Recent updates to this article

Date	Update
September 1, 2023	Minor formatting changes; rebranding from McAfee to Trellix.
June 23, 2022	Minor formatting changes; no content changes.

Third-party applications that ENS Firewall blocks:
If the ENS Firewall blocks a third-party application from functioning properly, contact the third-party application vendor support team. Request documentation about the specific network traffic that should be allowed through the ENS Firewall. The third-party vendor website might also contain documentation about the network traffic needed by the application. With the documented network traffic requirements, you can create firewall rules to allow the network traffic through the ENS Firewall for the third-party application to function properly.

Use the following steps to troubleshoot an application or network traffic when using ENS Firewall:

1. Enable debug logging for the ENS Firewall module
2. Enable the "Log all blocked traffic" and "Log all allowed traffic" firewall logging options
3. Test by enabling the ENS Firewall Adaptive mode feature
4. Troubleshooting steps if enabling the ENS Firewall Adaptive mode feature resolves the issue
5. Test by using an ALLOW ANY policy
6. Test by isolating what type of network traffic resolves the issue
7. Test by allowing unsupported protocols
8. Test by disabling the Global Threat Intelligence (GTI) Network Reputation functionality
9. Test by disabling the GTI "Block all untrusted executables" functionality
10. Test by disabling the "Allow only outgoing traffic until firewall services have started" feature
11. Test by disabling the core networking rules
12. Test by enabling the core networking rules
13. Verify the ENS Firewall and Windows Defender Firewall status values in Windows Security Center
14. Collect data using Minimum Escalation Requirements (MER), FWInfo, AMTrace tools, and network capture software

Enable debug logging for the ENS Firewall module

• For ePolicy Orchestrator (ePO) managed systems:
  1. Open the ePO console.
  2. Edit the Endpoint Security Common, Options policy.
  3. Click Show Advanced.
  4. Select Enable for Firewall under the Debug Logging section.
  5. Save the policy.
      
• For standalone systems that ePO doesn't manage:
  1. Open the ENS console from the Trellix Agent notification area icon, or by running the application \Program Files (x86)\McAfee\Endpoint Security\Endpoint Security Platform\MFEConsole.exe.
  2. Click the Firewall module or click the down arrow in the upper-right corner, and then click Settings.
     
     NOTE: You might need to first unlock the ENS console using Administrator Log On.
      
  3. Click the Common section.
  4. Click Show Advanced.
  5. Select Enable for Firewall under the Debug Logging section.
  6. Click Apply.

Back to top

Enable the "Log all blocked traffic" and "Log all allowed traffic" firewall logging options

1. Enable the Log all blocked traffic and Log all allowed traffic firewall logging options:
   • For ePO-managed systems:
     1. Open the ePO console.
     2. Edit the Endpoint Security Firewall, Options policy.
     3. Click Show Advanced.
     4. Select Log all blocked traffic and Log all allowed traffic under the Tuning Options section.
     5. For GTI-related activities, select Log matching traffic under the Trellix GTI Network Reputation section.
     6. Save the policy.
         
   • For standalone systems that ePO doesn't manage:
     1. Open the ENS console.
     2. Open the Firewall module settings.
     3. Select Log all blocked traffic and Log all allowed traffic under the Tuning Options section.
     4. For GTI-related activities, select Log matching traffic under the Trellix GTI Network Reputation section.
     5. Click Apply.
         
2. Reproduce the issue.
    
3. Review the FirewallEventMonitor.log file for details about the blocked and allowed network traffic. The FirewallEventMonitor.log file is located in the directory \ProgramData\McAfee\Endpoint Security\Logs\

Back to top

Test by enabling the ENS Firewall Adaptive mode feature
Be aware of the limitations of the ENS Firewall Adaptive mode feature. There are conditions where the ENS Firewall can't automatically create client rules. See the "FAQ - Adaptive mode" section of the relevant Endpoint Security Product Guide for details.

1. Edit the Endpoint Security Firewall, Options policy from the ePO console or ENS console.
2. Click Show Advanced.
3. Select Enable Adaptive mode (creates rules on the client automatically) under the Tuning Options section.
   
   NOTE: If the ENS client is ePO-managed, also enable the Retain existing user-added rules and Adaptive mode rules when this policy is enforced option. This option allows the ENS client to retain these client rules, and not delete the client rules, if a Trellix Agent policy enforcement occurs. It allows the client rules to be uploaded to the ePO server for policy management. The ENS Firewall Property Translator ePO server task processes the client rules, and converts them from individual client rules to ePO-manageable client rules in the Reporting, Firewall Client Rules menu. This task isn't the ENSFW Property Translator server task listed, but a hidden internal task that automatically runs every 15 minutes. Keep the unhidden ENSFW Property Translator server task always in a Disabled state.
    
4. Apply the modified policy to the client and retest the issue. If the issue is resolved, continue to the next step. If the issue isn't resolved, continue to the next section.
5. Open the ENS console and open the Firewall menu.
6. Scroll down to the Rules section and review the Adaptive firewall group.
7. Expand the Adaptive firewall group and review the client rules to determine why the new rules were created. Firewall client rules might be created for many reasons. Modify the existing rules as needed, or create firewall rules in the policy, if other firewall rules exist in the policy for that specific application or network traffic. If you believe that the rules were created in error, contact Technical Support for further investigation. See the "Related Information" section for contact details.

Troubleshooting steps if enabling the ENS Firewall Adaptive mode feature resolves the issue
Enabling the ENS Firewall Adaptive mode feature allows two troubleshooting steps.

1. Verify whether any Adaptive mode client rules are created for applicable network traffic. Open the ENS Firewall client menu, and then browse to the Rules section. Locate the Adaptive firewall group. Click the > sign and open the group and list the local client rules. If the group is grayed out and can't be opened, no client rules have been created locally on the system. If the ENS client is ePO-managed, these Adaptive mode client rules are sent to the ePO server for Firewall client rule management. Review the Firewall client rules under the Reporting, Firewall Client Rules menu.
2. ENS Firewall Adaptive mode also changes the default Block All Traffic rule at the bottom of the client policy. It changes this default to an "allow all" rule named Adaptive Rule. If no Adaptive client rules were created from the above step, review the FirewallEventMonitor.log file for log Matched Rule:  Adaptive Rule entries. These entries contain the network traffic that other firewall rules don't allow or block and that Adaptive mode doesn't learn. You must manually create firewall rules, locally on the client or via ePO policy, for this matching traffic. These rules help you to identify which network traffic resolves the issue. It's possible that more than one type of network traffic resolves a particular third-party application issue. For network traffic allowed via the firewall rule named Adaptive Rule, the executable Path is typically <BLANK>, which means the executable within the defined firewall rule must be <BLANK> too.
   
   Example:
   
   Time:     01/13/2020 11:30:38 AM
   Event:  Traffic
   IP Address:  10.10.10.1
   Description:  
   Path:  
   Message:      Allowed Incoming UDP  -  Source  10.10.10.1 :  (56711)   Destination  10.10.10.2 :  (49284)
   Matched Rule:  Adaptive Rule

Back to top

Test by using an ALLOW ANY policy
To implement an ALLOW ANY policy, you must modify the Endpoint Security Firewall, Options, and Rules policies with the settings described below.

1. Edit the Endpoint Security Firewall, Options policy as follows, using the ePO console or ENS console:
   1. Click Show Advanced.
   2. In the Firewall section, select Enable Firewall.
   3. In the Protection Options section, configure the following options:
      • Allow traffic for unsupported protocols - Enabled
      • Allow only outgoing traffic until firewall services have started - Disabled
      • Allow bridged traffic - Enabled
   4. In the Tuning Options section, configure the following options:
      • Enable Adaptive mode - Disabled
      • Disable core networking rules - Enabled
        
        NOTE: We recommend that you leave this feature enabled; disabling the core networking rules might disrupt network communications on the client.
         
      • Log all blocked traffic - Enabled
      • Log all allowed traffic - Enabled
   5. In the Trellix GTI Network Reputation section, configure the following options:
      • Treat GTI match as intrusion - Disabled
      • Log matching traffic - Enabled
      • Block all untrusted executables - Disabled
      • Incoming network-reputation threshold - Don’t block
      • Outgoing network-reputation threshold - Don’t block
      • For ENS 10.6.0 and later, the GTI ratings server isn't reachable and no configuration is needed.
   6. In the DNS Blocking section, no configuration is needed.
   7. In the Defined Networks section, no configuration is needed.
   8. In the Trusted Executables section, no configuration is needed.
      
2. Edit the Endpoint Security Firewall, Rules policy as follows from the ePO console or ENS console:
   1. Click Add Rule.
   2. In the Description section, configure the following settings:
      • Name - ALLOW ANY
      • Status - Enable rule
      • Actions - Allow
      • Treat match as intrusion - Disabled
      • Log matching traffic  - Disabled
      • Direction - Either
   3. In the Networks section, configure the following settings:
      • Network protocol - Any protocol
      • Connection types - Select all types shown.
      • Specify Networks - No configuration is needed.
   4. In the Transport section, configure the following setting:
      • Transport protocol: All protocols
   5. In the Applications section, no configuration is needed.
   6. In the Schedule section, configure the following setting:
      • Enable schedule - Disabled
         
3. Retest the issue.
   
   If the issue is resolved, expand all firewall rule groups in the named policy and analyze each of the firewall rules from the top down. Pay special attention to those rules that have BLOCK as the action. Based on this review, move the Any-Any rule down to many positions in the rule set. If a rule isn't located, add the proper rule to the firewall policy set and retest. If you do this several times and retest the issue, you might determine which rule is blocking the application.
   
   NOTE: Verify that the application details match the executable details appropriately. For example, the File description value must be the exact application description; this value isn't a comment value for the application. For more information, see KB71735 - About the executable File Description field.

Back to top

Test by isolating what type of network traffic resolves the issue
To determine what type of network traffic is related to the issue, isolate network traffic by different criteria. Different generic combinations can help you determine what type of network traffic to focus on when reviewing the BLOCKED entries in the FirewallEventMonitor.log file.

NOTE: The list provided below is only a guide to some criteria examples and isn't intended to be a full list.

Example use:
If allowing all inbound traffic resolves the issue, further narrow the rule to TCP versus UDP versus ICMP. 
If allowing all inbound TCP traffic resolves the issue, review the firewall logs for Blocked Incoming TCP traffic.

Generic combination examples:

• Allow all outbound traffic
   
• Allow all inbound traffic
   
• Allow all IPv4 traffic
  • Inbound versus outbound
  • TCP versus UDP versus ICMP
     
• Allow all IPv6 traffic
  • Inbound versus outbound
  • TCP versus UDP versus ICMP
     
• Allow all TCP traffic
  • Inbound versus outbound
     
• Allow all UDP traffic
  • Inbound versus outbound
     
• Allow all ICMP traffic
  • Inbound versus outbound
  • ICMPv4 versus ICMPv6
     
• Allow all broadcast (255.255.255.255) traffic
   
• Allow all multicast (224.0.0.252-239.255.255.250) traffic

Back to top

Test by allowing unsupported protocols
Enable the Allow traffic for unsupported protocols option in the Endpoint Security Firewall, Options policy, and retest to check whether this action resolves the issue.

Back to top

Test by disabling the GTI Network Reputation functionality
Set the Incoming network-reputation threshold and Outgoing network-reputation threshold to Don’t block in the Endpoint Security Firewall, Options policy. Then, retest and confirm whether this action resolves the issue. The GTI Network Reputation feature processes network traffic before the other firewall rules contained in the Firewall Rules policy, which might contain an Allow Any-Any firewall rule. If the GTI Network Reputation functionality blocks the network traffic, see KB90837 - FAQs for Endpoint Security Firewall Global Threat Intelligence.

Back to top

Test by disabling the GTI "Block all untrusted executables" functionality
Disable the Block all untrusted executables option in the Endpoint Security Firewall, Options policy. Then, retest and confirm whether this action resolves the issue. This feature blocks all executables that aren't signed or have an unknown GTI reputation. For information about this feature, see KB90096 - Explanation of the "Executable verification Rule." Network traffic blocked by this feature is logged in the FirewallEventMonitor.log file with the entry: Matched Rule:  Executable verification Rule.

Back to top

1. (OPTIONAL) Install network capture software on the test client.
   
   NOTES:
   • A network capture trace isn't needed in all situations unless the issue is related to performance or timing issues. Technical Support might specifically request a network trace when needed.
   • Network capture issues have occurred in the past with the WinPcap software included with Wireshark. NETRESEC RAWCap is an alternative network capture software that you can use to avoid these issues.
      
2. Obtain the AMTrace tool. See KB86691 - Minimum data collection steps for Endpoint Security issues.
3. Enable debug logging within the ENS product. See KB86691 - Minimum data collection steps for Endpoint Security issues.
4. Enable the Log all blocked traffic and Log all allowed traffic logging options in the Firewall Options policy. Because of the increased activity of logging more network traffic, you might need to adjust the ENS log size limits. (This adjustment is usually not needed.) Adjust the following ENS logging options in the ENS Common Options policy if needed:
   • Limit size (MB) of each of the debug log files - default size is 50 MB
   • Limit size (MB) of each of the activity log files - default size is 10 MB
5. Start capturing a network trace.
6. Start the AMTrace tool. There are multiple ways to run the AMTrace tool. Either run amtrace.exe to start or stop the tool manually, or use the following command-line switches:
   • To start: AMTrace.exe -b now -m 2GB
   • To stop: AMTrace -e
7. Reproduce the issue.
   
   NOTE: Document the precise date and time of the issue being reproduced, for Technical Support log review.
    
8. Stop the network trace capture.
9. Stop the AMTrace tool.
10. Collect a MER file from the system. The MER must include the ENS Firewall log files \ProgramData\McAfee\Endpoint Security\Logs\Firewall*.log
11. Collect appropriate network traffic and application details:
    • Source and destination IP addresses, including any other related network address details, if needed.
    • Source and destination port numbers, if applicable.
    • Application executable details, for example, vendor name, installation path, executable path, and file name.
    • Date and time of issue reproduction.
    • Any relevant BLOCK or ALLOW entries from the ENS Firewall log files, if applicable.
12. At times, an exported copy of the ENS Firewall policies is needed for thorough analysis. The needed Firewall policies are usually the Firewall Rules or Options policies. If you can provide these policies for Technical Support to review, export them from the ePO console Policy Catalog menu, not the Firewall Catalog menu. Export the policies as policy XML files.
13. Collect FWInfo data:
    1. Open a command prompt as an Administrator. For example, if you use Windows 10, type CMD in the Start search box, right-click Command Prompt, select Run as administrator, and click Yes.
    2. At the Administrator command prompt, run the following commands:
       
       ipconfig /all > c:\ipconfig.txt
       
       NOTE: fwinfo is at C:\Program Files\Common Files\McAfee\SystemCore\fwinfo.exe.
        
       fwinfo -configdisplay > c:\fwinfo-configdisplay1.txt
       fwinfo -ipconfig > c:\fwinfo-ipconfig1.txt
       fwinfo -policydisplayxml > c:\fwinfo-policydisplayxml1.txt
       
       NOTE: Run the following command on Windows Vista SP1 or later systems. The command creates a file named wfpstate.xml. Rename the file to wfpstate1.xml.
       
       netsh wfp show state
        
14. Contact Technical Support and provide the data collected above for further analysis. See the "Related Information" section for contact details.

Back to top