[tinkerman]

ISTA+ / ISTA-P can be installed with an installer or done manually. But an installer adds a bunch of Firewall Rules.

For installations that do not require communication with BMW, are any of these Firewall Rules necessary for communication with a diagnostic interface(i.e. ICOM, ENET, K+DCAN etc.) or other critical function, or are all of these Firewall Rules in essence not necessary?

[jaramillo]

My personal recomendation is to disable firewall in all profiles. just to avoid an unnexpected behavior

[Node]

You need firewall rules if you want to flash the car with ICOM. Probably same with ENET. Less so for
KDCAN.

P.S. I never disable my firewall because why? Proper firewall rules take care of everything.

[tinkerman]

My personal recomendation is to disable firewall in all profiles. just to avoid an unnexpected behavior

Thanks. If I can find out which are required for diagnostic interface communication and which are purely for BMW's data access, I'd like to disable the unnecessary rules.

You need firewall rules if you want to flash the car with ICOM. Probably same with ENET. Less so for
KDCAN.

P.S. I never disable my firewall because why? Proper firewall rules take care of everything.

Can you specify which Firewall Rules are definitely required for ICOM?

Thanks...

[rocdeng]

When ISTA related programs request access network, give them permissions. Like ISTAGUI.exe, IstaServiceHost.exe, edibasxxx and etc. If the permission request window not popup, better disable the firewall temperary to avoid problems.

[tinkerman]

When ISTA related programs request access network, give them permissions. Like ISTAGUI.exe, IstaServiceHost.exe, edibasxxx and etc. If the permission request window not popup, better disable the firewall temperary to avoid problems.

During initial boot of  ISTA-P 3.72 (using the Loader), I got 2 pop-ups of "Windows Defender has blocked some features of ...":

- Taurus Administration
- Java™ Platform SE binary

Closed these pop-ups with the upper right "X" buttons, and in Firewall Rules(Inbound), the rules for these programs were "partially" disabled by Defender in Firewall settings of each rule:

General>Enabled
Action>Block the connection 

I later fully disabled them by changing these settings to:

General>Disabled("Enable" unchecked)
Action>Block the connection
Advanced tab>Edge traversal>Block edge traversal.

All other Firewall Rules set by the installer are "Enabled"(but I suspect that many of these can be disabled/blocked).

There are no issues booting ISTA-P (albeit not yet connected this installation to a car for testing).

Note: I prefer to NOT completely disable Firewall. I want to enable or block rules depending on their purpose*:
- If it's critical for proper communication with interfaces then enable
- if it's for BMW to send/receive data without relation to critical functionality of ISTA-P(or ISTA+) during actual operation, then block
* This way, if I get online for say Windows update, I can be assured that communication with BMW or other sources (that should NOT take place) is prevented.

I would not be connected to the internet during use of ISTA-P(or ISTA+), but still I'd like to disable/block rules that may use system resources in the background if left enabled.

Any insights regarding any of the Firewall Rules(listed below) installed by ISTA-P (and Java) installer would be appreciated...

Thanks...

P.S.
ISTA-P 3.72 related Installer(and Java) installed Firewall Rules:

* Partially blocked by Windows Defender during initial boot of ISTA-P 3.72
Java™ Platform SE binary (TCP)
Java™ Platform SE binary (UDP)

Taurus Administration (TCP)
Taurus Administration (UDP)

* Not blocked by Windows Defender
Istap.data.Client.Remoting.hessian  (TCP)
Istap.data.Client.Remoting.http  (TCP)
Istap.data.Client.Remoting.tcp  (TCP)
Istap.data.Client.Remoting.wddx  (TCP)
Istap.data.Client.ZEA  (TCP)
Istap.data.DataProcurement  (Any)
Istap.data.DataTransfer  (TCP)
Istap.data.FZI.RequestFile  (TCP)
Istap.data.Idmon.LEA  (TCP)
Istap.data.Isominstance  (Any)
Istap.data.Java  (Any)
Istap.data.Monitoring  (TCP)
Istap.data.Phytia.Broadcast  (TCP)
Istap.data.Phytia.Remoting  (TCP)
Istap.data.Server.Remoting.hessian  (TCP)
Istap.data.Server.Remoting.http  (TCP)
Istap.data.Server.Remoting.tcp  (TCP)
Istap.data.Server.Remoting.wddx  (TCP)
Istap.data.TaurusClient  (Any)
Istap.data.TaurusServer  (Any)
Istap.data.TaurusServices  (Any)
Istap.data.TDSServer  (Any)
Istap.data.TrayApplication  (Any)
Istap.data.Zfv.Remoting.http.soap  (TCP)
Istap.data.Zfv.Remoting.tcp  (TCP)

IVM.Native.SLP.TCP  (TCP)
IVM.Native.SLP.UDP  (UDP)

PSDZ.Logging  (TCP)
PSDZ.Remoting.hessian  (TCP)

Tric.BrokerlspiNext.Host.http  (TCP)
Tric.Ivm.Manager  (TCP)
Tric.RemotelcsBroker.Default.Host.http  (TCP)
Tric.RemotelcsBrokerReserve.Host.http  (TCP)

[tinkerman]

Disabling* all the ISTA-P 3.72 installer installed Firewall Rules apparently has no affect on opening ISTA-P 3.72.

* General Tab > Uncheck "Enable", Action > "Block the connection"
   Advanced Tab > Block edge traversal

If running actual sessions require enabling any rules, I'd appreciate related comments based on experiences.

Thanks...

[pupu144]

You do have very appropriate username, tinkerman

No one usually bothered with such things..

Usually there is a script inside setup that adds all necessary entries to firewall.
Also, it goes without saying, that you should Agree/Accept any pop-up messages after you launch an application of your choice for the first time (if it's not some shady .EXE).

[tinkerman]

If I made you 'crack up'(laugh)... well then you've made my day!

There was a time  when I NEVER bothered with ANY of this... that is until forums like this and all its crazy folk started creepin' up...

Just a habbit to shut down potential "back doors" I don't know who or what is buggerin' about, at least until I fully understand for example what "Taurus" and all them services er up to. For the time being, it seems to be there for online updating of the software, which is not relevant for most folks, so disabled it will remain. (I) Read the entire ISTA-P manual(well pretty much) and there is no mention of such things...(can you believe that sh*t?) not much on ICOM setup either... better get me the Administrator manual!

Realized that recently the ISTA-P or rather the Loader seems to not include the ICOM emulator function and I've been considering a genuine ICOM Next from the dealer for some time. Hence, the questioning of Firewall Rules as they apply (if at all) to interface communications etc.. (not cuz I want to surf the net while flashing ECUs!)

Cheers...

[bellphegorus]

To Info:
What Windows do you use? ISTA P has Problems on Windows 11, and BMW AOS Support say: WIn11 not supported They say Communication errors can ocur, by programming. So you need Win10 or older crazy...