Does Linux have a log that shows blocked or allowed network traffic for the ENS Firewall for Linux? I've looked in /var/McAfee/ens/logs/fw and don't see anything like firewalleventmonitor that's in Windows.
McAfee Endpoint Security for Linux Firewall now supports both allowed and blocked traffic logging.
When Firewall allowed traffic logging is enabled, the details of all allowed traffic are logged in syslog. By default this option is disabled.
When Firewall blocked traffic logging is enabled, the details of all blocked traffic are logged in syslog. By default this option is enabled.
For managed systems, you can enable logging activity using the Tuning Options in the McAfee Endpoint Security for Linux Firewall (Options) policy.
For standalone systems, you can configure log settings using the command line.
Configure the Firewall allowed and blocked traffic logging for
Follow these steps to enable Firewall allowed or blocked traffic logging in standalone systems.
1 Log on to the system as a user with administrator rights.
2 Change the directory to the Firewall bin directory:
3 Run the command:
• To enable logging allowed traffic for both adaptive and regular mode:
./mfefwcli --log-allowed-traffic enable
• To enable logging blocked traffic for both adaptive and regular mode:
./mfefwcli --log-blocked-traffic enable
4 To view log settings, run the command:
I hope this will be helpful.
Firewall for Linux is the alternative version of HIPS 8.0.0 for Windows. Firewall for Linux logs can only be seen via /var/log/messages.
You can filter via tailf /var/log/messages and grep for deny rules.
You will need to create a block rule under your endpoint policy and log traffic.
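The two pieces discussed above (turning on allowed/blocked logging with mfefwcli, then filtering the syslog destination for Firewall entries) as one added example. This is not McAfee's code or output: the Firewall bin directory is passed in because the page does not give the path, the syslog program tag is assumed from the page's mention of the mfefwd daemon, the "Blocked"/"Allowed" keywords are assumptions, and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not McAfee's code.
#   enable_fw_logging DIR      runs the two mfefwcli switches from the procedure above
#   fw_log_file                echoes whichever syslog destination exists
#                              (/var/log/messages on RHEL-style hosts, /var/log/syslog on Debian-style)
#   fw_events FILE KIND        filters a syslog file for Firewall lines (blocked|allowed|all)
# Assumptions (not confirmed by the page): the daemon's syslog tag is "mfefwd", and its
# lines contain the words "Blocked" / "Allowed". The sample lines below are constructed.
set -u

# $1 = Firewall bin directory; the page does not state the path, so it is passed explicitly.
enable_fw_logging() {
    local fw_bin="$1"
    (cd "$fw_bin" \
        && ./mfefwcli --log-blocked-traffic enable \
        && ./mfefwcli --log-allowed-traffic enable)
}

# Print the first readable syslog file; fail if neither candidate exists.
fw_log_file() {
    local f
    for f in /var/log/messages /var/log/syslog; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# fw_events FILE [blocked|allowed|all] -> matching lines on stdout
fw_events() {
    local file="$1" kind="${2:-all}"
    case "$kind" in
        blocked) grep -i 'mfefwd' "$file" | grep -i 'blocked' ;;
        allowed) grep -i 'mfefwd' "$file" | grep -i 'allowed' ;;
        all)     grep -i 'mfefwd' "$file" ;;
        *)       echo "usage: fw_events FILE [blocked|allowed|all]" >&2; return 2 ;;
    esac
}

# Number of matching lines, as a bare integer.
count_events() {
    fw_events "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample in syslog shape (tag and wording are assumptions, not captured output).
# The sshd line is there to show that unrelated entries are filtered out.
make_sample_log() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
Jan 10 10:00:01 host mfefwd[1234]: Blocked incoming TCP 203.0.113.5:4444 -> 10.0.0.7:22
Jan 10 10:00:02 host sshd[999]: Accepted publickey for admin from 10.0.0.3 port 50000
Jan 10 10:00:03 host mfefwd[1234]: Allowed outgoing UDP 10.0.0.7:5353 -> 10.0.0.1:53
Jan 10 10:00:04 host mfefwd[1234]: Blocked incoming TCP 198.51.100.9:31337 -> 10.0.0.7:445
EOF
    printf '%s\n' "$f"
}
```

On a live host the equivalent of the `tailf` suggestion above is `sudo tail -f "$(fw_log_file)" | grep -i mfefwd`; the `fw_log_file` helper exists because, as the thread notes, the entries land in /var/log/messages on some distributions and /var/log/syslog on others. Adjust the grep keywords once you have seen the real line format on your system.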
I believe I read the documentation where it said /var/log/syslog and not messages. Thank you for the mention, I did see the entries in messages. I wonder if their documentation needs fixing, or if I just can't read.
Something else interesting if anyone will come back to this post:
looking in /var/McAfee/ens/fw/prefs.xml:
There's nowhere in the Firewall options policy to define a location for logs. Most of the options policy is for Windows anyway. The CLI tool doesn't give you the option to set a log location either. I tried to manually edit the XML, but it gets reset when mfefwd restarts.