We have had 10.x in our environment, on a small number of select workstations, for over a year now. With the release of 10.2 I decided it was time to expand this deployment a bit, to a few more workstations and to the few (fewer than 10) servers that I manage. I found that 1) the firewall will block ports if there isn't an existing rule related to the traffic - which wasn't a big surprise - and 2) the blocking actions don't show up in Threat Events in my EPO console (we are running 5.3.2). Case in point - our Stonesoft firewalls can't talk to their Log server and offhand I don't know what ports are involved. It would be nice to see the blocking information, yet as reported it isn't present in EPO>Threat Events, and I also just checked the Firewall_Activity_Log (C:\Program Data\McAfee\Endpoint Security\Logs\) and don't see any blocking information present there either.
Instead I have to run a sniff to find out what this Stonesoft-to-SMC-Log-Server traffic is (protocol/port pairing). As it stands I can't even launch the SMC presumably due to this port blocking by ENS.
City of Renton
I confirmed via Wireshark capture that the traffic is tcp 8913. I have created a new firewall rule in ENS for this traffic, and performed an Agent Wake-Up call with the Force complete policy and task update option checked, and still can't connect to the SMC on tcp 8913. I have no events in EPO>Threat Events, in the Firewall Activity Log, nor in Events in the ENS UI that show this traffic being blocked. However, there is no other endpoint product installed on either device (my workstation or the SMC server), and this traffic worked prior to the 10.2 upgrade. Calling support right after I post this.
After over an hour with support, still can't get this to work, and even with debugging on there are no log entries in any location. Also, we confirmed that we can disable the firewall via EPO and the traffic (SMC - correction - from my workstation to the SMC server, not to the firewalls) will work, so this is certainly ENS related. I had firewall changes to make, so I had to uninstall ENS on the SMC server and leave the ENS firewall disabled on my workstation before I could make those changes. MERs from the EPO server, from the server and from my workstation were submitted to support.
I am having the same issues. With ENS 10.5, the problem is that although I could find the blocked traffic in the local system logs, on the EPO console I have no clue what is happening. Earlier, in HIPS, firewall events were logged in EPO and we had an option to create a 1-click exception to quickly resolve the issue. This is a critical feature which is not supported on ENS. Need to fix this.
1) Add a Policy catalog under Endpoint Security Firewall: Firewall > Rules > Mydefault
2) Add a firewall rule to allow TCP ports 5900, 5800 in both directions
3) Under application, add the file executables path as C:\Program Files (x86)\TightVNC\*, C:\Program Files\TightVNC
4) Save and Assign
5) For debugging, check the log under C:\ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log