This article provides FAQs about the ENSLFW log configuration and files.
How do I track the log files?
You can separately track the log files for command-line interface (CLI)-based activities and firewall-based activities at the following locations:
- CLI:
(10.6.6 and later) : /var/McAfee/ens/log/fw/mfefwcli/mfefwcli.log
(10.6.5 and earlier) : /opt/McAfee/mfw/var/mfw/mfw.log
- Main Firewall Process:
(10.6.6 and later) : /var/McAfee/ens/log/fw/mfefwd.log
(10.6.5 and earlier) : /opt/McAfee/mfw/var/mfefirewall.log
How do I enable debug logging?
Use this command to enable debug logging:
- Debug Logging
(10.6.6 and later) : /opt/McAfee/ens/fw/bin/mfefwcli --fw-log-level debug
(10.6.5 and earlier) : /opt/McAfee/mfw/bin/mfw --fw-log-level debug
How do I read firewall rule logs?
Here's the log entry syntax:
MFE_I/O_A/B_firewall_rule_name, where I/O indicates inbound or outbound, A/B indicates allow or block, and firewall_rule_name is the name of the firewall rule.
- Example:
Jun 16 07:56:26 Rhel-ENSL-1070 kernel: MFE_O_A_McAfee_Allow_DNS_ResIN= OUT=ens192 SRC=10.12.18.141 DST=10.92.65.223 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=54247 DF PROTO=UDP SPT=48500 DPT=53 LEN=56 MARK=0x110
MFE_O_A_McAfee_Allow_DNS_ResIN= - Outbound (O), allowed (A) traffic matching the rule named McAfee_Allow_DNS_Res; the empty IN= (input interface) field follows the rule name with no separating space
OUT=ens192 - Outbound (output) interface
SRC=10.12.18.141 - Source IP Address
DST=10.92.65.223 - Destination IP Address
PROTO=UDP - Protocol
SPT=48500 - Source Port Number
DPT=53 - Destination Port Number
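As an added example (not part of the original article), the following Python parser reads ENSLFW kernel log lines of the MFE_I/O_A/B_rule_name form described above and splits them into direction, action, rule name and packet fields. It handles the quirk visible in the examples: the rule prefix runs straight into the IN= field with no separating space. The sample input is the two log lines quoted in this article; the function names are my own.

```python
import re
from typing import Optional

# Constructed sample input: the two log lines quoted in this article.
SAMPLE_LINES = [
    "Jun 16 07:56:26 Rhel-ENSL-1070 kernel: MFE_O_A_McAfee_Allow_DNS_ResIN= OUT=ens192 SRC=10.12.18.141 DST=10.92.65.223 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=54247 DF PROTO=UDP SPT=48500 DPT=53 LEN=56 MARK=0x110",
    "Aug 25 00:06:05 Ubuntu-Latest kernel: [14759670.662928] MFE_I_B_Block_ruleIN=ens160 OUT= MAC=01:00:5e:00:00:fb:00:50:56:93:3c:9b:08:00 SRC=10.12.29.215 DST=224.0.0.251 LEN=67 TOS=0x00 PREC=0x00 TTL=1 ID=4250 PROTO=UDP SPT=5353 DPT=5353 LEN=47 MARK=0x105",
]

# Prefix is MFE_<I|O>_<A|B>_<rule name>, immediately followed by the netfilter
# fields. No space separates the prefix from the first field, so the rule name
# is matched lazily up to the first "IN=".
_PREFIX_RE = re.compile(
    r"MFE_(?P<dir>[IO])_(?P<act>[AB])_(?P<rule>.+?)IN=(?P<in_if>\S*)(?P<rest>.*)$"
)
DIRECTION = {"I": "inbound", "O": "outbound"}
ACTION = {"A": "allow", "B": "block"}


def parse_fw_log_line(line: str) -> Optional[dict]:
    """Return direction, action, rule name and packet fields of one ENSLFW
    kernel log line, or None if the line carries no MFE_ rule prefix."""
    m = _PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {"IN": m.group("in_if")}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            # LEN appears twice (IP total length, then transport length);
            # keep the first, IP-level value.
            fields.setdefault(key, value)
        else:
            fields[token] = True  # bare flags such as DF
    return {
        "direction": DIRECTION[m.group("dir")],
        "action": ACTION[m.group("act")],
        "rule": m.group("rule"),
        "fields": fields,
    }


def blocked_inbound(lines):
    """Filter for inbound traffic blocked by a rule, i.e. the events a default
    drop rule with 'Log matching traffic' enabled produces."""
    events = (parse_fw_log_line(l) for l in lines)
    return [e for e in events if e and e["direction"] == "inbound" and e["action"] == "block"]


if __name__ == "__main__":
    for e in blocked_inbound(SAMPLE_LINES):
        f = e["fields"]
        print(f"{e['rule']}: {f['SRC']}:{f.get('SPT')} -> {f['DST']}:{f.get('DPT')} {f['PROTO']}")
```

Feed it lines from /var/log/messages, /var/log/firewall or /var/log/syslog (whichever your distribution uses) to get structured events for a SIEM or a quick triage script.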
Where do I find logs relating to firewall rules?
Logs for firewall rules are accessible from the following three locations:
- /var/log/messages
- /var/log/firewall (for SUSE)
- /var/log/syslog (for Ubuntu)
How do I list the local firewall rules on the ENSLFW Linux client?
Use this command and view the rule log prefix in the Rule Log Prefix column:
(10.6.6 and later) :
/opt/McAfee/ens/fw/bin/mfefwcli --fw-rules-list
(10.6.5 and earlier) :
/opt/McAfee/mfw/bin/mfw --fw-rules-list
How do I list the firewall rules?
Use this command to view the firewall rules:
(10.6.6 and later) :
/opt/McAfee/ens/fw/bin/mfefwcli --fw-rules-list --xml
(10.6.5 and earlier) :
/opt/McAfee/mfw/bin/mfw --fw-rules-list --xml
How do I log firewall activity (for allowed or blocked network traffic) to the local log files?
In the firewall rule configuration settings, enable the Log matching traffic option.
NOTE: With ENSLFW 10.7, a new feature was added to enable logging for all allowed and blocked network traffic via the Firewall Options policy. See the Endpoint Security for Linux Firewall 10.7.0 Release Notes for details.
How do I log all blocked traffic?
By default, ENSLFW doesn't log all blocked traffic. If none of the ENSLFW rules match, all packets are dropped. By default, no log is created for this dropped traffic. To log the default dropped traffic, you must create a default drop rule in the Firewall policy as follows:
- Select the Add rule option in the Firewall rules Policy Catalog to add a rule at the end of the policy.
- Use the following settings for the rule:
- Name: Default_Drop_Rule
- Status: Enable
- Action: Block
- Enable "Log matching traffic"
- Direction: In
- Protocol: Any
- Transport protocol: All protocols
- Disable Scheduling
- Click Save.
- Move this rule to the end of the policy.
- Enforce the rule on the Linux system by performing an agent wakeup.
- Check the log settings with the following CLI command. Make sure Log all Blocked traffic is enabled. (This setting is enabled by default.)
(10.6.6 and later) : /opt/McAfee/ens/fw/bin/mfefwcli --showlogsettings
(10.6.5 and earlier) : /opt/McAfee/mfw/bin/mfw --showlogsettings
If the setting isn't enabled, execute the following command:
/opt/McAfee/ens/fw/bin/mfefwcli --log-blocked-traffic enable
- Traffic Example:
Aug 25 00:06:05 Ubuntu-Latest kernel: [14759670.662928] MFE_I_B_Block_ruleIN=ens160 OUT= MAC=01:00:5e:00:00:fb:00:50:56:93:3c:9b:08:00 SRC=10.12.29.215 DST=224.0.0.251 LEN=67 TOS=0x00 PREC=0x00 TTL=1 ID=4250 PROTO=UDP SPT=5353 DPT=5353 LEN=47 MARK=0x105
Can I trigger ePolicy Orchestrator (ePO) events for ENSLFW firewall rules?
Yes. For the firewall rule for which you want to trigger ePO events, enable the Treat match as Intrusion option.