ZGreen
Level 10
Message 11 of 23

Re: Unable to receive network traffic logs on ePO server


I don't know why it wouldn't work. Maybe something is getting blocked. Look at one of the events you can see going through and create a firewall rule in the firewall policy to log it.

JDCast11
Level 9
Message 12 of 23

Re: Unable to receive network traffic logs on ePO server


Yes I'm not sure either. It's funny because on the local server, I can see the events in the ENS Console but it is not forwarding it to the ePO console. I've triple checked that everything that should be selected is selected and still nothing. Maybe the events for traffic just don't get forwarded to ePO for some reason. I've verified that nothing is being blocked in the firewall.

mmuthuga
McAfee Employee
Message 13 of 23

Re: Unable to receive network traffic logs on ePO server


When you run traffic through port 1433 from ePO to SQL, which rule is seen matching it in the log? The matching rule should have "Log matching traffic" enabled.

chealey
McAfee Employee
Message 14 of 23

Re: Unable to receive network traffic logs on ePO server


Hi @JDCast11 

Going back to my comments as I don't see a response in regards to this:

What are your ENS and McAfee Agent policy settings set to? It's possible that the events are being generated but not forwarded. Check in ENS Common Policy what you've got set for ENSFW and in the McAfee Agent General Policy under Event Forwarding - lower the level to informational.

Also have you looked at Adaptive Mode which would be the ideal way to monitor "would be blocked" traffic?

JDCast11
Level 9
Message 15 of 23

Re: Unable to receive network traffic logs on ePO server


I'm sorry @chealey I thought I responded to that. The ENS common policy is set to log all Firewall Events and forward events to McAfee is selected. In the McAfee Agent General Policy I have the Event Forwarding set to informational. 

Yes I have used Adaptive to configure the baseline of my rules but I wanted to have a query as a dashboard for any blocked traffic.

chealey
McAfee Employee
Message 16 of 23

Re: Unable to receive network traffic logs on ePO server


Hmm okay... running out of options now 😄

So checklist - repeating to ensure we've covered all these points, I believe we have:

- log all blocked traffic in ENSFW Options policy is enabled

- the rule which you want to see reported in ePO is also set to "log matching traffic"

- ENS Common policy logging settings for FW have been checked

- MA Policy for Event forwarding has been checked

 

Even with these options btw you won't see any traffic that matches our catch-all rule. So do you have your own Block Traffic rule?

And finally in ePO under Server Settings > Event Filtering > do you have the event 35002 ticked?

JDCast11
Level 9
Message 17 of 23

Re: Unable to receive network traffic logs on ePO server

Yes, everything is properly configured, just ran through and checked again. I did notice that there seems to be a newer version out so I will have that installed and see if it was a bug with the version I am currently on.

JDCast11
Level 9
Message 18 of 23

Re: Unable to receive network traffic logs on ePO server

Yes, I have "Log matching traffic" enabled.

JDCast11
Level 9
Message 19 of 23

Re: Unable to receive network traffic logs on ePO server


I updated the versions and still unable to receive the logs on the ePO console. Do I need to escalate this and create a ticket? 

chealey
McAfee Employee
Message 20 of 23

Re: Unable to receive network traffic logs on ePO server


@JDCast11  yes - if you want to see the events, and are missing them, we need to take a look so please do raise a Service Request with us - either give us a call so we can perform a remote session with you or raise it via the Service Portal and attach a MER from the system in question.

If you decide to go down the SR route - I'd be quite interested in looking into this as well. Feel free to share the SR# with me via private message.
