Duplicating "Allow inbound traffic from special IP addresses" allows all traffic that hits the rule
Last Modified: 2021-12-17 12:49:02 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Duplicating "Allow inbound traffic from special IP addresses" allows all traffic that hits the rule
Technical Articles ID:
KB92563
Last Modified: 2021-12-17 12:49:02 Etc/GMT Environment
Endpoint Security (ENS) Firewall 10.x
Problem
After you duplicate the core networking rule "Allow inbound traffic from special IP addresses," the ENS Firewall allows all traffic that hits the rule.
Cause
ENS has hard-coded the rule "Allow inbound traffic from special IP addresses" with special IP addresses 0.0.0.0 and 0000:0000:0000:0000:0000:0000:0000:0000. Duplicating this rule is allowed. But, when you open the rule, you can see that the IP address field under Remote Network is empty, denoting an "invalid address."
Solution
Don’t duplicate the rule "Allow inbound traffic from special IP addresses." If the mentioned special IP addresses need to be allowed, enable the built-in rule because the rule isn’t meant for duplication.
Affected ProductsLanguages:This article is available in the following languages: |
|