Hello ZGreen. It seems that all other threat events seem to be reporting correctly. I am just unable to get the actual traffic being passed through the ENS Firewall to show up in a query or report. 

So the events are showing in the logs just not the query? If thats the case how much information are you looking for in the query?

Hi @JDCast11 

Thank you for posting on the Community.

What you are trying to achieve is not something recommended as it will negatively impact the performance of your clients and will overload your database with large numbers of events.

If you wish to configure the FW to report the network traffic, please see the following taken from the ENS FAQ page: KB86704

How do I configure Endpoint Security Firewall network traffic logging?
Within the Endpoint Security Firewall Options policy, enable the Log all allowed or Log all blocked options. Endpoint Security Firewall will log blocked and allowed network traffic to the \ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log file. If you want to generate ePolicy Orchestrator events for allowed or blocked network traffic, enable the Log matching traffic option in a specific firewall rule. Be aware that generic, high event-generation rules can cause performance issues. See KB90177 for more information.

NOTE: Endpoint Security Firewall log functionality does not allow for only specific firewall rules to be logged to the FirewallEventMonitor.log file. 

Thanks for your reply. That's what I'm having trouble with right now. My FirewallEventMonitor is logging correctly but I can't view the events on the ePO console itself which is what I was trying to do. I have selected the log matching traffic option and still have not seen any events in the actual ePO console. I understand that it will create many events but I plan to limit it to certain ports to see where traffic is blocked. Is the only way to view all network traffic to just go to the servers and pull up the FirewallEventMonitor log?

Hi @JDCast11 

If you look at the ENS Console, do you see the events in there or not at all?

What are your ENS and McAfee Agent policy settings set to? It's possible that the events are being generated but not forwarded. Check in ENS Common Policy what you've got set for ENSFW and in the McAfee Agent General Policy under Event Forwarding - lower the level to informational.

Indeed, we would suggest looking at the FirewallEventMonitor Log - or alternatively the best way to configure your FW is to use adaptive mode. This will then report any "would be blocked" traffic to ePO and based on these entries you can create rules to allow that traffic.  

Yes I have threat events from things such as Threat Prevention but not the Firewall. I just wanted to avoid having to log into every individual server to view the logs. I verified that I have All Firewall events log selected in the EndPoint Security Common and informational for the McAfee Agent. Still unable to get events. 

Test I'm running is trying to catch traffic through port 1433 from epo to sql. That is not showing up in the console but is in the local log.

What options do you have for ENS commons policy under event logging for firewall? Its not going to log that traffic unless you actually select all. 

Hey @ZGreen. Yes I have that selected and still no dice 😞