How to create ENS Firewall rules for third-party application network traffic (ePO managed)
Technical Articles ID:
KB91885
Last Modified: 2022-02-28 17:48:26 Etc/GMT
Environment
Endpoint Security (ENS) Firewall 10.x
Summary
After you apply the solution steps, you can use the applications normally with ENS Firewall activated and the adaptive mode disabled.
Problem
ENS Firewall blocks application network traffic. The FirewallEventMonitor.log at %PROGRAMDATA%\McAfee\Endpoint Security\Logs contains entries like the one below for the blocked application traffic. In the example below, outgoing TCP traffic from Firefox.exe to port 8443 is blocked.
Time: 09/16/2019 04:31:03 PM
Event: Traffic
IP Address: 192.168.2.102
Description: FIREFOX
Path: C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
Message: Blocked Outgoing TCP - Source 192.168.2.105 : (54366) Destination 192.168.2.102 : (8443)
Matched Rule: Block all traffic
NOTE: By default, the rules Allow outbound TCP traffic and Allow ePolicy Orchestrator console allow this traffic.
System Change
Traffic might be blocked when either of the following changes occurs:
- After you install the ENS Firewall module on managed systems, some application traffic is blocked because of the policy configurations in ePO.
- After you change the policy configurations, some application ports get blocked.
Cause
ENS Firewall isn't configured to allow the application traffic.
Solution
Create ENS Firewall rules that allow third-party application network traffic. You can define rules broadly (for example, all IP traffic) or narrowly (for example, identifying a specific application or service) and specify options. You can group rules according to a work function, service, or application for easier management. As with rules, you can define the rule groups by network, transport, application, schedule, and location options. ENS Firewall uses precedence to apply rules:
- ENS Firewall applies the rule at the top of the firewall rules list. If the traffic meets this rule's conditions, ENS Firewall allows or blocks the traffic. It doesn't try to apply any other rules in the list.
- If the traffic doesn't meet the first rule's conditions, ENS Firewall continues to the next rule in the list until it finds a match.
- If no rule matches, ENS Firewall automatically blocks the traffic.
NOTE: The local system is the system on which you're adding rules.
- Click the McAfee notification area icon and then click About. Verify that ePO manages the system and note the system name.
- Open the ePO console.
- Select Menu, Policy, Policy Catalog.
- Select Endpoint Security Firewall from the Product list.
- Select the affected systems in the System Tree.
- Select Actions, Agent, Modify Policies on a Single System.
- Click the Rules policy name link.
NOTES:
- If you still have the McAfee Default (read-only) policy assigned, duplicate the policy and start working on the new policy. After you configure the new policy, assign it to systems.
- There's a red alert at the top of the rule editing page to inform you about the number of systems that the rule affects. Changes to the rule impact all these systems. If there isn't a red alert, the policy is still not assigned to any system.
- If the system isn't managed (standalone installation), create rules locally.
- We highly recommend using the adaptive mode after installing ENS Firewall to create rules automatically. Then, test all applications. After testing, disable the adaptive mode because it allows all network traffic.
- Click Add Rule below the rules list.
- Type a Rule Name.
- Leave Enable Rule selected.
- Set Actions to Allow.
NOTE: To block allowed traffic, place a rule at the top of the list or deselect Enable Rule for the rule that is allowing the traffic. To find which rule is allowing traffic, select Log Allowed Traffic in the option section and search for the traffic in FirewallEventMonitor.log.
- Select the traffic Direction (In, Out, or Either). If you send and receive traffic, select Either. Otherwise, select Out for outgoing traffic.
- Go to Specify networks in the Networks section.
- Click Add Local and then click Add an IP Address. Add the single local IP address 192.168.2.105, or the IP address range of all client systems to which this rule is assigned and on which you want to allow this traffic (for example, DHCP workstations in the range 192.168.2.100 to 192.168.2.200).
- Click Add Remote and then click Add an IP Address. To specify only one remote network for this rule, add the single remote IP address 192.168.2.102.
- Go to the Transport section. If you don't want to allow all protocols, select the protocol; in this example, select TCP. After you specify the protocol, you can select the remote and local ports. In this example, type 8443 in the remote port field. In the log, the port for each IP address appears in parentheses after the address.
TIP: You can type a single port number, a series of port numbers using a comma, or a range of ports using a hyphen.
- Go to the Applications section. You can narrow the allowed traffic by specifying applications by MD5 hash, executable file name, or file path. In this example, we add C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE. We can also add Firefox.exe or C:\PROGRAM FILES\MOZILLA FIREFOX\*.
- Schedule a time for applying this rule, or leave the option Enable Schedule disabled.
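To make the precedence rules and the rule-building steps above concrete, here is an added Python example; it is not part of this article and not ENS code. It parses the FirewallEventMonitor.log entry from the Problem section, builds the narrow allow rule that the steps describe (local address, remote address, TCP, remote port 8443, application path), and evaluates the rules list top-down with first match wins and a default block. The log-layout assumptions (one "Field: value" per line, the Message field shaped exactly as in the sample), the Rule fields, and the names parse_event, parse_ports, app_matches, evaluate and allow_rule_from_event are the example's own and do not correspond to ENS internals.

```python
import fnmatch
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the blocked-traffic entry from the Problem section, in log form.
SAMPLE_LOG = """Time: 09/16/2019 04:31:03 PM
Event: Traffic
IP Address: 192.168.2.102
Description: FIREFOX
Path: C:\\PROGRAM FILES\\MOZILLA FIREFOX\\FIREFOX.EXE
Message: Blocked Outgoing TCP - Source 192.168.2.105 : (54366) Destination 192.168.2.102 : (8443)
Matched Rule: Block all traffic
"""

# Assumed layout of the Message field, taken from the sample entry above.
MESSAGE_RE = re.compile(r"(?P<action>\w+) (?P<direction>\w+) (?P<proto>\w+) - Source (?P<src>[\d.]+)"
                        r" : \((?P<sport>\d+)\) Destination (?P<dst>[\d.]+) : \((?P<dport>\d+)\)")

@dataclass
class Event:
    direction: str      # "Out" or "In", as the rule editor names them
    protocol: str       # "TCP", "UDP", ...
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    path: str           # executable that sent or received the traffic

def parse_event(text):
    """Parse one log entry; for outgoing traffic the Source is the local system."""
    fields = dict(line.split(": ", 1) for line in text.strip().splitlines() if ": " in line)
    m = MESSAGE_RE.match(fields["Message"])
    assert m, "unrecognised Message line: " + fields["Message"]
    outgoing = m["direction"].lower().startswith("out")
    src, dst = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
    (lip, lport), (rip, rport) = (src, dst) if outgoing else (dst, src)
    return Event("Out" if outgoing else "In", m["proto"].upper(), lip, lport, rip, rport, fields["Path"])

def parse_ports(spec):
    """Port field syntax from the TIP: a single port, a comma-separated list, or a hyphen range."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def app_matches(pattern, path):
    """Match a full path, a bare executable name, or a path ending in * (case-insensitive)."""
    pat, full = pattern.lower(), path.lower()
    return fnmatch.fnmatchcase(full, pat) or fnmatch.fnmatchcase(full.rsplit("\\", 1)[-1], pat)

@dataclass
class Rule:
    name: str
    action: str                      # "Allow" or "Block"
    direction: str = "Either"        # "In", "Out" or "Either"
    protocol: str = None             # None = all protocols
    local_nets: list = field(default_factory=list)    # ip_network objects; empty = any address
    remote_nets: list = field(default_factory=list)
    remote_ports: set = field(default_factory=set)    # empty = any port
    applications: list = field(default_factory=list)  # empty = any application
    enabled: bool = True

    def matches(self, ev):
        """Every configured field must match; fields left empty match anything."""
        local, remote = ipaddress.ip_address(ev.local_ip), ipaddress.ip_address(ev.remote_ip)
        return (self.direction in ("Either", ev.direction)
                and (not self.protocol or self.protocol == ev.protocol)
                and (not self.local_nets or any(local in n for n in self.local_nets))
                and (not self.remote_nets or any(remote in n for n in self.remote_nets))
                and (not self.remote_ports or ev.remote_port in self.remote_ports)
                and (not self.applications or any(app_matches(a, ev.path) for a in self.applications)))

def evaluate(rules, ev):
    """Top-down, the first enabled matching rule decides; with no match the traffic is blocked."""
    for rule in rules:
        if rule.enabled and rule.matches(ev):
            return rule.action, rule.name
    return "Block", "(no rule matched)"

def allow_rule_from_event(name, ev):
    """The narrow allow rule that the Solution steps build from a blocked log entry."""
    return Rule(name, "Allow", direction=ev.direction, protocol=ev.protocol,
                local_nets=[ipaddress.ip_network(ev.local_ip)],
                remote_nets=[ipaddress.ip_network(ev.remote_ip)],
                remote_ports={ev.remote_port}, applications=[ev.path])

def demo():
    ev = parse_event(SAMPLE_LOG)
    block_all = Rule("Block all traffic", "Block")
    allow_ff = allow_rule_from_event("Allow Firefox to 8443", ev)
    return {"before": evaluate([block_all], ev),
            "allow_on_top": evaluate([allow_ff, block_all], ev),
            "allow_below_block": evaluate([block_all, allow_ff], ev)}

print(demo())
```

Running it shows the Firefox event blocked by "Block all traffic", allowed once the new rule is placed above it, and blocked again when the new rule sits below it, which is why the position of the rule in the rules list matters. The allow-all rule from Workaround 2 corresponds to Rule("ALLOW ANY", "Allow") placed at the top of the list.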
Workaround 1
Disable the ENS Firewall module as follows if you want to temporarily allow all traffic without any blocking:
- Open the ePO console.
- Select Menu, Policy, Policy Catalog.
- Select Endpoint Security Firewall from the Product list, and then select the Options policy.
- Deselect Enable Firewall to disable the ENS Firewall module.
- Click Save.
- Configure rules as described in the "Solution" section above.
- Select Enable Firewall to enable the ENS Firewall module.
- Test applications and find any blocked network traffic in the FirewallEventMonitor.log.
Workaround 2
Create an allow-all policy if you want to temporarily allow all traffic without any blocking:
- Open the ePO console.
- Select Menu, Policy, Policy Catalog.
- Select Endpoint Security Firewall from the Product list.
- Click Add Rule.
- Go to the Description section and configure the following settings:
- Name - ALLOW ANY
- Status - Enable rule
- Actions - Allow
- Treat match as intrusion - Disabled
- Log matching traffic - Disabled
- Direction - Either
- Go to the Networks section and configure the following settings:
- Network protocol - Any protocol
- Connection types - Select all types shown
- Specify Networks - No configuration is needed
- Go to the Transport section and configure the following setting:
- Transport protocol: All protocols
- Go to the Applications section and leave the default settings. No configuration is needed.
- Go to the Schedule section and configure the following setting:
- Enable schedule - Disabled
Workaround 3
Enable the ENS Firewall adaptive mode to automatically create some rules. By enabling the adaptive mode, you allow all traffic without any blocking.
Be aware of the limitations of the adaptive mode feature. There are conditions where the ENS Firewall can't automatically create client rules. For details, see the "FAQ - Adaptive mode" section of the Endpoint Security 10.7.x Product Guide.
- Open the ePO console.
- Select Menu, Policy, Policy Catalog.
- Select Endpoint Security Firewall from the Product list, and then select the Options policy.
- Click Show Advanced.
- Go to the Tuning Options section and select Enable Adaptive Mode.
- Apply the modified policy to the client and retest the issue. If the issue is resolved, continue to the next step. If the issue isn't resolved, continue to the next section.
- Open the ENS console and open the Firewall menu.
- Go to the Rules section and review the Adaptive firewall group.
- Expand the Adaptive firewall group and review the client rules to determine why the new rules were created. Firewall client rules might be created for several reasons. Modify the existing rules as needed. Or, create firewall rules in the policy if other firewall rules exist in the policy for that specific application or network traffic. If you believe that the rules were created in error, contact Technical Support for further investigation. See the "Related Information" section for contact details.
- Perform all application testing and verify that adaptive rules were created.
- Open the ePO console.
- Select Menu, Firewall Client rules.
- Use the drop-down list to select the client system. Click Actions, Add to policy, and then select the rule created on the client system.
Related Information
Firewall rules examples
See the examples below when creating firewall rules.
Create rules that allow you to get an IP address on an interface
To create firewall rules that allow you to get an IP address on an interface, we recommend creating two rules. First, create a rule to allow DHCP outgoing on UDP local port 68 and remote port 67. Then, create a rule to allow DNS queries.
- Create a rule that allows DHCP outgoing on UDP local port 68 to remote port 67:
- Rule Name - Type a name for the rule
- Status - Enabled
- Action - Allow
- Direction - Outgoing
- Network Protocol (IPv4) - Not applicable
- Transport Protocol - Select Protocol
- Select UDP, Local, and then type the Port No as 68
- Select UDP, Remote, and then type the Port No as 67
- Create a rule that allows DNS queries:
- Rule Name - Type a name for the rule
- Status - Enabled
- Action - Allow
- Direction - Outgoing
- Network Protocol (IPv4) - Not applicable
- Transport Protocol - Select Protocol
- Select UDP, Remote, and then type the Port No as 53
- Rule Name - Type a name for the rule
- Status - Enabled
- Action - Allow
- Direction - Outgoing
- Network Protocol (IPv4) - Not applicable
- Transport Protocol - Select Protocol
- Select TCP, Remote, and then type the Port No as 80
- Rule Name - Type a name for the rule
- Status - Enabled
- Action - Allow
- Direction - Outgoing
- In Network Protocol (IPv4), select Remote, Subnet, and then type the Subnet Mask value
- Transport Protocol - Select Protocol
- Select TCP, Remote, and then type the Port No
Recommended firewall rules
In addition to the default firewall rules, we recommend that you configure these rules:
- Allow bidirectional NTP port 123–123
- Allow bidirectional NetBIOS name service port 137–137
- Allow outgoing FTP client port 1024–65535 to 21
- Allow outgoing for POP3, IMAP, SMTP
- Allow outgoing for RDP
- Allow outgoing for LDAP
- Allow bidirectional for AFP/SMB, if you're using file sharing
See this Microsoft article for more information.
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.