
ENS 10.6 Firewall ignores the rules

Hello Guys,

Our ENS 10.6 firewall does not respect the rules and does not block traffic as expected. As part of troubleshooting I created the simplest rule to block ICMP. The ePO firewall rule was created, saved and pushed to the workstation. The workstation received it and the rule is visible on the PC. However, it somehow ignores the rule and ICMP is still allowed.

ePO -> ENS Firewall -> Rules: the rule is placed almost at the top, under "McAfee core networking".

 

Here screenshot from my PC (Win7) after policy update and enforce:

firewall-pc-screenshot.png

 

Description:

description.png

 

Ping still successful:

C:\Users\perseus>ping www.google.com

Pinging www.google.com [173.194.219.103] with 32 bytes of data:
Reply from 173.194.219.103: bytes=32 time=323ms TTL=38
Reply from 173.194.219.103: bytes=32 time=221ms TTL=38
Reply from 173.194.219.103: bytes=32 time=271ms TTL=38
Reply from 173.194.219.103: bytes=32 time=140ms TTL=38

Ping statistics for 173.194.219.103:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 323ms, Average = 238ms

 

C:\ProgramData\McAfee\Endpoint Security\Logs -> FirewallEventMonitor.log -> does not show any fresh event.

Can anyone explain or advise what is wrong?

Thank you

3 Replies
McAfee Employee ktankink
Message 2 of 4

Re: ENS 10.6 Firewall ignores the rules

Please check what your Firewall Group settings are for the FW group that the rule is contained in. Your FW group RDP-restrict-group sets filter criteria for the FW rules contained within it, and the group might have some criteria set that don't match the FW rule.

If your FW group is filtering traffic that does not match the FW rule that blocks ICMP, then the rule may not work properly. Try moving your FW rule outside of the FW group (select the FW rule and click the MOVE UP/DOWN option in the FW Rules policy menu) and see if it works then, to eliminate this as a possible cause (the FW rule may be configured properly but not active because of the FW Group settings).

 

Also, just as an FYI, your FW rule is blocking ECHO REPLY packets only. You have it set to both IN and OUT, which is fine, but just be aware that a PING is an ECHO REQUEST out and an ECHO REPLY in. A common mistake regarding ICMP is not matching up the outbound and inbound directions to the correct ICMP message type. As a general rule, try setting the MESSAGE TYPE to ALL initially (which will include all ICMPv4 traffic); then, once you get the FW rule working properly, you can fine-tune it further (e.g., if you want to block inbound ECHO REPLIES but not outbound ECHO REQUESTS, or vice versa).

Re: ENS 10.6 Firewall ignores the rules

Thank you, ktankink.

I did remove the block-icmp rule from the FW group and put it on the top.

I did set MESSAGE TYPE to ALL.

I did check for new policies and enforced policies on the PC; however, the problem persists. I am still able to ping, for example, Google. It does not work. Please see the new settings below:

 

firewall-pc-screenshot-2.png

McAfee Employee ktankink
Message 4 of 4

Re: ENS 10.6 Firewall ignores the rules

Tested this on my system and found that the "Allow outbound system applications" firewall rule is allowing SYSTEM ping.exe ICMP traffic. This rule is part of the McAfee Core Networking rules. See KB91206 below for details about that group of rules. The only way to override this would be to disable and duplicate that group of rules. You would need to put your "block icmp" rule ABOVE this "Allow outbound system applications" firewall rule.

 

Pinging www.google.com [74.125.197.147] with 32 bytes of data:
Reply from 74.125.197.147: bytes=32 time=38ms TTL=41

 

FirewallEventMonitor.log
Time: 03/18/2019 05:14:58 PM

Event: Traffic
IP Address: 74.125.197.147
Description: SYSTEM
Path: SYSTEM
Message: Allowed Outgoing ICMP - Source 10.10.10.1 : (2048) Destination 74.125.197.147 : (0)
Matched Rule: Allow outbound system applications

 

 

KB91206 - FAQs for Endpoint Security Firewall "Disable McAfee core networking rules" feature
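The two points raised in this thread, the ICMP message-type direction pitfall from message 2 and the first-match rule ordering from message 4, can be reproduced with a small first-match evaluator. The following is an added example, not McAfee code and not the ENS rule schema; the rule fields, the default-block when nothing matches, and the reading of the log's "(2048)" as ICMP type*256 + code (type 8, code 0 = echo request) are assumptions made here for illustration. It runs the outbound echo request that ping.exe generates (owned by SYSTEM, as the log shows) through the three configurations the thread goes through, and parses the posted FirewallEventMonitor.log line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ICMPv4 message types relevant to ping.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    direction: str              # "in" or "out"
    proto: str                  # "icmp", "tcp", ...
    process: str                # owning process as the log reports it, e.g. "SYSTEM"
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    """Illustrative rule shape (assumption), not the ENS policy schema."""
    name: str
    action: str                             # "allow" or "block"
    directions: frozenset                   # {"in"}, {"out"} or {"in", "out"}
    proto: Optional[str] = None             # None = any protocol
    process: Optional[str] = None           # None = any process
    icmp_types: Optional[frozenset] = None  # None = all ICMP message types

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction in self.directions
                and (self.proto is None or self.proto == pkt.proto)
                and (self.process is None or self.process == pkt.process)
                and (self.icmp_types is None or pkt.icmp_type in self.icmp_types))


def evaluate(rules, pkt):
    """First match wins, top to bottom. Returns (action, matched rule name).
    Default when nothing matches is assumed to be "block" for this example."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", None


# Constructed stand-ins for the rules discussed in the thread.
CORE_ALLOW_SYSTEM_OUT = Rule("Allow outbound system applications", "allow",
                             frozenset({"out"}), process="SYSTEM")
BLOCK_ECHO_REPLY_ONLY = Rule("block icmp", "block", frozenset({"in", "out"}),
                             proto="icmp", icmp_types=frozenset({ICMP_ECHO_REPLY}))
BLOCK_ALL_ICMP = Rule("block icmp", "block", frozenset({"in", "out"}), proto="icmp")

# What ping.exe actually emits: an outbound echo request owned by SYSTEM, as in the log.
ECHO_REQUEST_OUT = Packet("out", "icmp", "SYSTEM", ICMP_ECHO_REQUEST)
ECHO_REPLY_IN = Packet("in", "icmp", "SYSTEM", ICMP_ECHO_REPLY)


def scenarios():
    """The configurations from the thread, evaluated against the outbound echo request."""
    return {
        # 1. First attempt: block rule below the core group, and echo reply (type 0) only.
        "reply_only_below_core": evaluate([CORE_ALLOW_SYSTEM_OUT, BLOCK_ECHO_REPLY_ONLY], ECHO_REQUEST_OUT),
        # 2. After message 2: all message types, but still below the core rule -> still allowed.
        "all_icmp_below_core": evaluate([CORE_ALLOW_SYSTEM_OUT, BLOCK_ALL_ICMP], ECHO_REQUEST_OUT),
        # 3. Message 4's fix: the block rule placed above the core allow rule.
        "all_icmp_above_core": evaluate([BLOCK_ALL_ICMP, CORE_ALLOW_SYSTEM_OUT], ECHO_REQUEST_OUT),
        # 4. Above the core rule but echo-reply only: the outbound request slips past it.
        "reply_only_above_core": evaluate([BLOCK_ECHO_REPLY_ONLY, CORE_ALLOW_SYSTEM_OUT], ECHO_REQUEST_OUT),
    }


# Constructed copy of the "Message:" line from the posted FirewallEventMonitor.log entry.
SAMPLE_EVENT = ("Message: Allowed Outgoing ICMP - Source 10.10.10.1 : (2048) "
                "Destination 74.125.197.147 : (0)")
_EVENT_RE = re.compile(r"(Allowed|Blocked) (Outgoing|Incoming) (\w+) - Source (\S+) : \((\d+)\) "
                       r"Destination (\S+) : \((\d+)\)")


def decode_icmp_field(value: int):
    """Assumption: the port field carries ICMP type*256 + code, so 2048 -> (8, 0) = echo request."""
    return divmod(value, 256)


def parse_event(line: str):
    m = _EVENT_RE.search(line)
    if not m:
        return None
    action, direction, proto, src, src_field, dst, _dst_field = m.groups()
    out = {"action": action.lower(), "direction": direction.lower(),
           "proto": proto.lower(), "src": src, "dst": dst}
    if out["proto"] == "icmp":
        out["icmp_type"], out["icmp_code"] = decode_icmp_field(int(src_field))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} -> {result}")
    print(parse_event(SAMPLE_EVENT))
```

Scenarios 1 and 2 both come out as allowed by "Allow outbound system applications", which is why moving the rule out of the group and widening it to all message types changed nothing; only scenario 3 blocks. Scenario 4 shows the message-type point from message 2: a rule limited to type 0 never sees the outbound type 8 request, so the request goes out and only the reply could be dropped.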