I dont know why it wouldnt work. May be something is getting blocked. Look at one of the events you can see going through and create a firewall rule in the firewall policy to log it.
Yes I'm not sure either. It's funny because on the local server, I can see the events in the ENS Console but it is not forwarding it to the ePO console. I've triple checked that everything that should be selected is selected and still nothing. Maybe the events for traffic just don't get forwarded to ePO for some reason. I've verified that nothing is being blocked in the firewall.
When you run traffic through port 1433 from epo to sql, which rule is seen matching it in log. The matching rule should have "Log matching traffic" enabled.
Hi @JDCast11
Going back to my comments as I don't see a response in regards to this:
What are your ENS and McAfee Agent policy settings set to? It's possible that the events are being generated but not forwarded. Check in ENS Common Policy what you've got set for ENSFW and in the McAfee Agent General Policy under Event Forwarding - lower the level to informational.
Also have you looked at Adaptive Mode which would be the ideal way to monitor "would be blocked" traffic?
I'm sorry @Former Member I thought I responded to that. The ENS common policy is set to log all Firewall Events and forward events to McAfee is selected. In the McAfee Agent General Policy I have the Event Forwarding set to informational.
Yes I have used Adaptive to configure the baseline of my rules but I wanted to have a query as a dashboard for any blocked traffic.
Hmm okay... running out of options now 😄
So checklist - repeating to ensure we've covered all these points, I believe we have:
- log all blocked traffic in ENSFW Options policy is enabled
- the rule which you want to see reported in ePO is also set to "log matching traffic"
- ENS Common policy logging settings for FW have been checked
- MA Policy for Event forwarding has been checked
Even with these options btw you won't see any traffic that matches our catch-all rule. So do you have your own Block Traffic rule?
And finally in ePO under Server Settings > Event Filtering > do you have the event 35002 ticked?
I updated the versions and still unable to receive the logs on the ePO console. Do I need to escalate this and create a ticket?
@JDCast11 yes - if you want to see the events, and are missing them, we need to take a look so please do raise a Service Request with us - either give us a call so we can perform a remote session with you or raise it via the Service Portal and attach a MER from the system in question.
If you decide to go down the SR route - I'd be quite interested in looking into this as well. Feel free to share the SR# with me via private message.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA