sanba06c
Level 10
Message 1 of 8

How to turn on logging mode for Firewall on ePO?

Hello,

Can you instruct me how to enable logging for the Firewall component on ePO? When I viewed the Firewall events report on the ePO, the content was empty, whereas the logging function of the other ENS components is fine.

Thank you.

1 Solution

Accepted Solutions
vivs
McAfee Employee
Message 2 of 8

Hello @sanba06c 

Thanks for your post.

Please refer to the screenshot below:

FWLOG.PNG

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

7 Replies
sanba06c
Level 10
Message 3 of 8

@vivs, thank you for the useful solution! Btw, what kind of events should I choose if I just want to log only blocked events? For example, "Critical" and "Alert" only?

vivs
McAfee Employee
Message 4 of 8

Hello @sanba06c 

Thanks for your response.

AFAIK, it should be "Critical" and "Alert" only.

sanba06c
Level 10
Message 5 of 8

@vivs, I still find the "Endpoint Security Firewall: Traffic block events" report empty.

ktankink
McAfee Employee
Message 6 of 8

Hi @sanba06c Did you see my earlier response? Ref https://community.mcafee.com/t5/Endpoint-Security-ENS/How-to-turn-on-logging-mode-for-Firewall-on-eP...

Do you have any custom Firewall rules created that have the "Log matching traffic" option set? If that is enabled, and that firewall rule is triggered on the client, it will generate an Event ID 35000 (Allow) or 35002 (Block) back to the ePO server (depending on what action you chose in the rule). Those events should be seen in the default Firewall queries; if not, check the Threat Events for that specific Agent node within its properties.

sanba06c
Level 10
Message 7 of 8

@ktankink, I had read through your previous comment, but had not paid careful attention to it. Now, I can see that option to enable firewall logging. However, in my case, the rule is like "deny all" other than the customized one. I can read the log by viewing the client log directly, but this way seems inconvenient.

ktankink
McAfee Employee
Message 8 of 8

Hi @sanba06c The ENS Firewall does not log all blocked network traffic by default. Doing so requires that you enable the "Log matching traffic" or "Treat as intrusion" option inside the firewall rules you create; however, be aware that too much 'generic' logging of BLOCKED or ALLOWED network traffic can cause issues. Please reference the KB below.

KB90177 - Enabling the 'Treat match as intrusion' or 'Log matching traffic' logging options might cause high CPU use
https://kc.mcafee.com/corporate/index?page=content&id=KB90177
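
The following is an added example, not part of any post in this thread and not McAfee code. It shows one way to check an exported event list for the two event IDs named above (35000 allow, 35002 block), listing rules with logging enabled that never produced an event and rules whose event volume suggests overly generic logging. The CSV column names, rule names, host names and threshold are assumptions made for the example, not an ePO export schema.

```python
import csv
import io
from collections import Counter, defaultdict

# Event IDs named in the thread: 35000 = rule allowed, 35002 = rule blocked.
FIREWALL_EVENT_IDS = {"35000": "allow", "35002": "block"}

# Constructed sample export. Column names are assumptions, not an ePO schema;
# event_id 99999 is a constructed stand-in for any non-firewall event.
SAMPLE_CSV = """host,event_id,rule_name
ws-01,35002,Deny all inbound
ws-01,35002,Deny all inbound
ws-02,35002,Deny all inbound
ws-02,35000,Allow RDP from jump host
ws-03,99999,
ws-03,35002,Deny all inbound
"""


def summarize_firewall_events(csv_text, logged_rules, noisy_threshold):
    """Count allow/block events per rule, list rules with logging enabled
    that never fired, and flag rules at or above noisy_threshold events."""
    counts = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = FIREWALL_EVENT_IDS.get(row["event_id"].strip())
        if action is None:
            continue  # not a firewall rule-match event
        counts[row["rule_name"].strip()][action] += 1
    # Rules expected to log but absent from the export: check that the
    # logging option is really set on them and that the policy was enforced.
    silent = sorted(r for r in logged_rules if r not in counts)
    # Rules producing many events: candidates for narrower match criteria.
    noisy = sorted(r for r, c in counts.items()
                   if sum(c.values()) >= noisy_threshold)
    return {
        "per_rule": {r: dict(c) for r, c in counts.items()},
        "silent_rules": silent,
        "noisy_rules": noisy,
    }


if __name__ == "__main__":
    rules = ["Deny all inbound", "Allow RDP from jump host", "Block SMB outbound"]
    report = summarize_firewall_events(SAMPLE_CSV, rules, noisy_threshold=4)
    for key, value in report.items():
        print(key, value)
```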

 
