
Endpoint Security for Mac Firewall debug log files

I am just trying to understand if there are any instructions or a manual on how to interpret these ENS Mac debug log events.

See how to enable and open the debug files on a Mac:

https://community.mcafee.com/t5/Endpoint-Security-ENS/Endpoint-Security-for-Mac-Firewall-log-files/m...

See example

I can't say if the outgoing traffic ipv4-src=192.168.43.64 ipv4-dst = 192.168.43.1 was allowed or blocked, and if so, by what rule in the firewall policy. This is what I have in the debug logs:

2018-12-19 15:34:40.911138+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"/////////////////////////////////////"
2018-12-19 15:34:40.911150+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Direction --> Outgoing"
2018-12-19 15:34:40.911156+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"ipv4-src=192.168.43.64"
2018-12-19 15:34:40.911161+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"ipv4-dst = 192.168.43.1"
2018-12-19 15:34:40.911167+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"ParseDNSRequest - DNS Request"
2018-12-19 15:34:40.911177+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Firewall_Check_State_Table - IPPROTO_UDP: srcPort = 36937, destPort = 53"
2018-12-19 15:34:40.911187+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"IsIPInLocalSubnet - Local Subnet match found in local address interface store."
2018-12-19 15:34:40.911193+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Find_All_Connections - Searching again with directed broadcast."
2018-12-19 15:34:40.911201+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Find_All_Connections - Searching again with limited broadcast."
2018-12-19 15:34:40.911207+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Entry is not matched in state table (MISS), so looking in RuleSet"
2018-12-19 15:34:40.911215+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - Default group"
2018-12-19 15:34:40.911223+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"3d5b2a34-3b8b-bc62-4d63-477569447e00"
2018-12-19 15:34:40.911229+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroupMatchList - Entry for group - Default group"
2018-12-19 15:34:40.911233+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911239+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Match - direction - evaluated to TRUE"
2018-12-19 15:34:40.911287+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911294+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Jumping to target group."
2018-12-19 15:34:40.911302+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"275be69b-3bc2-bc72-4d64-477569447e00"
2018-12-19 15:34:40.911308+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - McAfee core networking"
2018-12-19 15:34:40.911315+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"275be69b-3bc2-bc72-4d64-477569447e00"
2018-12-19 15:34:40.911321+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroupMatchList - Entry for group - McAfee core networking"
2018-12-19 15:34:40.911325+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911330+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Match - direction - evaluated to TRUE"
2018-12-19 15:34:40.911334+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911340+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Rule transport protocol - 1 not matching."
2018-12-19 15:34:40.911347+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup- match 0 evalauted to FALSE"
2018-12-19 15:34:40.911352+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Rule transport protocol - 1 not matching."
2018-12-19 15:34:40.911357+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup- match 0 evalauted to FALSE"
2018-12-19 15:34:40.911364+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - Entry for rule name - McAfee-Allow Bootp"
2018-12-19 15:34:40.911367+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911374+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - MatchList evaluated to FALSE, breaking"
2018-12-19 15:34:40.911379+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup- match 1 evalauted to FALSE"
2018-12-19 15:34:40.911386+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - Entry for rule name - McAfee-Allow DNS Resolution"
2018-12-19 15:34:40.911389+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911396+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch -  PORT - 53 -FW_ADDRESS_TYPE_SINGLE - Match evaluated to TRUE"
2018-12-19 15:34:40.911400+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Entry"
2018-12-19 15:34:40.911405+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateMatch - Match - direction - evaluated to TRUE"
2018-12-19 15:34:40.911411+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Check_RuleSet - IPPROTO_UDP"
2018-12-19 15:34:40.911417+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Insert_State_Entry - Before RB_INSERT direction - 1"
2018-12-19 15:34:40.911425+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Firewall_Check_IPV4_Connection - Final action ->0"
2018-12-19 15:34:40.912684+0100 0x426      Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"/////////////////////////////////////"

Accepted Solutions

Re: Endpoint Security for Mac Firewall debug log files

Looks as if the logs are checking two groups:

McAfee Core Networking | Default Group 

Based on the below information:

2018-12-19 15:34:40.911308+0100 0x43e3 Default 0x0 0 0 kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - McAfee core networking"

I'd recommend looking in ePO and checking your policy to see if the traffic is explicitly blocked. If it's not blocked, I would think the traffic would be allowed to go through the firewall. I'm not as familiar with ENS Firewall logs, but I'm not seeing anything showing the traffic as being dropped / denied.
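As an added example (not code from the original post or from McAfee), the following Python script groups the MFE_SFW debug lines into one record per connection, so that the groups walked, the rules tried, the state-table result and the reported final action can be read at a glance instead of being picked out of forty lines by eye. It assumes the line layout shown in the post (timestamp, thread id, level, quoted message, with the closing quote occasionally pushed onto the next line), treats a run of slashes as the start of a new trace on that kernel thread, and infers the matching rule as the last rule entered whose match list was not logged as FALSE. That inference is an assumption, and the numeric Final action code is reported as-is because the page does not state what the value means. The sample log is a constructed, abridged copy of the lines from the post.

```python
"""Group ENS for Mac (SFKext / MFE_SFW) firewall debug lines into one record per connection."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged copy of the post's log in the same line format, not a live capture.
SAMPLE_LOG = """\
2018-12-19 15:34:40.911138+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"/////////////////////////////////////"
2018-12-19 15:34:40.911150+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Direction --> Outgoing"
2018-12-19 15:34:40.911156+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"ipv4-src=192.168.43.64"
2018-12-19 15:34:40.911161+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"ipv4-dst = 192.168.43.1"
2018-12-19 15:34:40.911177+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Firewall_Check_State_Table - IPPROTO_UDP: srcPort = 36937, destPort = 53"
2018-12-19 15:34:40.911207+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Entry is not matched in state table (MISS), so looking in RuleSet"
2018-12-19 15:34:40.911215+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - Default group"
2018-12-19 15:34:40.911308+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleGroup - Entry for group - McAfee core networking"
2018-12-19 15:34:40.911364+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - Entry for rule name - McAfee-Allow Bootp"
2018-12-19 15:34:40.911374+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - MatchList evaluated to FALSE, breaking"
2018-12-19 15:34:40.911386+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"EvaluateRuleMatchList - Entry for rule name - McAfee-Allow DNS Resolution"
2018-12-19 15:34:40.911411+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Check_RuleSet - IPPROTO_UDP
"
2018-12-19 15:34:40.911417+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: DEBUG"Firewall_Insert_State_Entry - Before RB_INSERT direction - 1"
2018-12-19 15:34:40.911425+0100 0x43e3     Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"Firewall_Check_IPV4_Connection - Final action ->0"
2018-12-19 15:34:40.912684+0100 0x426      Default     0x0                  0      0    kernel: (SFKext) MFE_SFW: INFO"/////////////////////////////////////"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \S+)\s+(?P<tid>0x[0-9a-fA-F]+)\s+\S+\s+\S+\s+\d+\s+\d+\s+'
    r'kernel: \(SFKext\) MFE_SFW: (?P<level>[A-Z]+)"(?P<msg>[^"]*)"?\s*$')  # closing quote may be missing
SEPARATOR_RE = re.compile(r'^/{5,}$')
RE_ADDR = re.compile(r'^ipv4-(src|dst)\s*=\s*(\S+)')
RE_PORTS = re.compile(r'^Firewall_Check_State_Table - IPPROTO_(\w+): srcPort = (\d+), destPort = (\d+)')
RE_STATE = re.compile(r'state table \((\w+)\)')
RE_GROUP = re.compile(r'^EvaluateRuleGroup - Entry for group - (.+)$')
RE_RULE = re.compile(r'^EvaluateRuleMatchList - Entry for rule name - (.+)$')
RE_FINAL = re.compile(r'Final action ->\s*(-?\d+)')

@dataclass
class ConnectionTrace:
    thread: str
    direction: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    state_table: Optional[str] = None  # "MISS" in the post: no state entry, so the rule set is walked
    groups: List[str] = field(default_factory=list)
    rules: List[Tuple[str, bool]] = field(default_factory=list)  # (rule name, match list still TRUE)
    state_entry_inserted: bool = False  # Firewall_Insert_State_Entry logged for this flow
    final_action: Optional[int] = None  # raw value of "Final action ->N"; its meaning is not on the page
    lines: int = 0

    @property
    def matching_rule(self) -> Optional[str]:
        """Assumption: the last rule entered whose match list was never logged as FALSE."""
        return next((name for name, ok in reversed(self.rules) if ok), None)

def _apply(t: ConnectionTrace, msg: str) -> None:
    """Fold one message into the trace; messages not modelled here only bump the line count."""
    t.lines += 1
    if msg.startswith("Direction --> "):
        t.direction = msg[len("Direction --> "):]
    elif m := RE_ADDR.match(msg):
        setattr(t, m.group(1), m.group(2))
    elif m := RE_PORTS.match(msg):
        t.proto, t.sport, t.dport = m.group(1), int(m.group(2)), int(m.group(3))
    elif m := RE_STATE.search(msg):
        t.state_table = m.group(1)
    elif m := RE_GROUP.match(msg):
        t.groups.append(m.group(1))
    elif m := RE_RULE.match(msg):
        t.rules.append((m.group(1), True))
    elif msg.startswith("EvaluateRuleMatchList - MatchList evaluated to FALSE") and t.rules:
        t.rules[-1] = (t.rules[-1][0], False)
    elif msg.startswith("Firewall_Insert_State_Entry"):
        t.state_entry_inserted = True
    elif m := RE_FINAL.search(msg):
        t.final_action = int(m.group(1))

def parse_traces(text: str) -> List[ConnectionTrace]:
    """A run of slashes opens a new trace on its kernel thread and closes the previous one there."""
    done: List[ConnectionTrace] = []
    open_by_thread: Dict[str, ConnectionTrace] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. the lone closing quote left behind when a message spans two lines
        tid, msg = m.group("tid"), m.group("msg").strip()
        if SEPARATOR_RE.match(msg):
            prev = open_by_thread.pop(tid, None)
            if prev is not None and prev.lines:
                done.append(prev)
            open_by_thread[tid] = ConnectionTrace(thread=tid)
        elif tid in open_by_thread:
            _apply(open_by_thread[tid], msg)
    done.extend(t for t in open_by_thread.values() if t.lines)
    return done

if __name__ == "__main__":
    for t in parse_traces(SAMPLE_LOG):
        print(f"{t.direction} {t.proto} {t.src}:{t.sport} -> {t.dst}:{t.dport} | state table {t.state_table}")
        print(f"  groups {t.groups} | rules {t.rules} | inferred match {t.matching_rule!r}")
        print(f"  state entry inserted {t.state_entry_inserted} | final action code {t.final_action}")
```

On the sample it reports one outgoing UDP flow from 192.168.43.64:36937 to 192.168.43.1:53 that missed the state table, walked Default group and then McAfee core networking, failed the McAfee-Allow Bootp match list, passed McAfee-Allow DNS Resolution, had a state entry inserted and ended with final action code 0. Whether that code means the packet was allowed still has to be confirmed against the policy in ePO, as the accepted answer suggests; the script only makes the evaluation path explicit.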

