Endpoint Security for Mac Firewall debug log files

I am just trying to understand if there are any instructions or a manual on how to interpret these ENS Mac debug log events.

See how to enable and open the debug files on the Mac:

https://community.mcafee.com/t5/Endpoint-Security-ENS/Endpoint-Security-for-Mac-Firewall-log-files/m...

See the example below.

I can't say whether the outgoing traffic ipv4-src=192.168.43.64 / ipv4-dst=192.168.43.1 was allowed or blocked and, if so, by which rule in the firewall policy. This is what I have in the debug logs:

2018-12-19 15:34:40.911138+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"/////////////////////////////////////"
2018-12-19 15:34:40.911150+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Direction --> Outgoing"
2018-12-19 15:34:40.911156+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"ipv4-src=192.168.43.64"
2018-12-19 15:34:40.911161+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"ipv4-dst = 192.168.43.1"
2018-12-19 15:34:40.911167+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"ParseDNSRequest - DNS Request"
2018-12-19 15:34:40.911177+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Firewall_Check_State_Table - IPPROTO_UDP: srcPort = 36937, destPort = 53"
2018-12-19 15:34:40.911187+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"IsIPInLocalSubnet - Local Subnet match found in local address interface store."
2018-12-19 15:34:40.911193+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Find_All_Connections - Searching again with directed broadcast."
2018-12-19 15:34:40.911201+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Find_All_Connections - Searching again with limited broadcast."
2018-12-19 15:34:40.911207+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Entry is not matched in state table (MISS), so looking in RuleSet"
2018-12-19 15:34:40.911215+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - Default group"
2018-12-19 15:34:40.911223+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"3d5b2a34-3b8b-bc62-4d63-477569447e00"
2018-12-19 15:34:40.911229+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroupMatchList - Entry for group - Default group"
2018-12-19 15:34:40.911233+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911239+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Match - direction - evaluated to TRUE"
2018-12-19 15:34:40.911287+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911294+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Jumping to target group."
2018-12-19 15:34:40.911302+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"275be69b-3bc2-bc72-4d64-477569447e00"
2018-12-19 15:34:40.911308+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - McAfee core networking"
2018-12-19 15:34:40.911315+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"275be69b-3bc2-bc72-4d64-477569447e00"
2018-12-19 15:34:40.911321+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroupMatchList - Entry for group - McAfee core networking"
2018-12-19 15:34:40.911325+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911330+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Match - direction - evaluated to TRUE"
2018-12-19 15:34:40.911334+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911340+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Rule transport protocol - 1 not matching."
2018-12-19 15:34:40.911347+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup- match 0 evalauted to FALSE"
2018-12-19 15:34:40.911352+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Rule transport protocol - 1 not matching."
2018-12-19 15:34:40.911357+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup- match 0 evalauted to FALSE"
2018-12-19 15:34:40.911364+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - Entry for rule name - McAfee-Allow Bootp"
2018-12-19 15:34:40.911367+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911374+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - MatchList evaluated to FALSE, breaking"
2018-12-19 15:34:40.911379+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup- match 1 evalauted to FALSE"
2018-12-19 15:34:40.911386+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - Entry for rule name - McAfee-Allow DNS Resolution"
2018-12-19 15:34:40.911389+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911396+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch -  PORT - 53 -FW_ADDRESS_TYPE_SINGLE - Match evaluated to TRUE"
2018-12-19 15:34:40.911400+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911405+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Match - direction - evaluated to TRUE"
2018-12-19 15:34:40.911411+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Check_RuleSet - IPPROTO_UDP"
2018-12-19 15:34:40.911417+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Insert_State_Entry - Before RB_INSERT direction - 1"
2018-12-19 15:34:40.911425+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Firewall_Check_IPV4_Connection - Final action ->0"
2018-12-19 15:34:40.912684+0100 0x426      Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"/////////////////////////////////////"

Accepted Solution

User91972758 (Reliable Contributor)

Re: Endpoint Security for Mac Firewall debug log files

Looks as if the logs are checking two groups:

McAfee Core Networking | Default Group 

Based on the below information:

2018-12-19 15:34:40.911308+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - McAfee core networking"

I'd recommend looking in ePO and checking your policy to see if the traffic is explicitly blocked. If it's not blocked, I would think the traffic would be allowed to go through the firewall. I'm not as familiar with ENS Firewall logs, but I'm not seeing anything showing the traffic as being dropped / denied.
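The decision trace in the posted log, walked programmatically. This is an added example (my code, not McAfee's and not from either post): it groups MFE_SFW kernel-log lines into one block per thread id between the "/////" separator lines and pulls out the direction, the 5-tuple, the state-table result, the rule groups entered, the rules whose match lists failed, the rule that was still open when the kext moved on to Firewall_Check_RuleSet, whether a state-table entry was inserted, and the raw final-action code. The sample input is the post's own lines with the column padding collapsed. Two assumptions are labelled in the code: that the rule still open at Firewall_Check_RuleSet is the one that matched (the log prints no "evaluated to TRUE" for a whole match list), and that the meaning of the numeric final-action code is unknown, since the page does not state it, so it is reported as-is.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: a subset of the kernel log lines from the post above, column
# padding collapsed to single spaces. The Firewall_Check_RuleSet message, whose
# closing quote wrapped onto the next line in the post, is joined back here.
SAMPLE_LOG = """\
2018-12-19 15:34:40.911138+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: INFO"/////////////////////////////////////"
2018-12-19 15:34:40.911150+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: INFO"Direction --> Outgoing"
2018-12-19 15:34:40.911156+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: INFO"ipv4-src=192.168.43.64"
2018-12-19 15:34:40.911161+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: INFO"ipv4-dst = 192.168.43.1"
2018-12-19 15:34:40.911177+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: INFO"Firewall_Check_State_Table - IPPROTO_UDP: srcPort = 36937, destPort = 53"
2018-12-19 15:34:40.911207+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: INFO"Entry is not matched in state table (MISS), so looking in RuleSet"
2018-12-19 15:34:40.911215+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - Default group"
2018-12-19 15:34:40.911308+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - McAfee core networking"
2018-12-19 15:34:40.911364+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - Entry for rule name - McAfee-Allow Bootp"
2018-12-19 15:34:40.911374+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - MatchList evaluated to FALSE, breaking"
2018-12-19 15:34:40.911386+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - Entry for rule name - McAfee-Allow DNS Resolution"
2018-12-19 15:34:40.911396+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch -  PORT - 53 -FW_ADDRESS_TYPE_SINGLE - Match evaluated to TRUE"
2018-12-19 15:34:40.911405+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Match - direction - evaluated to TRUE"
2018-12-19 15:34:40.911411+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Check_RuleSet - IPPROTO_UDP"
2018-12-19 15:34:40.911417+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Insert_State_Entry - Before RB_INSERT direction - 1"
2018-12-19 15:34:40.911425+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: INFO"Firewall_Check_IPV4_Connection - Final action ->0"
2018-12-19 15:34:40.912684+0100 0x426 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: INFO"/////////////////////////////////////"
"""

# timestamp, thread id, ..., MFE_SFW: LEVEL"message". The closing quote is
# optional so a message whose quote wrapped onto the next line still parses.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+)\s+(?P<tid>0x[0-9a-fA-F]+)\s.*?MFE_SFW: (?:INFO|DEBUG)"(?P<msg>.*?)"?\s*$'
)
SEPARATOR = "/////"


@dataclass
class Connection:
    """One firewall decision: the lines between two separators on one kernel thread."""
    thread: str
    first_ts: str
    direction: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    state_lookup: Optional[str] = None          # "MISS" in the posted trace
    groups: List[str] = field(default_factory=list)
    rejected_rules: List[str] = field(default_factory=list)
    matched_rule: Optional[str] = None
    state_entry_inserted: bool = False
    final_action: Optional[int] = None          # raw code; its meaning is not given on the page
    pending_rule: Optional[str] = None          # rule whose match list is being evaluated

    def has_data(self) -> bool:
        return self.direction is not None or self.src is not None


def _apply(conn: Connection, msg: str) -> None:
    """Update the in-progress connection from one MFE_SFW message."""
    if m := re.match(r"Direction --> (\w+)", msg):
        conn.direction = m[1]
    elif m := re.match(r"ipv4-src\s*=\s*(\S+)", msg):
        conn.src = m[1]
    elif m := re.match(r"ipv4-dst\s*=\s*(\S+)", msg):
        conn.dst = m[1]
    elif m := re.match(r"Firewall_Check_State_Table - (IPPROTO_\w+): srcPort = (\d+), destPort = (\d+)", msg):
        conn.proto, conn.src_port, conn.dst_port = m[1], int(m[2]), int(m[3])
    elif m := re.search(r"state table \((\w+)\)", msg):
        conn.state_lookup = m[1]
    elif m := re.match(r"EvaluateRuleGroup - Entry for group - (.+)", msg):
        conn.groups.append(m[1].strip())
    elif m := re.match(r"EvaluateRuleMatchList - Entry for rule name - (.+)", msg):
        conn.pending_rule = m[1].strip()
    elif msg.startswith("EvaluateRuleMatchList - MatchList evaluated to FALSE"):
        if conn.pending_rule:
            conn.rejected_rules.append(conn.pending_rule)
        conn.pending_rule = None
    elif msg.startswith("Firewall_Check_RuleSet"):
        # Assumption: the rule still open when the kext proceeds to
        # Firewall_Check_RuleSet is the one whose match list succeeded.
        conn.matched_rule = conn.pending_rule
    elif msg.startswith("Firewall_Insert_State_Entry"):
        conn.state_entry_inserted = True
    elif m := re.search(r"Final action ->\s*(\d+)", msg):
        conn.final_action = int(m[1])


def parse_mfe_sfw(text: str) -> List[Connection]:
    """Group MFE_SFW lines into per-connection decisions, keyed by thread id so
    that interleaved lines from other kernel threads do not corrupt a block."""
    done: List[Connection] = []
    open_blocks: Dict[str, Connection] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                    # blank line, wrapped fragment, or non-MFE_SFW line
        tid, msg = m["tid"], m["msg"]
        if msg.startswith(SEPARATOR):
            prev = open_blocks.pop(tid, None)
            if prev is not None and prev.has_data():
                done.append(prev)
            open_blocks[tid] = Connection(thread=tid, first_ts=m["ts"])
        elif tid in open_blocks:
            _apply(open_blocks[tid], msg)
    done.extend(c for c in open_blocks.values() if c.has_data())
    return done


def summarize(conn: Connection) -> str:
    tuple5 = f"{conn.proto} {conn.src}:{conn.src_port} -> {conn.dst}:{conn.dst_port}"
    return (f"{conn.direction} {tuple5}: state table {conn.state_lookup}; "
            f"groups {' > '.join(conn.groups)}; rejected {conn.rejected_rules}; "
            f"matched rule {conn.matched_rule!r}; state entry inserted={conn.state_entry_inserted}; "
            f"final action code {conn.final_action}")


if __name__ == "__main__":
    for c in parse_mfe_sfw(SAMPLE_LOG):
        print(summarize(c))
```

Fed the full double-spaced log from the post instead of the sample, it gives the same result: the blank lines and the stray wrapped quote characters fail LINE_RE and are skipped, and the final separator, which comes from a different thread (0x426), does not disturb the 0x43e3 block. On this trace the last rule the evaluator was in before Firewall_Check_RuleSet is McAfee-Allow DNS Resolution in the McAfee core networking group, so that is the rule to look up in the ePO policy, and a state-table entry was inserted before the final action was logged. What the final action code 0 means is not stated anywhere on this page, so check it against the product documentation rather than assuming it is allow or block.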

