The best way to understand CAG processing is to read the documentation and keep in mind there is also the "isolate this connection" option. I forget exactly where, but somewhere in the docs there is a flowchart explaining the processing order that really helps explain CAG processing. Sorry it's not a better answer, and please don't take this as an "RTFM", as that is not my intention here.
As taken from the CAG doco. (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20747/en_US/...)
"Can more than one CAG be active at the same time?
Yes. The Host IPS firewall is adapter aware and can apply different CAGs to different interfaces at the same time. As interfaces are connected and present themselves to Windows, the firewall begins tracking traffic through them and applying the appropriate rules.
Can I have more than one isolated CAG in the firewall policy?
Yes. If no active NIC matches the first CAG's criteria, the firewall skips the CAG and continues analyzing against the rules that follow the CAG. Because the first CAG was skipped, the fact that it was set to isolate is ignored. For examples on configuring isolated CAGs, please refer to the McAfee Host Intrusion Prevention 7.0 Product Guide."
Keep in mind that as soon as a CAG matches where "isolated" is checked, no further processing applies. That CAG will be processed as if it is the last ruleset in the policy.
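To make the processing order quoted from the product guide and summarized above concrete, here is an added toy model of per-adapter policy evaluation (illustration code, not McAfee's implementation). It assumes a simplified rule model in which a CAG's only matching criterion is the connection type of the adapter; the sample policy and rule names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "block"
    port: Optional[int]  # None matches any destination port

    def matches(self, port: int) -> bool:
        return self.port is None or self.port == port

@dataclass
class CAG:
    name: str
    adapter_types: set   # assumed criteria: connection types the group applies to
    isolate: bool        # the "isolate this connection" option
    rules: List[Rule] = field(default_factory=list)

def effective_rules(policy, adapter_type):
    """Ordered rules the firewall evaluates for one adapter (evaluation is per adapter)."""
    out = []
    for entry in policy:
        if isinstance(entry, CAG):
            if adapter_type not in entry.adapter_types:
                continue  # no NIC match: CAG skipped, its isolate flag is ignored
            out.extend(entry.rules)
            if entry.isolate:
                break     # matched isolated CAG behaves as the last ruleset
        else:
            out.append(entry)
    return out

def decide(policy, adapter_type, port, default="block"):
    """First matching rule wins; if nothing matches, fall back to the default action."""
    for rule in effective_rules(policy, adapter_type):
        if rule.matches(port):
            return rule.name, rule.action
    return "implicit", default

# Constructed sample policy: two isolated CAGs placed ahead of the general rules.
POLICY = [
    CAG("vpn-only", {"vpn"}, isolate=True, rules=[Rule("vpn-allow-any", "allow", None)]),
    CAG("wifi", {"wireless"}, isolate=True, rules=[Rule("wifi-https", "allow", 443)]),
    Rule("general-rdp", "allow", 3389),
    Rule("general-https", "allow", 443),
]
```

A wired adapter matches neither CAG and reaches the general rules; a wireless adapter skips the first isolated CAG, hits the second, and never sees the RDP rule.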