I am having an issue with the ENS Firewall blocking all traffic. For some reason, it completely ignored all rules I had in place and settled at "Block all traffic". It is very strange as the same traffic and ports would be allowed through but suddenly start getting completely blocked. This is a major issue as it brought down my network due to DNS being blocked. I noticed in the audit log that a task named "EndPoint Security Firewall Property Translator" ran at the same time all traffic started getting blocked.
Version of Agent: 18.104.22.168
ENS Platform: 10.7.0.1285
ENS Firewall: 10.7.0.945
Since it brought all the communication down, I would recommend you disable the Firewall on the affected machines for now.
Note: Make sure the Firewall rule policy applied to the affected machines is not a blank policy with only core McAfee rules (Default rules).
Once it's disabled, we need to test on a single machine that was affected by enabling the Firewall and adding an "Allow any Policy" and placing it at the top. If this works, it would confirm that the Firewall component is functioning properly and the rules have to be adjusted.
Test by using an ALLOW ANY policy
To implement an ALLOW ANY policy, you must modify the Endpoint Security Firewall, Options, and Rules policies with the settings described below.
You could also refer to the article https://kc.mcafee.com/corporate/index?page=content&id=KB90662 for more troubleshooting steps.
The Firewall Property Translator task wouldn't affect the Firewall rules, as it just translates Firewall client rules in the client properties stored in the McAfee ePO database, and adds them to the Firewall Client Rules page.
It cannot automatically remove or add rules to the policies.
Hello @halmazid. It doesn't appear to be the rules I have in place. I implemented the rules 3 days ago and the network has been functioning just fine. Earlier today is when the network went down and once I changed the firewall to it being adaptive, everything came back up. When I pulled the firewalleventmonitor log, it showed my rules allowing traffic but then a sudden change to "Block all traffic" which is the hard-coded McAfee rule. It seems to me that for some reason, the firewall started to ignore all my rules and just dropped all the way to the bottom where the "Block all traffic" rule is. Could this be a bug with the version I have?
Thank you for the clarification. I've checked internally and we are unaware of a bug with this behavior. We might have to investigate more on this. The Firewall shouldn't ignore the user-defined rules, but we could check whether it's doing so by creating the "Allow any rule" mentioned in my previous reply. Depending on this, we would have to set up further investigation.
Thank you for your post. We are sorry to hear about this issue. Can you kindly please share any 2 blocked traffic logs, the events, and the rule that should have allowed them based on your configured rules? This is to determine if there was any common factor that may have resulted in the change. It looks like this might be a policy-related issue. May I know how many machines have been affected?
Hello @AdithyanT. Sure! Basically, I have a DNS rule to my DNS servers through TCP/UDP 53. I noticed in the log that that traffic was successfully passing but at a random point all traffic started getting blocked. There were no changes in the policy and it was not hitting my personally defined "DENY ALL" rule. Essentially, at some random point, the ENS Firewall for some reason switched to the default McAfee "Block all traffic" rule even though my policy was still in effect. I tried looking at the debug logs but nothing seemed off to me. I'm not certain why this happened. As of right now, I have the policy enabled again and am periodically testing to see if DNS is working. So far so good; it has been active for a couple of hours. But as I said in my initial post, this issue took a couple of days to show up.
Thank you for your response. This is certainly strange that the policy you applied did not work all of a sudden and that the debug logs do not evince much information as well. I am fairly confident that the property translator task did not have much to do with this, as explained by my peers above. But the issue and its nature of being random is very concerning. Can you kindly please log a Service Request so that we can investigate this better over a remote session.
If you feel that the already logged information is of no use, then maybe you can wait for the issue to come up again and log a ticket with us. Please ensure Debug logging is enabled via the Endpoint Security Common policy. My apologies for not being of much use here, as it is very necessary that we look into logs to see what exactly is happening.
Also, if you can share a screengrab of the rule and its corresponding "Block" activity in the event or log, we can perhaps try to find out if it was blocked owing to a change in the specific traffic that did not comply with the allow rule in place!
Glad to hear the issue is resolved, however I could not see any known issues present with respect to your scenario to explain this behavior. All said and done, I am very glad your issue is fixed and thank you for taking your time to update us! Kudos to you for the same!