Good Afternoon Community,
I am building out and deploying the ENS 10.5 firewall for my organization and have had great success thus far. However, I came across a rule that I have created (MICROSOFT.EXCHANGE.IMAP4SERVICE.EXE) that is hitting the Deny All Traffic rule at the bottom of the policy.
Example from Splunk:
Local: 143, 993, 1024-65535
Application : MICROSOFT.EXCHANGE.IMAP4SERVICE.EXE
I verified the path, ports, name, direction, everything is correct and the logs match what should be allowed. The rule is part of a group (not a connection isolation or timed group) in the policy along with all of my other rules. I probably have over 100 rules altogether in this one group. The fix I found was adding the same rule, with no changes to it, and placing it above the group so when the policy is run against traffic it'll hit that rule first before it hits the group, and from what I've seen it's working. All of the other rules are working in the environment/network. Two questions: is there a limit of firewall rules/groups that can be used in a single policy, and why is the rule working on its own and not within the group?
is there a limit of firewall rules/groups that can be used in a single policy
There is no direct limit to how many rules/groups you can have in a policy, but if you're trying to manage your entire environment with a "one size fits all" policy, then you will run into issues. The Firewall policies being applied to your systems should be unique to that environment (e.g., if you have separate Firewall groups/rules that are unique to Desktops vs Servers, then that should be 2 (maybe more; e.g., Web vs SQL servers) policies and not a single policy where half of the rules apply to Desktops and the other half to Servers). Same goes for other categories, like Workstations vs Laptops, etc. If you want different rules for different systems, build separate policies for them. If you have some Firewall groups/rules that you want to share between policies, that's where the ENS Firewall Catalog will come in handy. That will allow you to share groups/rules between FW Rule policies. This keeps your policies manageable and prevents them from becoming too bloated.
why is the rule working on its own and not within the group
We would need details (e.g., the exported XML rule policy you created vs the traffic being blocked) to compare to see why the rule didn't work. It would be best if you opened a Service Request with McAfee Support to go over those details privately outside of this public forum. My first thought is that your Firewall Group may have a filter. In the FW Group itself, if you set any options to filter traffic, that will affect the FW Rules inside the group. For example, if your FW Group is set to OUTBOUND traffic only, and you put a bi-directional ALLOW ALL inside this group, the FW rule will only apply to outbound traffic because the Group is limiting traffic even though the Rule allows both IN and OUT. The same logic applies to any other Group details you might include. This may or may not be the cause, but again, our technicians can review that issue more closely if you can provide the details.
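To make the group-filter behaviour described in the reply above concrete, here is an added illustration (not McAfee ENS code and not the poster's exported policy): a simplified first-match policy evaluator in Python. It assumes, as the reply states, that a group's own direction filter gates traffic before any rule inside the group is consulted, that evaluation stops at the first matching entry, and that unmatched traffic falls through to a Deny All Traffic rule at the bottom. The rule name, group name and the sample traffic are constructed; the port list mirrors the Splunk line quoted in the question.

```python
"""Simplified model of ordered firewall-policy evaluation with rule groups.

Added illustration only; this is not ENS code. Assumptions: first-match
evaluation, an explicit Deny All at the bottom, and groups that may carry a
direction filter which constrains every rule they contain.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse a port list such as '143, 993, 1024-65535' into (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


def port_in(ranges: List[Tuple[int, int]], port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass
class Rule:
    name: str
    action: str                                 # "allow" or "deny"
    application: Optional[str] = None           # None = any application
    local_ports: Optional[List[Tuple[int, int]]] = None  # None = any port
    direction: str = "both"                     # "in", "out", or "both"


@dataclass
class Group:
    name: str
    rules: List[Rule]
    direction: str = "both"   # group-level filter applied before inner rules


@dataclass
class Traffic:
    application: str
    local_port: int
    direction: str            # "in" or "out"


def direction_matches(allowed: str, actual: str) -> bool:
    return allowed == "both" or allowed == actual


def rule_matches(rule: Rule, traffic: Traffic) -> bool:
    # Application names are compared case-insensitively, as the log shows them upper-cased
    if rule.application is not None and rule.application.upper() != traffic.application.upper():
        return False
    if rule.local_ports is not None and not port_in(rule.local_ports, traffic.local_port):
        return False
    return direction_matches(rule.direction, traffic.direction)


def evaluate(policy: List[Union[Rule, Group]], traffic: Traffic) -> Tuple[str, str]:
    """Return (action, entry name) for the first match; otherwise the bottom Deny All."""
    for entry in policy:
        if isinstance(entry, Group):
            # The group filter is checked first; inner rules never see filtered-out traffic
            if not direction_matches(entry.direction, traffic.direction):
                continue
            for rule in entry.rules:
                if rule_matches(rule, traffic):
                    return rule.action, f"{entry.name}/{rule.name}"
        elif rule_matches(entry, traffic):
            return entry.action, entry.name
    return "deny", "Deny All Traffic"


# Constructed rule modelled on the question's Splunk line
IMAP_RULE = Rule("Allow Exchange IMAP4", "allow",
                 application="MICROSOFT.EXCHANGE.IMAP4SERVICE.EXE",
                 local_ports=parse_ports("143, 993, 1024-65535"))


def demo() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str]]:
    """Three placements of the same rule against one constructed inbound IMAPS connection."""
    inbound_imaps = Traffic("Microsoft.Exchange.IMAP4Service.exe", 993, "in")
    # 1. Rule inside a group that is (perhaps unintentionally) set to OUTBOUND only
    filtered_group = Group("Server rules", [IMAP_RULE], direction="out")
    inside_filtered = evaluate([filtered_group], inbound_imaps)
    # 2. Rule inside a placeholder group with no filter
    plain_group = Group("Server rules", [IMAP_RULE])
    inside_plain = evaluate([plain_group], inbound_imaps)
    # 3. The thread's workaround: a copy of the rule placed above the filtered group
    above_group = evaluate([IMAP_RULE, filtered_group], inbound_imaps)
    return inside_filtered, inside_plain, above_group


if __name__ == "__main__":
    for label, result in zip(("in filtered group", "in plain group", "above group"), demo()):
        print(f"{label}: {result}")
```

Running the module shows the inbound connection falling to "Deny All Traffic" only in the first placement, which is exactly the symptom a direction-filtered group would produce; the same model can be pointed at an exported rule set to check whether any group option, not just direction, is silently narrowing the rules beneath it.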
Thank you for the quick response ktankink!
My environment has a few different firewall policies for server groups and workstation groups, along with more critical server infrastructure being separated out. This policy is for general servers in the environment, with Exchange being included. However, there are several rules inside this policy. In my previous organization we had separated out the servers and workstations into their own policies and it worked very well, especially for admin overhead being significantly reduced. I built out all of my rules inside the firewall catalog, then put the rules into groups to place into the policies. So pretty straightforward, and thus far it's worked well.
The group that I made is only a placeholder. I haven't put any filters on it for any specific direction or network. I use the groups for identifying a ruleset and don't use any of the group capabilities. I can open an SR. I was just curious if anyone has experienced a rule not working but the rest are. Just odd to me. Thank you again for your help 🙂