Endpoint Security Firewall incorrectly allows/blocks network traffic through Firewall rules that do not have a defined Executable FILE PATH

Technical Articles ID: KB92611
Last Modified: 2023-03-02 20:14:35 Etc/GMT

Environment

Endpoint Security (ENS) Firewall 10.7.0 February 2020 Update, 10.6.1 February 2020 Update

Problem

ENS Firewall 10.6.1 February 2020 Update and 10.7.0 February 2020 Update allow and block network traffic through Firewall rules when the rule does not have a defined Executable FILE PATH value. This issue occurs with any Firewall rule that meets this criteria, but it is commonly seen with the "Allow McAfee signed applications" rule within the default Firewall Rule policies.

Cause

The issue is caused when a Firewall rule has listed an Application Executable and that Executable is defined with a HASH, SIGNER, or FILE DESCRIPTION value, but not a FILE PATH value. When the Firewall rule is created with these details, it is enforced into the Firecore engine without the Executable. This fact causes other types of network traffic to be allowed or blocked through this rule because the Executable is not added, but the other attributes of the Firewall rule are. This issue affects any type of Firewall rule whether it is created in an ePO policy or local user-defined in the ENS Console. This issue does not affect the hard-coded "McAfee Core Networking" rules.

Solution

This issue is resolved in ENS 10.6.1 April 2020 Update and ENS 10.7.0 April 2020 Update.

Our product software, upgrades, maintenance releases, and documentation are available on the Product Downloads site.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

Workaround

To work around this issue, review the existing Firewall rules in the Firewall Options and Firewall Rules policies. Any Firewall rule that has a defined Executable must have the FILE PATH criteria defined. Other Executable criteria, for example, HASH, SIGNER, and FILE DESCRIPTION values, can be used in addition, but the FILE PATH must be defined.

NOTE: After the solution is applied, you can revert the rule configuration to its previous configuration where the FILE PATH was non-populated. The other criteria (HASH, SIGNER, and FILE DESCRIPTION) alone can be used as needed.

Related Information

A symptom that might occur is that ENS Firewall no longer updates the FirewallEventMonitor.log file, which is the result of the Log All Allowed Firewall option not being enabled. When the Firewall allows the network traffic through the affected rule, network traffic is no longer blocked. The Allow McAfee signed applications Firewall rule inside the McAfee Default Firewall Rules policy is an example of an affected rule. So, with the Firewall Options policy option Log all blocked only, the appearance is that Firewall logging is not working, but in fact, the traffic is being allowed and not logged. To log all blocked and allowed network traffic to the local FirewallEventMonitor.log file, enable both the Log All Blocked and Log All Allowed Firewall options in the ENS Firewall Options policy.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Endpoint Security Firewall incorrectly allows/blocks network traffic through Firewall rules that do not have a defined Executable FILE PATH

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Endpoint Security Firewall incorrectly allows/blocks network traffic through Firewall rules that do not have a defined Executable FILE PATH

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Choose your region

Title

Title