I am trying to have a central place where I can see all traffic being passed through the ENS Firewall. All the required policies are configured to forward events to ePO, and I have selected that all Firewall events are logged. I also have the rule itself set to log on each occurrence and to log all allowed and blocked traffic. Essentially, I want to avoid having to navigate to every one of my servers to pull up the FirewallEventMonitor.log to see what is being blocked. I also tried creating a query to pull the events, but that was unsuccessful. It did pull some events, but all of them were old. Any help is appreciated.
I am running ePO 5.10 update 6 with the latest ENS and Firewall updates.
Good news! I was finally able to receive the events in the ePO console. The issue was that the eventparser service currently has a bug on 5.10 update 6. Basically, it just stops parsing events. I have submitted an RTS to receive the fix for this. Thanks everyone for your assistance. Following the steps @Former Member outlined should have events showing up if you don't have update 6 installed. I
Hello ZGreen. All other threat events seem to be reporting correctly. I am just unable to get the actual traffic being passed through the ENS Firewall to show up in a query or report.
Thank you for posting on the Community.
What you are trying to achieve is not recommended, as it will negatively impact the performance of your clients and will overload your database with a large number of events.
If you wish to configure the FW to report the network traffic, please see the following taken from the ENS FAQ page: KB86704
How do I configure Endpoint Security Firewall network traffic logging?
Within the Endpoint Security Firewall Options policy, enable the Log all allowed or Log all blocked options. Endpoint Security Firewall will log blocked and allowed network traffic to the \ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log file. If you want to generate ePolicy Orchestrator events for allowed or blocked network traffic, enable the Log matching traffic option in a specific firewall rule. Be aware that generic, high event-generation rules can cause performance issues. See KB90177 for more information.
NOTE: Endpoint Security Firewall log functionality does not allow for only specific firewall rules to be logged to the FirewallEventMonitor.log file.
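Since the KB text above points at the local FirewallEventMonitor.log as the place where allowed/blocked traffic is actually recorded, one way to avoid logging into every server is to read that file remotely over the admin share and filter it in one place. The script below is an added example and is not part of the thread or McAfee/Trellix tooling; it assumes the system drive is C:, that the account running it is a local administrator on each server (so the C$ admin share is reachable), and that the server names are placeholders you replace. The log format is not parsed; lines are matched against a caller-supplied regular expression (defaulting to the port 1433 the original poster is testing), so it works regardless of the exact line layout.

```powershell
# Added example (not from the thread or the vendor): collect the tail of
# FirewallEventMonitor.log from several servers over the C$ admin share and
# keep only lines matching a pattern, so blocked/allowed entries can be
# reviewed centrally instead of on each server.
# Assumptions: system drive is C:, admin shares are enabled, the caller has
# local admin rights on each server, and SERVER01/SERVER02 are placeholders.
param(
    [string[]]$Servers   = @('SERVER01', 'SERVER02'),  # placeholder host names
    [string]$Pattern     = '1433',                     # regex applied to each line
    [int]$TailLines      = 2000,                       # read only the newest entries
    [string]$OutFile     = "$env:TEMP\ENSFW-central.log"
)

# Path given in KB86704, relative to the system drive root.
$relativePath = 'ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log'

$results = foreach ($server in $Servers) {
    $uncPath = "\\$server\C$\$relativePath"
    if (-not (Test-Path -LiteralPath $uncPath)) {
        Write-Warning "$server : log not reachable at $uncPath"
        continue
    }
    # The file grows quickly once 'Log all allowed/blocked' is enabled, so
    # read only the tail rather than the whole file.
    Get-Content -LiteralPath $uncPath -Tail $TailLines |
        Where-Object { $_ -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{ Server = $server; Entry = $_ }
        }
}

$results = @($results)
$results | Format-Table -AutoSize -Wrap

# Persist a tab-separated copy so it can be searched or attached to a ticket.
$results | ForEach-Object { "{0}`t{1}" -f $_.Server, $_.Entry } |
    Set-Content -LiteralPath $OutFile
Write-Host "Wrote $($results.Count) matching entries to $OutFile"
```

Run it as an account with admin rights on the target servers, e.g. `.\Get-EnsFwLog.ps1 -Servers SQL01,APP01 -Pattern 'Blocked'` to see only lines containing that word; if the admin shares are disabled in your environment, the same `Get-Content -Tail` call can be wrapped in `Invoke-Command -ComputerName` against the local path instead.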
Thanks for your reply. That's what I'm having trouble with right now. My FirewallEventMonitor log is being written correctly, but I can't view the events in the ePO console itself, which is what I was trying to do. I have selected the Log matching traffic option and still have not seen any events in the ePO console. I understand that it will create many events, but I plan to limit it to certain ports to see where traffic is blocked. Is the only way to view all network traffic to go to the servers and pull up the FirewallEventMonitor log?
If you look at the ENS Console, do you see the events in there or not at all?
What are your ENS and McAfee Agent policy settings set to? It's possible that the events are being generated but not forwarded. Check in ENS Common Policy what you've got set for ENSFW and in the McAfee Agent General Policy under Event Forwarding - lower the level to informational.
Indeed, we would suggest looking at the FirewallEventMonitor log. Alternatively, the best way to configure your FW is to use adaptive mode. This will report any "would be blocked" traffic to ePO, and based on these entries you can create rules to allow that traffic.
Yes, I have threat events from things such as Threat Prevention, but not from the Firewall. I just wanted to avoid having to log into every individual server to view the logs. I verified that I have "All Firewall events log" selected in the Endpoint Security Common policy and Informational set for the McAfee Agent. Still unable to get events.
The test I'm running is trying to catch traffic on port 1433 from ePO to SQL. That is not showing up in the console, but it is in the local log.