FAQs for Endpoint Security Firewall "Disable Trellix core networking rules" feature
Technical Articles ID:
KB91206
Last Modified: 2023-08-31 07:04:36 Etc/GMT
Environment
Endpoint Security (ENS) Firewall 10.x
Summary
This article provides detailed information about the ENS Firewall feature "Disable Trellix core networking rules."
Recent updates to this article
Date | Update
August 29, 2023 | Rebranded all instances of "McAfee core networking rules" to "Trellix core networking rules."
August 10, 2022 | Added the section "What are some examples where the Trellix core networking rules can be disabled?" Added a table of contents of the questions/information at the top of the article.
February 14, 2022 | Updated the FAQ "Should I disable the core networking group for testing or production use?" to state that we don't recommend that you disable core networking rules.
Contents
Click to jump to the section that you want to view:
- What's the ENS Firewall "Disable Trellix core networking rules" feature and its purpose?
- What firewall rules are included in the "Trellix core networking" group?
- Why is "Disable Trellix core networking rules" available as a selectable feature in the ENS Firewall Options policy?
- After I enable the "Disable Trellix core networking rules" feature, why are all firewall rules inside the Trellix core networking group not disabled?
- Which core networking firewall rules aren't disabled when I enable the "Disable Trellix core networking rules" feature?
- Can I modify or delete the core networking group or any of the firewall rules within the group?
- If I enable the "Disable Trellix core networking rules" feature, what issues might arise?
- Should I disable the core networking group for testing or production use?
- What are some examples where the Trellix core networking rules can be disabled?
What's the ENS Firewall "Disable Trellix core networking rules" feature and its purpose?
The "Disable Trellix core networking rules" feature controls the core networking group, which contains firewall rules that allow several types of network traffic related to the following:
- Critical system processes
- Trellix applications
- DHCP
- Domain Name System (DNS)
- Loopback
- Broadcast
What firewall rules are included in the "Trellix core networking" group?
The following firewall rules are included in the "Trellix core networking" group:
NOTE: With ENS Firewall 10.7.0 and later, the multiple "Allow McAfee-signed applications" firewall rules listed below have been merged into a single firewall rule.
- Allow outbound system applications - Allows outbound network traffic for the Windows SYSTEM executable process.
- Allow ARP traffic - Allows inbound and outbound network traffic for Address Resolution Protocol (ARP) packets (Ethernet Protocol 0x806).
- Allow EAPOL traffic - Allows inbound and outbound network traffic for Extensible Authentication Protocol over LAN (EAPOL) packets (Ethernet Protocol 0x888E).
- Allow outbound stock applications - Allows outbound network traffic for Windows critical processes (for example, services.exe, svchost.exe, lsass.exe, userinit.exe, winlogon.exe, alg.exe, spoolsv.exe, and dns.exe).
- Allow McAfee-signed applications - Allows inbound and outbound network traffic related to our products based on signer certificate value.
- Allow McAfee-signed applications 2 - Allows inbound and outbound network traffic related to our products based on signer certificate value.
- Allow McAfee-signed applications 3 - Allows inbound and outbound network traffic related to our products based on signer certificate value.
- Allow McAfee-signed applications 4 - Allows inbound and outbound network traffic related to our products based on signer certificate value.
- Allow outbound ICMPv4 traffic - Allows outbound network traffic related to the ICMPv4 transport protocol.
- Allow outbound ICMPv6 traffic - Allows outbound network traffic related to the ICMPv6 transport protocol.
- Allow outbound DNS traffic - Allows outbound network traffic related to remote host UDP port 53 (default port for DNS resolution).
- Allow inbound traffic from special IP addresses - Allows inbound network traffic for the special IP address 0.0.0.0 (IPv4 and IPv6). For more information, see this article on special IP address 0.0.0.0.
- Allow outbound loopback and broadcast traffic - Allows outbound network traffic related to IPv4/IPv6 loopback and broadcast traffic.
- Allow reserved IP traffic - Allows inbound and outbound network traffic for the RESERVED Transport Protocol 255 (0xFF). For more information, see this article on IP protocol numbers.
- Allow outbound BOOTP traffic - Allows outbound network traffic for BOOTP and DHCP traffic (UDP ports 67 and 68).
- Allow outbound DHCPv6 traffic - Allows outbound network traffic for DHCPv6 traffic (UDP ports 546 and 547).
Why is "Disable Trellix core networking rules" available as a selectable feature in the ENS Firewall Options policy?
For customers that don't want to use this group of firewall rules, ENS lets you disable them through ePolicy Orchestrator (ePO) policy or local configuration. When you enable the "Disable Trellix core networking rules" feature, the pop-up message "Disabling Trellix core networking rules could disrupt network communications on the client" displays in the ePO server and the local ENS client console. This message is a warning about potential network disruption issues. By disabling this group of firewall rules, you might (although not guaranteed) experience network communication issues. These firewall rules allow critical Windows processes and their related network traffic. If they're disabled, features or functionality that depend on these processes might be affected, for example, printer jobs, interaction with DNS servers, and user logons. Perform thorough tests if this feature is enabled to make sure that there are no issues.
Another important reason for the feature's design is to prevent the ENS Firewall from blocking Trellix Agent (TA) and other product network traffic. If a firewall policy issue occurs, for example, a poorly implemented or corrupt policy, the ENS Firewall must always allow TA communications to the ePO server to obtain new policy updates and resolve policy-related issues. Without this safeguard, there would be two possible outcomes: the firewall could permanently block the ePO server and TA communications (and so block policy updates), or it could prevent the system from connecting to any network. Either outcome might require manual intervention on the local system to remedy the issue.
After I enable the "Disable Trellix core networking rules" feature, why are all firewall rules inside the Trellix core networking group not disabled?
This behavior is by design. The core networking group itself remains enabled, and some of its firewall rules are disabled, but other critical firewall rules aren't. This design prevents the ENS Firewall from blocking the following specific types of critical application and non-application network traffic, which could otherwise cause major outages, for example, a system that's unable to connect to the local network or obtain an IP address from it. The traffic that stays allowed is as follows:
- Always allow network communications for TA and other Trellix-signed applications.
- Always allow ARP network traffic.
- Always allow BOOTP and DHCP (UDP port 67 and 68) traffic for systems to obtain an IP address dynamically (if not using static IP address assignments).
Which core networking firewall rules aren't disabled when I enable the "Disable Trellix core networking rules" feature?
The following rules aren't disabled:
- Allow ARP traffic
- Allow McAfee-signed applications
- Allow McAfee-signed applications 2
- Allow McAfee-signed applications 3
- Allow McAfee-signed applications 4
- Allow outbound BOOTP traffic
Can I modify or delete the core networking group or any of the firewall rules within the group?
No. Currently, modification or deletion of these rules isn't an available feature. You can only enable or disable the group of firewall rules (with the limitations stated above).
If I enable the "Disable Trellix core networking rules" feature, what issues might arise?
Disabling this group of firewall rules might cause certain network traffic for critical processes to be blocked. Firewall configuration changes might be needed within the Firewall Options or Firewall Rules policy. The changes depend on what type of network traffic is blocked and how you want to allow the network traffic. For example, whether you want to create specific firewall rules to allow the traffic, or allow it by generic Trusted Executable or Defined Networks (Trusted) rules.
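Because the configuration changes needed depend on which traffic the critical processes actually generate, it helps to inventory that traffic on a representative client before the feature is enabled. The following PowerShell script is an added example, not part of the Trellix KB article or an ENS component: it lists the established TCP connections and UDP listeners owned by the processes that the "Allow outbound system applications" and "Allow outbound stock applications" rules cover, grouped by process, protocol and port, so that replacement firewall rules can be planned from observed behaviour rather than guesswork. It assumes Windows 8/Server 2012 or later (NetTCPIP module) and an elevated session; no ENS-specific API is used.

```powershell
# Added example (not Trellix code): inventory network endpoints used by the Windows
# processes covered by the ENS "Allow outbound system/stock applications" core rules.
# Run elevated on a test client BEFORE enabling "Disable Trellix core networking rules".

# Process names from the KB's list; "System" is the SYSTEM process (PID 4).
$coreProcesses = @('System', 'services', 'svchost', 'lsass', 'userinit',
                   'winlogon', 'alg', 'spoolsv', 'dns')

# Build a PID -> process name map once so each connection can be attributed.
$procByPid = @{}
Get-Process | ForEach-Object { $procByPid[$_.Id] = $_.ProcessName }

# Established TCP connections: remote port and peer are what an outbound rule needs.
$tcp = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Process  = $procByPid[[int]$_.OwningProcess]
            Protocol = 'TCP'
            Port     = $_.RemotePort
            Peer     = $_.RemoteAddress
        }
    }

# UDP endpoints are listeners (no peer recorded); the local port still shows which
# services (DNS client, NetBIOS, DHCP client) are active on this host.
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Process  = $procByPid[[int]$_.OwningProcess]
            Protocol = 'UDP'
            Port     = $_.LocalPort
            Peer     = 'n/a (listener)'
        }
    }

# Keep only the core processes and summarise one line per process/protocol/port.
$inventory = @($tcp) + @($udp) |
    Where-Object { $_.Process -and ($coreProcesses -contains $_.Process) } |
    Group-Object Process, Protocol, Port |
    ForEach-Object {
        [pscustomobject]@{
            Process  = $_.Group[0].Process
            Protocol = $_.Group[0].Protocol
            Port     = $_.Group[0].Port
            Peers    = ($_.Group.Peer | Sort-Object -Unique) -join ', '
            Count    = $_.Count
        }
    } | Sort-Object Process, Protocol, Port

$inventory | Format-Table -AutoSize
```

Run the script several times across a working day (after logon, during printing, during a group policy refresh) and merge the output; each remaining Process/Protocol/Port/Peers line is a candidate for a specific firewall rule, or for a Trusted Executable or Defined Networks (Trusted) entry, once the core rules are disabled.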
Should I disable the core networking group for testing or production use?
Some customers might want to control network traffic more tightly via firewall rules, for example, to allow DNS-related traffic only to specific DNS server IP addresses. So, disabling the core networking group is an option. But, we don't recommend that you disable core networking rules. It might cause network communication issues on the client, as noted by the pop-up message that appears when you enable this feature in the user interface:
Disabling Trellix core networking rules could disrupt network communications on the client.
Be aware of what type of issues might occur when these core networking group firewall rules are disabled. Make sure that you perform thorough tests before you implement a policy that has this feature enabled in production environments. You might need to create or modify firewall rules to resolve any issues that occur.
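The "thorough tests" the article asks for can be reduced to a repeatable smoke test that exercises each traffic type the core rules cover. The following PowerShell script is an added example, not part of the Trellix KB article or an ENS component: it checks DNS resolution against a permitted resolver, ICMP to the default gateway, loopback, SMB (TCP/445) to a file server, presence of a DHCP lease, the domain secure channel used by logon, and the print spooler service. The resolver and share host values are placeholders you must replace; it assumes a domain-joined Windows client and an elevated session.

```powershell
# Added example (not Trellix code): post-change smoke test for the traffic types the
# ENS core networking rules cover. Run elevated on a test client AFTER enabling
# "Disable Trellix core networking rules" and before any production rollout.
param(
    [string]$Resolver  = '192.0.2.53',          # placeholder: your permitted DNS server
    [string]$ShareHost = 'fileserver.example'   # placeholder: an SMB host the client uses
)

$results = [ordered]@{}

# DNS: the core rule "Allow outbound DNS traffic" covered UDP/53. A replacement rule
# must still let the DNS client reach the permitted resolver.
try {
    $dnsOk = [bool](Resolve-DnsName -Name $ShareHost -Server $Resolver -DnsOnly -ErrorAction Stop)
} catch { $dnsOk = $false }
$results['DNS (UDP/53)'] = $dnsOk

# ICMP: outbound ping was allowed through "Allow outbound system applications" (SYSTEM, PID 4).
$gateway = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object -First 1).NextHop
$results['ICMP to gateway'] = Test-Connection -ComputerName $gateway -Count 1 -Quiet

# Loopback: covered by "Allow outbound loopback and broadcast traffic".
$results['Loopback'] = Test-Connection -ComputerName 127.0.0.1 -Count 1 -Quiet

# SMB via SYSTEM: the KB names NetBIOS/SMB as traffic the SYSTEM rule allowed.
$smb = Test-NetConnection -ComputerName $ShareHost -Port 445 -WarningAction SilentlyContinue
$results['SMB (TCP/445)'] = $smb.TcpTestSucceeded

# DHCP: a DHCP-assigned IPv4 address must still be present. This is only conclusive
# after a renewal, so run "ipconfig /renew" on the test client first.
$dhcpAddr = Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp -ErrorAction SilentlyContinue
$results['DHCP lease present'] = [bool]$dhcpAddr

# User logon: lsass/winlogon traffic to the domain controller (secure channel).
try { $scOk = Test-ComputerSecureChannel -ErrorAction Stop } catch { $scOk = $false }
$results['Domain secure channel'] = $scOk

# Printing: spoolsv.exe was covered by "Allow outbound stock applications".
$results['Spooler service'] = (Get-Service -Name Spooler).Status -eq 'Running'

$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'OK' } else { 'CHECK - may need a firewall rule' }
    '{0,-24} {1}' -f $_.Key, $state
}
```

Any line reported as CHECK points to a traffic type that the core rules previously allowed and that now needs an explicit rule in the Firewall Rules policy (or a Trusted Executable / Defined Networks entry) before the policy reaches production.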
What are some examples where the Trellix core networking rules might be disabled?
Some types of network traffic are allowed through these core networking rules; see the following examples. If you need to control these types of network traffic, you can disable the Trellix core networking rules. But, as stated above, take care when doing so (disabling the core networking rules isn't recommended), and perform thorough testing before implementing the change in a production environment.
- Outbound NetBIOS/SMB (for example, TCP/UDP ports 137–139 and 445) and ICMP (for example, "ping" traffic) network traffic is allowed via the "Allow outbound system applications" rule because this traffic communicates via the SYSTEM (PID 4) process.
- Outbound DNS (UDP port 53) network traffic is allowed via the "Allow outbound DNS traffic" rule.
- Within the Trellix Default Firewall Rules policy, there's a copy of these Trellix core networking rules that you can duplicate if needed. But, changing this group of rules doesn't affect the hard-coded Trellix core networking rules on the ENS client.
- Some of these firewall rules aren't needed after they're duplicated, because the hard-coded version of the rule can't be disabled. (See "Which core networking firewall rules aren't disabled when I enable the "Disable Trellix core networking rules" feature?" above.)
- Be aware that you need to delete the duplicated "Allow inbound traffic from special IP addresses" rule, because the 0.0.0.0 special IP address that it uses is invalid within custom firewall rules (which is why it's a hard-coded core networking rule).
Related Information
For detailed information about configuring ENS Firewall features, see the Endpoint Security Product Guide.
For product documents, go to the Product Documentation portal.
To submit a new product idea, go to the Enterprise Customer Product Ideas page.
Click Sign In and enter your ServicePortal User ID and password. If you do not yet have a ServicePortal or Community account, click Register to register for a new account on either website.
For more information about product ideas, see KB60021 - How to submit a Product Idea.