cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

Bypass mcafee Firewall for ip inepolicy orchestrator

I want to use WMI to get information from our clients, but mcafee firewall is blocking this.

I can't get this to work, so now I just disable the firewall, do my thing and turn it back on.

I want to bypass the firewall for a few ip addresses or find a solution to get the WMI to work with mcafee, which seems impossible to do.

Does anybody know how I can set this up?

Thanks in advance for any advice!

 

We use Endpoint Security 10.5

Labels (3)
Tags (3)
4 Replies
Highlighted

Re: Bypass mcafee Firewall for ip inepolicy orchestrator

Hi,

You would need to enable incoming connections on port TCP/135 to the workstations you wish to allow WMI.

You first find your firewall policy that is applied to your workstations and make a new rule to allow incoming TCP/135.

There would also be some dynamic port ranges that may need to be opened along side TCP/135 you can find out by reviewing your logs with the method below.

Ideally you would make it more secure by adding a network location that the connections will come from (The server/workstation that is sending out the WMI requests.) In Edit Rule > Networks

You can troubleshoot on your endpoint by opening up your FirewallEventMonitor  log located on your workstation in c:\programdata\mcafee\Endpoint Security\Logs\ and look for any connections to TCP/135

Depending on how busy your network traffic is to the workstation i prefer to use cmtrace and watch the log in real time while trying to connect.

 

Regards,

Dev

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 5

Re: Bypass mcafee Firewall for ip inepolicy orchestrator

Hi,
You can refer below link and use adaptive mode to create the rules automatically in adaptive mode on the client machine and then review which rules you need and then configure the rules as per your requirement.
How Adaptive mode affects the firewall
https://docs.mcafee.com/bundle/endpoint-security-10.5.0-firewall-product-guide-epolicy-orchestrator-...
Using Adaptive mode
https://docs.mcafee.com/bundle/endpoint-security-10.5.0-firewall-product-guide-epolicy-orchestrator-...

Below are the steps on how to enable adaptive mode for a single system.
1)Goto System tree, Search for the system name, select it and click on action>>agent>Edit policies on a single system>
2)Then make Product = Endpoint Security Firewall from the Product list.
3)Click on options policy--Make a duplicate of this policy so that you can revert back to the previous policy after creating the rules.
4)Then go to the newly created copy policy
5)Under Tuning Options enable adaptive mode [Note: adaptive mode is used only to configure rules, once done you can disable adaptive mode ]
6)Apply this policy for the system on which you need to create the rules.
7)Once the rules are created under ENSFW on the client machine.
8)Then click on collect and send properties on the Agent monitor so that the adaptive rules are sent back to epo.
Then you can run the server task "Endpoint Security Firewall Property Translator" so that the rules created on the client machine are listed under epo.
Then you have to goto the "Menu>>>Reporting>>>>>Firewall Client Rules" and then select the rules and add to the policies.
After following these steps if you have any queries, let us know.

Regards,
Daya
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: Bypass mcafee Firewall for ip inepolicy orchestrator

FYI, the original post was over 2 years ago.

 

 

Like @DEViANCE stated, review the FirewallEventMonitor.log file for logged details regarding the network connection that WMI uses.  Ref https://kc.mcafee.com/corporate/index?page=content&id=KB90662

In doing some testing with WMIC in my test environment (where ENSFW is on the remote host that I'm using the WMIC command), I am see the below network traffic used by this connection.  You'll need to identify if it's the same and determine how to best configure your firewall rules to allow it securely.

  1. Incoming TCP traffic for svchost.exe - high random source and destination ports 1024-65535 (my testing showed it was typically in the 50000 range).
  2. Incoming TCP traffic for svchost.exe from remote host high random (1024-65535) to local port 135

 

Alternatively, if you want to configure the Firewall to allow all network traffic to/from specific IP addresses, you can configure them as DEFINED NETWORKS -> TRUSTED in the Firewall Options policy.  This is less secure, but will accomplish what you mentioned earlier.

Highlighted

Re: Bypass mcafee Firewall for ip inepolicy orchestrator

Apologies, didn't even notice the post date.

Some good information for the archive either way 🙂

 

Regards,

Dev

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community