Sygate personal firewall guide

This guide is intended for firewall newbies as well as for users who have experience with other software firewalls but want a quick and easy start.

[Screenshot: SPFMainWin.jpg]

Installation:

  1. First turn on XP's own SP2 firewall, or whatever other firewall you have now, before connecting to the internet.
  2. Download the installer. Symantec pulled the former Sygate download site, so finding Sygate free or pro firewall versions can be hard. This guide also applies to the pro version. I recommend 5.5.2710 or an earlier version over the XP Security Center recognized 5.6 one. At the time this is written you can find it in this thread by red_jack: SPF 5.5.2710 free. Also this site has old versions that I think are safe.
  3. Save the file to your hard disk.
  4. Disconnect from the internet and remove all other firewall installations. It is not enough that your previous firewall is not running; it needs to be uninstalled. Also turn off the XP SP2 firewall if you are running it.
  5. Install SPF by running the downloaded file and answering yes to all the questions. You should be logged in with an administrator user account.
  6. If you installed 5.5.2710 and are running Windows XP SP2, you should notify the Security Center that you are controlling your firewall yourself, so that it does not give unnecessary warnings about missing firewall protection.

Configuration:

The Sygate firewall needs a few adjustments to protect your computer well!

In the system tray at the bottom right of the desktop, near the clock, you should see the SPF traffic/attack icon.
You can always open the 'SPF quick menu' by right-clicking that icon.

  1. From the SPF quick menu select 'Applications...'.
  2. From the applications list select 'Generic Host Process ... svchost.exe'.
  3. Click the box on the left until its Access setting shows 'Allow'.
  4. Click 'Advanced' at the bottom left and, in the window that opens, remove the server right by unchecking 'Act as Server'. Close the Applications window by clicking 'OK' to accept the change.
  5. From the Applications list you can delete all the other programs with the 'Remove' button, so that the list does not fill with items that may never try to connect to the internet.

[Screenshot: SPFServer.jpg]

Now it should be fairly safe to connect to the internet again.

When you start a program that connects to the net, SPF will ask whether it should be allowed or not. If you are new to firewalls, answer 'Yes' for now, but write down the program's name for later configuration. Afterwards those programs should have their server right removed, the same way it was done above for 'Generic Host .... svchost.exe'. Only instant messengers, some P2P software and the like need the server right; browsers, email clients and other normal software do not, nor, in my experience, does any Windows process. The only exception is when you need to synchronize the computer's clock. More about that later in this guide.

BY DEFAULT, SPF GIVES ALL ALLOWED APPLICATIONS THE 'ACT AS SERVER' RIGHT, SO THE PARAGRAPH ABOVE MUST BE READ TOO!

More about rulemaking


Testing the firewall:

In the SPF main window, 'Sygate Personal Firewall', you can find a button 'Security Test'. It opens a web site where you can run the port scan tests 'Quick Scan' and 'Stealth Scan'. If you are really testing your own internet connection's IP address, as is usually the case, the results should show 'BLOCKED' status for all incoming ports. Some ports may be open, like port 5000, but more about them later.

Warning:

The Sygate test site recommends also running those tests without a firewall, to see some open ports. Nowadays an XP computer that has not been updated gets infected very fast, so that suggestion should be ignored.
Also, the 'Trojan Scan' test gives false indications of existing Trojans if some ports are open, so leave it undone for now.

The site that button leads to seems to be no longer working.

Gibson's Shields Up! test is very popular, and I prefer it over Sygate's. Check that the page shows your own IP address. If you are behind a NAT device or proxy server, this test should not be trusted, because it is then not testing your firewall configuration.

Click the 'Proceed' button and then the 'Common Ports' button in the new window.

All ports should show a green 'Stealth' status if SPF is properly configured.
Check that the browser you are using has not been given the 'Act as Server' right.

Incoming port 5000 may be open. It can be closed (or opened again) with the 'UnPlug n' Pray' utility.
Press the 'Download Now' button and run the program.


Firewall general settings:

  1. Right-click the SPF tray icon and select 'Options...'.
  2. 'General' tab. You should have a checkmark on 'Automatically load Sygate Personal Firewall service at startup'.
  3. Check 'Hide Notification Messages'. [Screenshot: SPFHide.jpg]
  4. 'Network Neighborhood' tab.
  5. Select your internet connection Network Interface. If you have a normal home user's computer with no other machines in your home network, uncheck the following: 'Allow to browse Network Neighborhood files and printer(s)' and 'Allow others to share my files and printer(s)'.
  6. 'Security' tab.
  7. Make sure that these options are checked: 'Enable driver level protection', 'NetBIOS Protection' and 'Anti-Application Hijacking'.

[Screenshot: SPFSharing.jpg]



Some fine tuning:

If you have set your computer to check for critical Windows updates and download them automatically, you have to 'Allow' Generic Host Process ... svchost.exe to connect outbound to the internet with the 'Act as Client' right. Allowing it the server right is, I think, a security risk, because it leaves some inbound ports open; that right was disabled in the configuration part of this guide.

If you want to update the computer's clock from a time server, a small hole must nevertheless be made in the server setting of Generic Host:

  1. Open the SPF quick menu.
  2. Select 'Advanced Rules...' and add this advanced rule:
  3. Rule Summary:  This rule will allow incoming traffic from IP address(es) 207.46.130.100 on UDP remote port(s) 123 to UDP local port(s) 123.  This rule will be applied to all network interface cards.  The following applications will be affected in this rule: Generic Host Process for Win32 Services.
Only that specific time server IP address and only that UDP port, and restricted to Generic Host only!

Look at the traffic log: SPF quick menu, 'Logs -> Traffic Log...'. It shows all internet connections, both allowed and blocked. Two applications generate a lot of unnecessary traffic that can be stopped on most systems: 'ndisuio.sys' and 'ntoskrnl.exe'. Doing so also makes the computer a bit faster.

Unless your computer has a wireless connection, the traffic from ndisuio.sys can be stopped by disabling the Windows service 'Wireless Zero Configuration'. Instructions can be found via Google etc., but here is one link: http://www.ifelix.co.uk/tech/2000.html

Ntoskrnl.exe traffic is related to NetBIOS and can be stopped for the most part:

  1. Start -> Control Panel -> Network Connections.
  2. Right-click the internet connection icon and select 'Properties'.
  3. On the 'General' tab, uncheck 'Client for Microsoft Networks' and 'File and Printer Sharing for Microsoft Networks'.

Traffic checking and other hints:

  1. SPF quick menu -> Sygate Personal Firewall.
  2. View -> Connection Details.
  3. 'Running Applications' box.

[Screenshot: SPFConWin.jpg]


In the box under 'Running Applications' you can see all the applications and the 'Local' ports on which they are listening for inbound connections. From there you can remove the server right, 'Act as Server', in case the firewall tests above still show some open ports.


[Screenshot: SPFTraffic.jpg]

Learn to examine your Traffic Log, shown above. Sygate has excellent logging capabilities.
You can sort the log by Time (default), Action, Direction, Application Name, etc.

The best security policy is to block as much as you can with a firewall.
If something is not working, you have the traffic log to check what is blocked and then has to be allowed. Note that the traffic log does not really log traffic; it logs internet connections. An outgoing connection usually generates both incoming and outgoing traffic, as you well know from your browser, for example.
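The guide's core check, applied to an exported log: an allowed 'Incoming' entry means that application effectively has the 'Act as Server' right, and the only inbound entry that should be there on purpose is the time-server rule above. This is an added example, not part of the original guide, and the tab-separated column layout of the log is an assumption made for it, not Sygate's actual export format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of a tab-separated traffic log export. The column layout is
# an assumption made for this example, not Sygate's real export format.
SAMPLE_LOG = """\
Time\tAction\tDirection\tApplication Name\tRemote Host\tRemote Port\tLocal Port\tProtocol
2007-01-11 10:01:02\tAllowed\tOutgoing\tfirefox.exe\t64.233.183.104\t80\t3212\tTCP
2007-01-11 10:01:09\tAllowed\tIncoming\tsvchost.exe\t207.46.130.100\t123\t123\tUDP
2007-01-11 10:02:41\tAllowed\tIncoming\tsvchost.exe\t192.0.2.55\t3456\t135\tTCP
2007-01-11 10:03:15\tBlocked\tIncoming\tntoskrnl.exe\t192.0.2.77\t137\t137\tUDP
2007-01-11 10:04:58\tAllowed\tIncoming\tmsnmsgr.exe\t198.51.100.9\t1863\t6891\tTCP
"""

# The one deliberate inbound exception from the guide: the time-server rule.
NTP_RULE = {"Application Name": "svchost.exe", "Remote Host": "207.46.130.100",
            "Remote Port": "123", "Local Port": "123", "Protocol": "UDP"}


def parse_log(text):
    """Return the log as a list of dicts keyed by column header."""
    return list(csv.DictReader(StringIO(text), delimiter="\t"))


def matches_rule(entry, rule):
    """True when every field named in the rule equals the entry's value."""
    return all(entry[field] == value for field, value in rule.items())


def inbound_allowed(entries, exceptions=(NTP_RULE,)):
    """Map each application to the local ports on which it accepted inbound connections.

    Entries covered by a known advanced rule are skipped, so whatever is returned
    is a candidate for having its 'Act as Server' right removed in SPF.
    """
    listeners = defaultdict(set)
    for entry in entries:
        if entry["Action"] != "Allowed" or entry["Direction"] != "Incoming":
            continue
        if any(matches_rule(entry, rule) for rule in exceptions):
            continue
        listeners[entry["Application Name"]].add(int(entry["Local Port"]))
    return dict(listeners)


if __name__ == "__main__":
    for app, ports in sorted(inbound_allowed(parse_log(SAMPLE_LOG)).items()):
        print(f"{app}: accepted inbound on local port(s) {sorted(ports)}")
```

On the sample, svchost.exe is reported for port 135 (its NTP reply on port 123 is excused by the rule) and msnmsgr.exe for port 6891, which is expected for an instant messenger.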

There is, though, an add-on program that is faster and offers more options, better sorting and additional filtering of what is shown (or rather hidden): http://www.geocities.jp/bruce_teller/sygate5/spflgvw_en.htm

If you have problems, or are otherwise interested in knowing more, you can visit the Sygate discussion forum(s), reading other users' threads or posting your own.

Symantec decided to kill Sygate. It was expected: too popular and too good for a free firewall. Firewall Poll 2006.
Firewalls don't age the same way as antiviruses and other malware prevention programs. Many people still use the old Kerio 2.1.5 firewall. My guess is that once the new Windows Vista operating system arrives, the good Sygate firewall will slowly fade into software history. Also, Microsoft is developing its own security suite, so the days of a single pure firewall are almost gone. But there will always be some users who don't like security suites from one particular vendor and instead like to build their security from various pieces of software, free to choose as they like.

11 January 2007
Jarmo Salonen

SAFE SURFING!

----------------------------

About local proxy software

If you run such software, Proxomitron being one, you will lose outbound connection control from Sygate Personal Firewall to a varying degree depending on the local proxy. I myself only have experience of the avast! antivirus proxies, the web browser shield and the email/newsgroup client scanner. Those proxies only let out known browsers and email clients that people normally allow anyway. But you don't get asked by Sygate, and SPF blocking them also does not work. It is a 'issue' with Sygate's handling of the loopback that has been known for many years. As told in the forum, fixing it would have required a complete rewrite of the firewall code.

With avast's Web Shield it is possible to disable the transparent proxy for all internet browsers and instead configure only the browsers you use to be proxied for viruses/malware. So if you do not usually run Internet Explorer and suspect some malware might go out through it, it can be excluded from the antivirus proxy scanner. You will still have the Standard Shield. Then, if you have IE on an ask or block basis in the application rules, SPF will respond accordingly.
I think this paragraph needed to be written here because many Sygate users also use avast. I did too.