traffic between individual firewall components during
local or remote administration, Sunbelt Software registration, or check for new versions. Internal
Network network traffic rules are not displayed in Personal Firewall user interface.
Traffic Rules
Remote configuration
This rule allows a remote Personal Firewall GUI to connect to the Personal Firewall Engine. If
remote administration is enabled, connections from any host are permitted. If not, only a
connection from local host is enabled.
Condition Application Direction Protocol Rem. port Rem. address
Rem. adm. enabled kpf4ss.exe incoming TCP+UDP 44334 any
Rem. adm. disabled kpf4ss.exe incoming TCP+UDP 44334 localhost
Communication between the Personal Firewall GUI and the Engine

This rule allows the Personal Firewall GUI to connect to the Personal Firewall Engine (connection
to local administration).
Note: This rule allows only local connections (i.e. connections to the Personal
Firewall Engine installed on the same computer). In case of remote
administration, the Personal Firewall GUI is considered as a standard network
application and network traffic policy is applied.
Unconditional kpf4gui.exe outgoing TCP+UDP 44334 any
Communication from the Personal Firewall Engine to the GUI

This rule allows the Personal Firewall Engine to connect to the Personal Firewall GUI (displaying
dialogs, notices, warning messages, etc.).
Rem. adm. enabled kpf4ss.exe outgoing TCP+UDP any any
Rem. adm. disabled kpf4ss.exe outgoing TCP+UDP any localhost
DNS Queries
This rule allows Sunbelt Kerio Personal Firewall components to send DNS queries to any DNS
server. DNS queries are used to map host names that will be displayed in the Personal Firewall
GUI, resolve destination IP addresses when accessing a remote administration, etc.
Unconditional kpf4ss.exe both UDP 53 any
Unconditional kpf4gui.exe both UDP 53 any
8-2
Sending Crashdump Files

If sending crashdump files is enabled, this rule allows the files to be sent to a corresponding
server.
Sending assist.exe outgoing TCP any crashes.sunbelt.com

allowed
Logging of blocked pop-up and pop-under windows

If pop-up blocking is enabled, a special script, used for corresponding web pages, transmits
Personal Firewall Engine information about blocked pages. Traffic is allowed through a TCP
protocol, port (44501).
Unconditional any outgoing TCP 44501 localhost
Update checker
This rule allows access to servers where new versions of Sunbelt Kerio Personal Firewall can be
downloaded.
Note: The server is not specified since various servers can be used for this
purpose.
Rem.
Condition Application Direction Protocol Rem. port
address
Proxy server kpf4ss.exe outgoing TCP proxy_port* proxy_ip*
Direct access kpf4ss.exe outgoing TCP any any
The Personal Firewall automatically resolves the connection between the IP address and the port
proxy server.
Product registration
This rule allows Sunbelt Kerio Personal Firewall license registration on a corresponding server.
Proxy kpf4ss.exe outgoing TCP prx_port* prx_ip*

server
Direct kpf4ss.exe outgoing TCP 443 secure.sunbelt.com

access
The Personal Firewall automatically resolves the connection between the IP address and the port
proxy server.
8-3
Syslog
If logging to the Syslog server is enabled, this rule allows the Personal Firewall Engine to connect
to the Syslog server.
Syslog enabled kpf4ss.exe outgoing UDP sslg_port* sslg_ip*
IP address and port of the Syslog server specified in the Syslog section of the Settings tab.
System The rules listed below allow various components of the operating system to startup. Internal
system security rules are listed in this section. These rules cannot be removed, however, users
Security
can set actions for them (logging, notices, etc.).
Rules
Some of these internal rules are applied only in certain versions of Windows operating systems
(some system components differ in individual versions).
Rules for Operating System components
The following symbols are used in the description of system component rules to define file path:
• WIN_DIR — the main directory of the Windows operating system (typically, C:\WINNT for
Windows NT/2000, C:\WISK33lzNDOWS for other versions)
• SYS_DIR — system directory of Windows (typically, C:\WINDOWS\SYSTEM for Windows 98/
Me, C:\WINNT\SYSTEM32 for Windows NT/2000, and C:\WINDOWS\SYSTEM32 for
Windows XP)
Rules which are common to all versions of Windows
Application Description Start Modify Launch another
WIN_DIR\explorer.exe Windows Explorer Permit Ask Permit
Special rules for Windows 98/ME operating systems
SYS_DIR\systray.exe System Tray Permit Ask Permit
Special rules for Windows NT/2000/XP operating systems
SYS_DIR\services.exe Services app. Permit Ask Permit
SYS_DIR\winlogon.exe Logon app. Permit Ask Permit
Special rules for Windows 2000/XP operating systems
SYS_DIR\svchost.exe Generic Host Proc. Permit Ask Permit
8-4
Special rules for Windows XP operating system
SYS_DIR\logonui.exe Logon UI Permit Ask Permit
SYS_DIR\csrss.exe Client Server Permit Ask Permit
SYS_DIR\smss.exe Client Server Permit Ask Permit
SYS_DIR\svchost.exe Generic Host Permit Ask Permit

Proc.
Rules for Sunbelt Kerio Personal Firewall components

These rules enable individual Sunbelt Kerio Personal Firewall applications to run using special
auxiliary programs. The following rules are common to all supported versions of Windows.
The KPF_DIR expression represents a directory (path) where the Sunbelt Kerio Personal Firewall
is installed (typically, C:\Program Files\Sunbelt\Personal Firewall 4).
KPF_DIR\kpf4gui.exe* KPF GUI Permit Permit + log Permit
KPF_DIR\kpf4ss.exe* KPF Service Permit Permit + log Permit
KPF_DIR\assist.exe* Core dumper Permit Permit + log Permit
KPF_DIR\cfgconv.exe* Conf. conv. Permit Permit + log Permit
8-5
AVG If the AVG antivirus is detected when the Sunbelt Kerio Personal Firewall is started first time
(immediately after the installation or after the kpf.cfg configuration file is removed), the following
Component rules that allow network traffic for the antivirus components are automatically added to the Network
Rules security/ Applications section.
Figure 8-1 Network Security — Rules for AVG components
• The first rule allows the AVG E-mail Scanner component to communicate with mail servers. All
data between the mail client and servers passes through E-mail Scanner.
• The second rule enables automatic updates of the AVG and virus database at corresponding
servers.
User can change the rules for the AVG. If these rules are removed, Sunbelt Kerio Personal Firewall
treats the AVG communication as an unknown communication.
Warning: If you really use AVG, we recommend you not to remove these rules.
The removal might block automatic update (the antivirus would not be able to
detect new viruses), or problems with email might arise.
8-6
Intrusion Detection
Sunbelt Kerio Firewall uses three systems to prevent network intrusions and malware installation,
as well as behavior monitoring. This chapter covers the following topics:
Section Page
Intrusions 9-2
Network Intrusion Prevention System 9-3
Host Intrusion and Prevention System 9-5
Application Behavior Blocking 9-9
9-1
Intrusions Use the three systems in the Intrusions section protect your computer against harmful intrusions:
• Network intrusion prevention system (NIPS) — this system recognizes and blocks various
types of network intrusions by blocking network connections that might be used to transfer
dangerous data.
• Host intrusion detection and prevention system (HIPS) — this system recognizes and
blocks malware used by intruders or viruses to run malicious codes.
• Behavior Blocking — this system monitors application behavior, such as an application being
started by another process or modified application.
Figure 9-1 Intrusions - Main
9-2
Network Sunbelt Kerio Personal Firewall detects and blocks many types of network intrusions. It uses an
internal intrusion database that is automatically updated each time a new version of the firewall is
Intrusion installed or updated. This is one reason you should update Sunbelt Kerio Personal Firewall after
Prevention receiving an alert that an update is available.
System The Sunbelt Kerio Personal Firewall uses the Network Intrusion Detection and Prevention System
(NIPS) (NIPS) to scan network traffic and block attacks based on a database of known attack signatures.
Note: NIPS rules are stored in the config\IDSRules subdirectory of the installation
directory (C:\Program Files\Sunbelt\Personal Firewall 4\config\IDSRules by
default).
NIPS Parameters
NIPS parameters enable you to set specific actions for high, medium, and low priority intrusions,
as well as whether or not the intrusions will be recorded in the NIPS log.
To enable NIPS and set NIPS parameters
1 Click Intrusions. The Main tab opens. See Figure 9-1 Intrusions on page 9-2.
2 Select the Enable Network Intrusion Prevention System (NIPS) check box.
3 Click Advanced. The Intrusion Prevention System Settings dialog box opens.
Figure 9-2 Intrusions — NIPS Settings
9-3
4 Make a selection:
To... ...select...
set an action for critical intrusions that Permit or Deny from the Action drop-list
could seriously damage your computer, under High Priority Intrusions. We
recommend setting the action to Deny.
set an action for medium intrusions like Permit or Deny from the Action drop-list
blocked services or connections, under Medium Priority Intrusions. We
recommend setting the action to Deny
set an action for low-level intrusions like Permit or Deny from the Action drop-list
errors, invalid formats, etc., under Low Priority Intrusions. We
recommend setting the action to permit. You
do not want to block necessary services.
record high, medium, and low priorities to the Log to NIPS log check box under the
the NIPS log, High, Medium, and Low priority Intrusion
sections.
record the results of port scans to the the Log to NIPS log check box under the
NIPS log, Port scan section. Port Scans are attacks
that detect open ports on a particular
computer. Attack to open ports cannot be
blocked, they can only be detected. Closed
ports are blocked automatically.
5 Click Details.... The IPS details dialog box opens. It lists the possible intrusions. Click Close
to return to the Intrusion Prevention System Settings dialog box.
Figure 9-3 Intrusions - Details
The IPS Details dialog box lists describes the type of attack and where you can find more
information.
6 Click OK to save the parameters and return to the Main tab.
9-4
Host Host Intrusion Prevention System (HIPS) targets applications or viruses trying to harm your
computer. Disabling harmful applications helps protect you from security leaks in applications
Intrusion and running on the server.
Prevention
Buffer Overflow
System
A buffer is an area on your computer reserved for temporarily storing information while it is waiting
(HIPS) to be transferred between locations (either on your computer or between your computer and
another device).
Buffer Overflow
Buffer overflow is when a process attempts to store more data in a buffer than there is memory
allocated for it. The extra data overwrites adjacent memory locations. Buffer overflows can cause
processes to crash or produce incorrect results. They can be triggered by applications or viruses
designed to execute malicious code or to make the program operate in an unintended way.
Code Injection
Code injection is a technique used to insert malicious code into a running computer process. This
can be done either locally or remotely through the web. Locally means that an application writes
malicious code into another application's address space; when run, it appears as if the host
application is responsible. The malicious code is executed using a trustworthy process.
HIPS configuration
HIPS parameters enable you to limit and control the size of buffers and prevent code injection.
To enable HIPS and set HIPS parameters
2 Select the Enable Host Intrusion Prevention System (HIPS) check box.
3 Click Advanced. The Host Intrusion Prevention System - Advanced Settings dialog box
opens.
Figure 9-4 Intrusions – Host Intrusion Prevention System - Advanced Settings
9-5
4 Make a selection under Buffer overflow:
To... ...select the...
a disable codes from executing in case of Block buffer overflow code execution
buffer overflow, check box.
log code executions attempted during Log attempts to HIPS log check box.
buffer overflow to the HIPS log,
disable alert windows that would notify Don’t show any alerts for this event type
you if a code attempts to execute during check box.
buffer overflow,
5 To specify an executable to which a buffer overflow alert will not apply, click Exceptions....
The Buffer Overflow Exceptions dialog box opens. See to add an exception to buffer
overflow parameters, page 9-7.
6 Make a selection under Code injection:
block malicious code form being injected Block executable code injection check
into running processes, box.
log code injection attempts to the HIPS Log attempts to HIPS log check box.
log,
disable alert windows that would notify Don’t show any alerts for this event type
you if a code attempts inject itself into a check box.
running process,
7 To specify an executable to which a code injection alert will not apply, click Exceptions.... The
Code Injection Exceptions dialog box opens. See to add an exception to code injection
Code injection technology is used by various legitimate applications — these applications will
not function correctly. Sunbelt Kerio Personal Firewall allows to define exceptions, i.e. list of
applications which can use this technology. Exception for an application can be defined in the
Code injection exceptions dialog (opened by the Exceptions option) where a relevant
executable file can be browsed.
8 Click OK to save the parameters and return to the Main tab.
9-6
To add an exception to buffer overflow parameters

1 Open the Host Intrusion Prevention System - Advanced Settings dialog box; then click
Exceptions... under the Buffer overflow section. The Buffer Overflow Exceptions dialog box
opens.
Figure 9-5 Intrusions - Buffer Overflow Exceptions
2 Make a selection:
To... ...click...
edit an existing item, Edit... after selecting an item from the list.
The Edit Buffer Overflow Exception dialog
box opens. Click Browse... to search for
then select an item; then click OK.
remove an existing item, Remove. The item is removed from the list.
add a new item, Add.... The Edit Buffer Overflow

Exception dialog box opens. Click
Browse... to search for then select an item;
then click OK.
3 Click OK. You return to the Host Intrusion Prevention System - Advanced Settings dialog
box.
9-7
To add an exception to code injection parameters

1 Open the Host Intrusion Prevention System - Advanced Settings dialog box; then click
Exceptions... under the Code injection section. The Code Injection Exceptions dialog box
opens.
Figure 9-6 Intrusions - Code Injection Exceptions
2 Make a selection:
To... ...click...
edit an existing item, Edit... after selecting an item from the list.
The Edit Code Injection Exception dialog
box opens. Click Browse... to search for
then select an item; then click OK.
remove an existing item, Remove. The item is removed from the list.
add a new item, Add.... The Edit Code Injection Exception

dialog box opens. Click Browse... to search
for then select an item; then click OK.
3 Click OK. You return to the Host Intrusion Prevention System - Advanced Settings dialog
box.
9-8
Application Sunbelt Kerio Personal Firewall controls all applications used in the operating system, regardless
of whether or not they use network communication. This control enables it to immediately detect
Behavior when an application is infected by a new virus or attacked by malware. This differs from anti-virus
Blocking (AV) software in that AV software usually takes some time to detect a virus; then, it must find an
appropriate virus database.
Application behavior Blocking Configuration
Use Application Behavior Blocking to set behavior blocking parameters that enable you to control
applications on your computer.
To enable application behavior blocking an set blocking parameters
2 Select the Enable Application Behavior Blocking check box.
3 Click Advanced. The Application Behavior Blocking dialog box opens.
Figure 9-1 Behavior Blocking - Settings Tab
Rules in the Main tab define how the firewall will behave in the following situations:
• When application is about to start – the action is taken at the time the application launches.
• When application has been modified – the action is taken at the time an application’s
executable file is modified. Each time an application is started and exited, Sunbelt Kerio
Personal Firewall creates a snap shot of the application parameters. The next time it starts
the application, it creates a new snap shot and compares it to the previous one.
• When application is about to launch another application – the action is taken when another
application is started by a application that is already running.
One of the following options can be set for each of the situations
• automatically permit the action — Sunbelt Kerio Personal Firewall does not block application
startup (it accepts change of the executable file)
• use existing behavior blocking rules or ask me — a behavior blocking rule for a particular
application will be used (if it exists) or user will be asked
9-9
4 Click the Applications tab to view and edit rules for startup and change of particular
applications.
Figure 9-2 Behavior Blocking - Application Tab
These rules are created when your respond to alerts. After permitting or denying a
communication alert, a rule for that application is added to this list. You cannot create rules on
this tab, only edit or remove them.
5 Make a selection:
To... ...select...
edit an application rule, a rule from the list; then, click Edit. The
Behavior Block for [name of app] dialog
box opens. See procedure below.
remove an application from the list, a rule from the lit; then, click Remove.
To edit an application rule

1 Select an application from the list.
2 Click Edit. The Behavior Block for [name of app] dialog box opens.
Figure 9-3 Intrusions - Behavior Blocking: Edit Application Rule
9-10
3 Make a selection:
To... ...select...
set the behavior of the application when it Permit, Ask user, or Deny from the When
starts, this application is starting drop-list.
set the behavior of the application if it Permit, Ask user, or Deny from the When
starts after being modified, starting modified application drop-list.
set the behavior for the application of it Permit, Ask user, or Deny from the When
starts another application, this application is launching another
drop-list.
record communications to the behavior the Log to Behavior log check box.
log,
make sure the user see an application the Show alert to user check box.
alert,
4 Click OK. You return to the Application Behavior Blocking dialog box.
If you want to make quick changes to the actions for an application, there are two other ways to
available to make those changes:
• Click an action under the Modifying or Launching others headings; then, toggle through the
permit, deny and ask options.
• Right-click an action; then, make a selection from the context menu
Figure 9-4 Behavior Blocking — application rules — action selection
9-11
Web Content Filtering
Use Web Content Flittering to block ads, set privacy parameters, and establish which web sites
meets exceptions to the blocking rules. This chapter covers the following topics:
Section Page
Ad Blocking, Privacy, and Site Exception 10-2

parameters.
Site Exceptions 10-5
10-1
Ad Blocking, Use the Ad Blocking tab to set the parameters need to filter advertisements, pop-ups, and web
content.
Privacy and
Site To configure ad blocking, privacy, and site exception parameters
Exception 1 Click Web. The Ad Blocking tab is already selected.
Parameters
Figure 10-1 Web - Ad blocking
2 Select the Enable web filtering check box.

3 Make a selection:
enable web filtering Enable web filtering check box.
block advertisements according to defined Block advertisements check box under

rules, the Advertisements section; then, click
Set....See To block ads by URL, page 10-4.
block pop-ups and pop-under windows, Block pop-up and pop-under windows
check box under the Popups section. A
pop-under window is one that opens under
the active browser window.
temporarily override the pop-up and pop- Temporarily override by pressing down
under blocking using the Ctrl or F12 key, the [key name] Key check box under the
Popups section. Select the Ctrl or F12 from
the drop-list.
block JavaScripts, Block JavaScripts check box under the

Web content section.
block visual basic scrips, Block VBScripts check box under the Web
content section.
block ActiveX, Block ActiveX check box under the Web

content section.
10-2
Warning: The F12 key may cause a conflict with the Microsoft debugger. If
you use the Microsoft Visual Studio, we recommend using the Ctrl key.
Note: The java and VB script options might cause problems displaying of
some pages. If so, define special rules for such page in the Exception Sites
tab, or disable the Block pop-up and pop-under windows option, and use
another method to filter ads (i.e. the Block advertisements option).
4 Click the Privacy tab.

5 Make a selection:
filter cookies from third-party servers, Filter foreign cookies check box under
Cookies.
filter cookies that send information each Filter persistent cookies check box under
time a web site is visited, Cookies.
temporary cookies that are only used Filter session cookies check box under
when a user opens a particular page, Cookies.
block the URL address of the page from Deny servers to trace web-browsing
which the user opened the current page check box under Referer.
so that your browsing habits cannot be
easily monitored,
block your private information form being Block private information check box under
sent through forms on web pages, Private Information; then, click Set.... The
Blocked private information dialog box
opens.
6 Click the Site exceptions tab.

7 To add a web server for which special filter rules will be defined, click Add.... See To add a
site exception, page 10-5.
8 Make a selection:
To... ...select...
edit a web server for which special filter a web server from the list; then, click Edit.
rules will be defined,
remove a web server, a web server from the list; then, click
Remove.
9 Click OK to save the information and close the Sunbelt Kerio Personal Firewall window, or
click Apply to save the information and keep the window open.
10-3
To block ads by URL

1 Click Web; then, Set... on the Ad Blocking tab. The Advertisement blocking by URL dialog
box opens.
Figure 10-2 Web - Advertisement Blocking by URL
2 To add a server to the list, click Add.... See To add a web server to the advertisement blocking
list, below.
3 Make a selection:
To... ...select...
edit a web server, a web server from the list; then, click Edit.
remove a web server, a web server from the list; then, click
Remove.
4 Click OK. You return the Ad Blocking tab.

To add a web server to the advertisement blocking list
1 Click Web; then Set on the Ad Blocking tab. The Advertisement blocking by URL dialog
box opens.
2 Click Add.... The Advertisement filter editing dialog box opens.
3 Type the name of the web server in the WWW server field.
4 If you want to block a path to a specific object on the server, type the path in the Path on
server field.
5 Click OK.
10-4
Site Exceptions for individual Web servers are helpful especially when the general content filter rules
cause certain Web pages or some of their items to not function properly (i.e. new windows cannot
Exceptions be opened, it is not possible to login through an email address, etc.). Sometimes they are
completely blocked.
Before you define a rule exception for a server, consider carefully whether the server is trustworthy
or not, and the types of objects (scripts, cookies, private data) that are required for smooth
functionality. The Exception tab includes one predefined rule. This rule allows automatic Microsoft
updates and allows updates from windowsupdate.microsoft.com.
To add a site exception
1 Click Web; then the Site exceptions tab.
2 Click Add.... The Edit exception site dialog box opens.
Figure 10-3 Web - Add/Edit Site Exception Rule
3 Type the URL of the server in the http:// field.

4 To add blocking and privacy information specific to this site instead of using the general
parameters set on the Ad Blocking and Privacy tabs in the main window, click the Blocking
and Privacy tabs; then set the parameters. See To add blocking privacy, and site exception
10-5
Logs & Alerts
Logs store the history of module: Network, System, Intrusions and Web. The other logs (Error,
Warning and Debug) store information about Sunbelt Kerio Personal Firewall processes. This
information can help the Sunbelt technical support team to solve possible problems with the
firewall. This chapter covers the following topics:
Section Page
Viewing Logs and Alerts 11-2
Context Menu 11-3
Log Options 11-4
Network Log 11-5
NIPS Log 11-6
HIPS Log 11-7
Behavior Log 11-8
Web Log 11-9
Debug, Error, and Warning Logs 11-10
11-1
Viewing Logs Log files are stored in the logs in a subdirectory where Sunbelt Kerio Personal Firewall is installed
(typically C:\Program Files\Sunbelt\Personal Firewall 4\logs). The file has the .log extension (i.e.
and Alerts network.log). An index file is included in each log. This file has the .idx extension (i.e.
network.log.idx).
To view module logs and set logging parameters
1 Click Logs & Alerts. The Logs tab opens.
Figure 11-1 Logs & Alerts - Logs Tab
2 Click a module tab at the bottom to view information specific to that module.
3 To re-order the log items in a particular list, click a column heading.
For technical reasons (data size), complete log files are not downloaded to the disc. Only the part
that will be viewed is downloaded. Therefore, the following difficulties may occur:
• Logs display slowly.
• When re-ordering the columns only the part of the log that is being viewed is displayed. The
items re-ordered again to view another part of the log.
Note: The Error, Warning and Debug logs are not available from the Sunbelt Kerio
Personal Firewall user interface. They can only be viewed only as files.
11-2
Context Set basic parameters for the Logs & Alerts section using the context menu.
Menu To set basic parameters using the context menu
1 Click Logs & Alerts. The Log tab opens.
2 Right-click inside the tab to open a context menu providing options for a particular log:
Figure 11-2 Logs & Alerts - The Log Context Menu
3 Make a selection:
To... ...select...
remove all data from the log file, Clear log.
determine how the application names are Displayed application name; then select one
listed, of the following from the sub-menu:
• Full path – full path to the application's
executable file
• File name – name of the application's
executable
• Description – description of the
application (if it is not available, name of
the executable without the extension is
displayed)
• Show icons – display the application or
system icon for an application.
list the computer by name instead of IP Resolve address. If a name is not found, the
address, IP address will be listed.
list the service name instead of port Resolve port.

numbers,
list the protocol names instead of the Resolve protocol.

protocol numbers,
Note: Some logs do not provide all of the items mentioned above, i.e. network
communication is not displayed for the System log. Therefore Resolve address,
Resolve port and Resolve protocol functions are not available.
The Displayed application name and Resolve address/port/protocol options are
applied globally. Their settings influences all logs, the Overview>Connections
section, Connection alert and Starting/Replacing application dialogs, and the Alert
window.
11-3
Log Options Use the Settings tab to set general log parameters and options.
Figure 11-3 Logs & Alerts - Settings
To set log and alert parameters

1 Click Logs & Alerts; then the Settings tab.
2 Type the maximum size (in kilobytes) for the log file in the Maximum log file size field. If the
size is exceeded, the file is removed and a new log is started.
3 To log files to the syslog server, select the Log to syslog check box; then do the following:
• Type the Syslog server IP address in the Syslog server field.
• Type the Syslog port number in the Syslog port field.
• Click Advanced... to open the Advanced syslog settings dialog box and select the items
that will be logged to the syslog.
Figure 11-4 Logs & Alerts Advanced Syslog Settings
4 Click OK to save the settings and close the Sunbelt Kerio Personal Firewall window, or click
Apply to save the settings and keep the window open.
11-4
Network Log The Network tab lists information on network traffic that meets an application or packet filter rule.
Traffic is not logged unless the Log communication to network log option is enabled. The Network
log provides the following information:
Figure 11-5 Logs & Alerts - Network log
• Line — line where the item can be found in the log.

• Count — number of time the item is recorded in the log. If one record is repeated in sequence,
it is logged once and the real count is expressed by a number).
• Date — date and time the event was logged.
• Description — description of a particular packet filter rule.
• Application — name of a local application participating in the particular network
communication.
Note: Both a description the applications and the full paths to their executable
files are saved into the log file. Therefore, you can switch between the two
items and select which one is displayed.
• Direction — direction of the connection

• Local point — local IP address (name of the computer)
• Remote point — IP address (name) of the remote computer
• Protocol — used communication protocol (TCP, UDP, etc.)
• Action — action which was taken:
• permitted — the communication was permitted
• denied — the communication was denied
• asked>permitted — user was asked through the Connection alert dialog and the
communication was permitted
• asked>denied — user was asked through the Connection alert dialog and the
communication was denied
11-5
NIPS Log The NIPS tab lists information about detected network intrusions. The NIPS log lists the following
information:
Figure 11-6 Logs & Alerts - NIPS log

• Date — date and time the event was logged
• Description — name (description) of detected intrusion
• Direction — direction of the intrusion (intrusions might be also initiated from local computers)
• Source of attack — IP address (or DNS name) of the remote host from which the attack came,
if identifiable (attacks can be sent from false IP addresses).
• Attack class — the class the attack belongs to
• Priority — priority group to which the attack is sorted by Sunbelt Kerio Personal Firewall
• Action — action performed by Sunbelt Kerio Personal Firewall when the attack was detected
(permitted — attack permitted, denied — attack denied)
11-6
HIPS Log The HIPS tab lists information about detected attacks to applications. Blocked attacks are
highlighted in red.
Figure 11-7 Logs & Alerts - HIPS log

• Action — actions taken by Sunbelt Kerio Personal Firewall in response to the attack (permitted
or denied)
• Attack class — name of the detected attack
11-7
Behavior Log The Behavior tab lists information about running applications that meet the corresponding rules in
Application Behavior Blocking in the Intrusions section. The Behavior log provides the following
information:
Figure 11-8 The Logs section — The Behavior log

• Operation — operation type:
• starting — the application is starting
• starting modified — executable file of the application has been changed
• launching other — the application is launching another application
• Application — application name (with respect to the Displayed application name parameter)
• Subject — this item represents name of an application started by the original application (with
respect to the Displayed application name parameter)
• Action — action which was taken:
• permitted — running the application has been permitted
• denied — running the application has been denied
• asked>permitted — user was asked through the Starting/Replacing application alert,
and starting the application was permitted
• asked>denied — user was asked through the Starting/Replacing/Launching other appli-
cation dialog and starting the application was denied
11-8
Web Log The Web tab lists information about objects blocked by the Web content filter. This log is not
configurable. The Web log provides the following information:
Figure 11-9 The Logs section — The Web log

• Method — method used by the HTTP protocol (GET or POST)
• URL — URL address of the page to which the method is applied
• Subject — type of blocked item (referer, cookie, blockPopups)
• Value — value of this item (content of the Referer: item, information in cookie or rule which
was used to block the ad)
• Action — type of action taken (Removed — the item was removed from the Web page,
Blocked — the item was blocked by ad rules)
Information provided within the Value item depends on the type of blocked object:
• Advertisement — the Value column lists information on the rule that was applied
• the Referer item — the Value column lists URL address of the page to which the item refers
• Script — the Value column lists the filtered object type (JavaScript, VBScript or ActiveX).
• blockPopups — the ON expression in the Value column informs users that pop-up and pop-
under window blocking is enabled for the particular page.
11-9
Debug, Error, The Error, Warning and Debug logs are not available from the Sunbelt Kerio Personal Firewall's
user interface — they can only be opened as files in the Logs sub-directory of the directory where
Warning Sunbelt Kerio Personal Firewall is installed (typically C:\Program Files\Sunbelt\Personal Firewall
Logs 4\logs). the file itself has the .log extension (e.g. error.log).
Debug Log
The Debug log lists detailed information on all processes of Sunbelt Kerio Personal Firewall.
Error Log
The Error log list errors that seriously affect Sunbelt Kerio Personal Firewall functionality (i.e. the
Firewall Engine cannot start).
Warning Log
The Warning log lists less important errors (i.e. an error detected when a new version verification
is performed, etc.).
11-10
Open-source libraries
This product includes the following open-source libraries:

libiconv
Libiconv converts from one character encoding to another through Unicode conversion.
Copyright ©1999-2003 Free Software Foundation, Inc.
Author: Bruno Haible
OpenSSL
Toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
zlib
Zlib is a general purpose data compression library.
Copyright ©1995-2003 Jean-Loup Gailly and Mark Adler.
12-1
Glossary
Application protocol
Application protocols are transmitted in packets of TCP or UDP protocol. They are used for
transmission of user (application) data. In addition to standard application protocols which are
available (i.e. SMTP, POP3, HTTP, FTP, etc.), application programmers may use a custom (non-
standard) method for communication.
Buffer
A region of memory reserved for use as an intermediate repository in which data is temporarily
held while waiting to be transferred between two locations or devices. For instance, a buffer is
used while transferring data from an application, such as a word processor, to an input/output
device, such as a printer.
Cookie
Information in text format that the server stores at a client (Web browser). It is used for later
identification of a user when the same server/site is opened again. Cookies can be misused for
monitoring which sites have been visited by a user, or they can be used for visit counter.
DHCP
Acronym for Dynamic Host Configuration Protocol. A TCP/IP protocol that enables a network
connected to the Internet to assign a temporary IP address to a host automatically when the host
connects to the network. See also IP address, TCP/IP. Compare dynamic SLIP.
DNS
Acronym for Domain Name System. The hierarchical system by which hosts on the Internet have
both domain name addresses (such as bluestem.prairienet.org) and IP addresses (such as
192.17.3.4). The domain name address is used by human users and is automatically translated
into the numerical IP address, which is used by the packet-routing software. DNS names consist of
a top-level domain (such as .com, .org, and .net), a second-level domain (the site name of a
business, an organization, or an individual), and possibly one or more sub-domains (servers within
a second-level domain). See also domain name address, IP address. 2. Acronym for Domain
Name Service. The Internet utility that implements the Domain Name System. DNS servers, also
called name servers, maintain databases containing the addresses and are accessed
transparently to the user. See also Domain Name System (definition 1), DNS server.
Firewall
A tool (usually a software product) for protection from intrusions and from data outflow. Two basic
firewall types are available:
• network firewall — protects computers of a network. Usually, it is used as a gateway (router)
through which the particular network is connected to the Internet.
13-1
• personal firewall — protects one computer (user's workstation). Unlike network firewalls, it can
match network communication with a particular application, change its behavior accordingly to
interaction with users, etc.
Note: In this guide the word firewall represents Sunbelt Kerio Personal Firewall.
IDS
Acronym for Intrusion Detection System. A type of security management system for computers
and networks that gathers and analyzes information from various areas within a computer or a
network to identify possible security breaches, both inside and outside the organization. An IDS
can detect a wide range of hostile attack signatures, generate alarms, and, in some cases, cause
routers to terminate communications from hostile sources.
ICMP
Acronym for Internet Control Message Protocol. A protocol used for transmission of control
messages. Several types of such messages are available, such as a report that the destination is
not available, redirection request or response request (used in the PING command).
IGMP
Acronym for Internet Group Membership Protocol. A protocol used by IP hosts to report their host
group memberships to any immediately neighboring multicast routers.
IP
Acronym for Internet Protocol. A a protocol transmitting all Internet protocols in its data part. The
header of this protocol provides essential routing information, such as source and destination IP
address (which computer sent the message and to which computer the message should be
delivered).
Port
The most essential information in TCP and UDP packet is the source and destination port. The IP
address identifies a computer in the Internet, whereas a port identifies an application running on
the computer. Ports 1-1023 are reserved for standard services and the operating system, whereas
ports 1024-65535 can be used by any application. In a typical client to server connection, usually
the destination port is known (connection is established for this port or UDP datagram is sent to it).
The source port is then assigned by the operating system automatically.
PPTP
Acronym for Point-to-Point Tunneling Protocol. An extension of the Point-to-Point Protocol used
for communications on the Internet. PPTP was developed by Microsoft to support virtual private
networks (VPNs), which allow individuals and organizations to use the Internet as a secure means
of communication. PPTP supports encapsulation of encrypted packets in secure wrappers that can
be transmitted over a TCP/IP connection. See also virtual network.
TCP
Acronym for Transmission Control Protocol. Used for reliable data transmission through so called
virtual channel (connection). It is used as a transmission protocol for most application protocols,
such as SMTP, POP3, HTTP, FTP, Telnet, etc.
TCP/IP
TCP/IP is a general term for protocols used in communication over the Internet. Data is divided
into data items called packets within individual protocols. Each packet consists of a header and a
data part. The header includes routing information (i.e. source and destination address) and the
data part contains transmitted data.
The Internet protocol stack is divided into several levels. Packets of lower protocols encapsulate
parts of higher-level protocols in their data parts (i.e. packets of TCP protocol are transmitted in IP
packets).
13-2
UDP
Acronym for User Datagram Protocol. A protocol without a connection. This implies that it does not
create any connection and data is transmitted in individual messages (so called datagrams). UDP
does not warrant reliable data delivery (datagrams can be lost during transmission). However,
unlike transmission through TCP protocol, it provides faster data transmission (it is not necessary
to establish connections or provide reliability control, confirmation is not demanded, etc.). UDP
protocol is used especially for transmission of DNS queries, audio files, video files, or other types
of streaming media which promote speed over reliability.
VPN
Acronym for Virtual Private Network. Nodes on a public network such as the Internet that
communicate among themselves using encryption technology so that their messages are as safe
from being intercepted and understood by unauthorized users as if the nodes were connected by
private lines. 2. A WAN (wide area network) formed of permanent virtual circuits (PVCs) on
another network, especially a network using technologies such as ATM or frame relay.
13-3
Index
A Firewall Configuration 6-1

Advertisement Blocking List interface 6-2
add web server to 10-4 set preferences 6-9
Alerts working with network connections 6-5
application 5-6 working with statistics 6-7
connection 5-3 Firewall Preferences 6-9
for connections with rules 5-10 back-up and restore config files 6-11
host intrusion 5-8 configuration 6-11
Application Alert 5-6 configure 6-9
Application Behavior Blocking 9-9 password protection 6-11
Application Rules preferred language 6-14
additional options 7-6 remote administration 6-13
defining 7-4 set password 6-12
settings 7-5 Functions and Features 1-4
AVG Component Rules 8-6 H
B HIPS Log 11-7
Behavior Log 11-8 Host Intrusion Alert 5-8
Block ads by URL 10-4 HostIntrusion and Prevention System 9-5
Boot-time Protection 7-24 I
C Installation
Components 1-2 before you install 2-2
Components and Control Features 4-1 initial settings 2-8
Components 4-2 installation 2-2
system tray icons 4-3 uninstall 2-9
Configure upgrading current version 2-11
ad blocking parameters 10-2 upgrading to new version 2-8
privacy parameters 10-2 Interface 6-2
site exception parameters 10-2 action buttons 6-4
Conflicting Software 1-5 modules 6-2
Connection Alert 5-3 network traffic graph 6-3
Connection Alerts 5-3 Internal Firewall Rules 8-1
Connections with Rules 5-10 AVG component rules 8-6
Context Menu network traffic rules
set basic parameters 11-3 Network Traffic Rules 8-2
D sytem security rules 8-4
Debug Log 11-10 Intrusion Detection 9-1
E Application Behavior Blocking 9-9
Error Log 11-10 HIPS 9-5
intrusions 9-2
F
NIPS 9-3
Firewall Behavior and User Interaction 5-1
application alert 5-6
connection alert 5-3
connection alerts 5-3
connections with rules 5-10
host intrustion alert 5-8
Overview 5-2
1-1
L parameters
Log ad blocking 10-2
behavior 11-8 privacy 10-2
debug 11-10 site exception 10-2
error 11-10 Predefined Rules
HIPS 11-7 manage 7-20
network 11-5 Purchasing and Product Registration 3-1
NIPS 11-6 free vs full version 3-2
warning 11-10 purchasing SKPF 3-2
web 11-9 Registration 3-6
Log Options R
set 11-4 References 1-5
Logging Paramters S
set 11-2 Site Exceptions
Logs and Alerts 11-1 add 10-5
viewing 11-2 Statistics 6-7
M viewing statistics for specific time frame 6-8
Module Logs Styles 1-5
view 11-2 Styles and references 1-5
N System Requirements 1-4
Network Connections 6-5 System Security Rules 8-4
manage options 6-6 System Tray Icons 4-3
Network Intrusion Prevention System 9-3 U
Network Log 11-5 Uninstalling SKPF 2-9
Network Security 7-1 Upgrading 2-8, 2-11
advanced settings 7-23 V
application rules 7-3 Viewing Logs and Alerts 11-2
boot-time protection 7-24 W
detecting new network interfaces 7-25 Warning Log 11-10
how rules are applied 7-2 Web Content Filtering 10-1
packet filter rules 7-7 ad blocking parameters 10-2
Predefined Rules 7-20 privacy parameters 10-2
rules 7-2 site exception parameters 10-2
trusted area 7-22 site exceptions 10-5
verifying dialed numbers 7-26 Web Log 11-9
what is it? 7-2 Web Server
NIPS Log 11-6 add to advertisement blocking list 10-4
O
Overview 1-2
P
Packet Filter Rules
adding a rule 7-10
inside 7-9
IP groups 7-18
manually define 7-7
proper functionality 7-9
protocol parameters 7-15
1-2

Sunbelt Kerio Personal Firewall User Guide

Uploaded by

Copyright:

Available Formats

Sunbelt Kerio Personal Firewall User Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sunbelt Kerio Personal Firewall User Guide

Uploaded by

Copyright:

Available Formats

Use of this software is subject to the End User License Agreement found in this User Guide (the License

Introduction .......................................................................................... 1-1

AVG Component Rules ..................................................................................................8-6

Functions and Features 1-4

System Requirements 1-4

Conflicting Software 1-5

Styles and References 1-5

Note: Sunbelt Kerio Personal Firewall 4 controls all running applications,

Network Intrusion Detection and Prevention (NIPS)

Warning: Sunbelt Kerio Personal Firewall 4 cannot be used on Windows NT

Note: Sunbelt Kerio Personal Firewall can be combined with a router or a

ALL CAPS indicate a keyboard button (Press ENTER).

caution users about a specific action.

warn users of the consequences related to specific actions or about specific

alert users to a notation or tip relevant to the current topic.

Before You Install 2-2

Initial Settings 2-8

Upgrading to a New Version 2-8

Uninstalling the Personal Firewall 2-9

Updating the Current Version 2-11

Figure 2-1 Installation Wizard: Welcome

Figure 2-2 Installation Wizard: What’s New

3 Click Next. The License Agreement window opens.

Figure 2-3 Installation Wizard: License Agreement

accept the license agreement, I accept the terms in the license

Figure 2-4 Installation Wizard: Installation Folder

Figure 2-5 Installation Wizard: Initial Firewall Settings

6 Make a selection regarding the initial settings for the firewall:

7 Next. The Ready to Install the Program window opens.

Figure 2-6 Installation Wizard: Ready to Install the Program

Figure 2-7 Installation Wizard: Installshield Wizard Complete

9 Click Finish. A dialog box opens.

Figure 2-8 Installation Wizard: Restart Your Computer.

Figure 2-9 Control Panel

Figure 2-10 Add or remove Programs

Figure 2-11 - Remove Sunbelt Kerio Personal Firewall

Note: If the latest version of Sunbelt Kerio Personal Firewall is installed, a

3 Restart the computer.

Figure 2-12 Update wizard of the Sunbelt Kerio Personal Firewall

Purchasing and Product Registration

Free Version vs. Full Version 3-2

Purchasing Sunbelt Kerio Personal 3-2

Product Registration 3-6

Figure 3-1 Sunbelt Kerio Personal Firewall Web Page

2 Click . The Buy Sunbelt Kerio Personal Firewall page opens.

Figure 3-2 Product Selection Page

Figure 3-3 OnLineShop - Step 1

Figure 3-4 OnLineShop - Step 2

Figure 3-5 Order Confirmation Page

Figure 3-6 Registration wizard — License Number

Figure 3-7 Registration wizard — Contact information

Figure 3-8 Registration wizard — Additional Subscriptions

add another subscription, Add; type the number in the Subscription

continue without adding another Next.

register another subscription number, Add Subscription. Go to step 4.

modify contact information, Modify data. Go to step 3 on page 3-6.

Firewall Components and Basic Control Features

System Tray Icons 4-3

Components Sunbelt Kerio Personal Firewall consists of eight key components:

Figure 4-1 Sunbelt Kerio Personal Firewall icon on the Systray