Firewall log shows a BLOCK event for network traffic matching an ALLOW rule
Last Modified: 2023-07-05 10:36:33 Etc/GMT
Technical Articles ID: KB94503
Environment
Endpoint Security (ENS) Firewall 10.x
ENS Threat Prevention 10.x

Problem
The ENS Firewall logs a BLOCKED event for traffic that matched an ALLOW rule. The logged event shows:

Event: Traffic
IP Address: 10.10.10.1
Description:
Path:
Message: Blocked Incoming TCP - Source 10.10.10.1 : (50016) Destination 10.10.10.2 : rdp (3389)
Matched Rule: Allow all

Solution
Verify that the remote IP address hasn't been added to the block list in the Firecore driver because of an ENS Threat Prevention Network IPS (NIPS) signature violation. The ENS Firecore driver manages network traffic to and from the system, and a block-list entry there is enforced before any firewall rule is evaluated, which is why the event reports a match on an ALLOW rule yet a BLOCK action. A remote IP address is added to the block list within the ENS Firecore driver in the following scenarios:
To verify whether the IP address is in the block list, open an administrator command prompt and run the command below. The command shows the IP address and the related block timeout value.

Example:
Low: 10.10.10.1
High: 10.10.10.1
Time to live: 3600
Time remaining: 2218
Auto create is true

NOTE: The ENS Threat Prevention Exploit Prevention policy setting "Number of seconds (1–9999) to block" sets the "Time to live" value.
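The following is an added example, not part of the KB article and not Trellix code, showing how a responder can correlate a BLOCK event that names an ALLOW rule with the block-list output above. It parses the event's Message line and the Low/High/Time to live/Time remaining/Auto create output shown in the article, then checks whether the remote peer of the blocked flow falls inside a block-list range that has not yet expired. The two input strings are constructed samples built from the values in this article; the field names `src`, `dst`, `direction` and the class `BlockEntry` are this example's own assumptions, not product identifiers.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the Message field from the firewall event in this article.
FIREWALL_EVENT = (
    "Blocked Incoming TCP - Source 10.10.10.1 : (50016) "
    "Destination 10.10.10.2 : rdp (3389) Matched Rule: Allow all"
)

# Constructed sample: block-list output in the format shown in the article.
BLOCKLIST_OUTPUT = """\
Low: 10.10.10.1
High: 10.10.10.1
Time to live: 3600
Time remaining: 2218
Auto create is true
"""

# "Source 10.10.10.1 : (50016)" has no service name; "Destination 10.10.10.2 : rdp (3389)"
# carries one, so the service name is optional on both sides.
EVENT_RE = re.compile(
    r"^(?P<action>Blocked|Allowed)\s+(?P<direction>Incoming|Outgoing)\s+(?P<proto>\w+)\s+-\s+"
    r"Source\s+(?P<src>[\d.]+)\s*:\s*(?:\w+\s*)?\((?P<sport>\d+)\)\s+"
    r"Destination\s+(?P<dst>[\d.]+)\s*:\s*(?:(?P<dsvc>\w+)\s*)?\((?P<dport>\d+)\)\s+"
    r"Matched Rule:\s*(?P<rule>.+?)\s*$"
)


@dataclass
class BlockEntry:
    """One Firecore block-list entry (assumed structure, derived from the printed fields)."""
    low: ipaddress.IPv4Address
    high: ipaddress.IPv4Address
    ttl: int            # "Time to live" in seconds
    remaining: int      # "Time remaining" in seconds
    auto_create: bool   # "Auto create is true/false"

    def covers(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        return self.low <= addr <= self.high


def parse_event(message: str) -> Dict[str, object]:
    """Parse the Message line of an ENS firewall Traffic event into its fields."""
    m = EVENT_RE.match(message.strip())
    if m is None:
        raise ValueError(f"unrecognised firewall message: {message!r}")
    d: Dict[str, object] = m.groupdict()
    d["sport"] = int(m.group("sport"))
    d["dport"] = int(m.group("dport"))
    return d


def _build(fields: Dict[str, object]) -> BlockEntry:
    return BlockEntry(
        low=ipaddress.IPv4Address(str(fields["low"])),
        high=ipaddress.IPv4Address(str(fields["high"])),
        ttl=int(str(fields["time to live"])),
        remaining=int(str(fields["time remaining"])),
        auto_create=bool(fields.get("auto_create", False)),
    )


def parse_blocklist(text: str) -> List[BlockEntry]:
    """Parse block-list output; each entry starts at a 'Low:' line."""
    entries: List[BlockEntry] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Low:") and current:
            entries.append(_build(current))
            current = {}
        if line.startswith("Auto create is"):
            current["auto_create"] = line.split()[-1].lower() == "true"
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        entries.append(_build(current))
    return entries


def find_blocking_entry(message: str, blocklist_text: str) -> Optional[BlockEntry]:
    """Return the unexpired block-list entry covering the remote peer of the event, if any."""
    ev = parse_event(message)
    # For incoming traffic the remote peer is the source; for outgoing it is the destination.
    remote = str(ev["src"] if ev["direction"] == "Incoming" else ev["dst"])
    for entry in parse_blocklist(blocklist_text):
        if entry.covers(remote) and entry.remaining > 0:
            return entry
    return None


if __name__ == "__main__":
    hit = find_blocking_entry(FIREWALL_EVENT, BLOCKLIST_OUTPUT)
    if hit is None:
        print("remote peer is not on the Firecore block list; look elsewhere for the BLOCK")
    else:
        print(f"blocked by Firecore block-list entry {hit.low}-{hit.high}, "
              f"{hit.remaining}s of {hit.ttl}s remaining (auto create: {hit.auto_create})")
```

A non-empty result explains the apparent contradiction in the event: the ALLOW rule did match, but the Firecore block-list entry for the peer took precedence for the remaining seconds shown. An empty result means the block list is not the cause and the rule set itself needs review.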