cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

How to quarantine user using McAfee ENS 10.5 firewall

Jump to solution

Hi, would anyone be able to share how to perform the following? Am using ENS 10.5 firewall module but how do i call the reaction in active response to activate the firewall rule?

Currently i have create a firewall rule to block TCP traffic and assign a tag to the policy rule.

  • Network isolation: Various tools can be used to achieve network isolation.  The simplest method may be to leverage McAfee Host Intrusion Prevention or other local firewall to put in place a restrictive firewall rule set to prevent all unauthorized network activity.

1 Solution

Accepted Solutions
McAfee Employee sabzi
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: How to quarantine user using McAfee ENS 10.5 firewall

Jump to solution

You can do this using custom props and tag based assignment. Here is how it works conceptually

  1. On ePO we create a FW policy to quarantine.
  2. We then create a Quarantine tag
  3. We then use Policy Assignment Rules to map the Quarantine tag to the policy
  4. Using an OS command reaction script, you can use maconfig.exe to set a custom property to the McAfee agent. We use this to set custom prop 1 to Quarantine
  5. Once done, you wake up the McAfee agent using cmdagent.exe. Again this can be done in the same reaction script
  6. On communicating to ePO, the client sends its new property, which in turn assigns the new FW policy to the machine. The system then enforces the new FW policy.

Step 2 - How to build the quarantine tag

01.png

02.png

03.png

Step 3 - How to assign quarantine FW policy on the quarantine tag

04.png

05.png

Step 4 - 5 - Create custom MAR reaction

Choose "Execute OS command"

Paste in the following

"C:\Program Files\McAfee\Agent\maconfig.exe" -custom -prop1 ""

"C:\Program Files\McAfee\Agent\cmdagent.exe" -p

1 Reply
McAfee Employee sabzi
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: How to quarantine user using McAfee ENS 10.5 firewall

Jump to solution

You can do this using custom props and tag based assignment. Here is how it works conceptually

  1. On ePO we create a FW policy to quarantine.
  2. We then create a Quarantine tag
  3. We then use Policy Assignment Rules to map the Quarantine tag to the policy
  4. Using an OS command reaction script, you can use maconfig.exe to set a custom property to the McAfee agent. We use this to set custom prop 1 to Quarantine
  5. Once done, you wake up the McAfee agent using cmdagent.exe. Again this can be done in the same reaction script
  6. On communicating to ePO, the client sends its new property, which in turn assigns the new FW policy to the machine. The system then enforces the new FW policy.

Step 2 - How to build the quarantine tag

01.png

02.png

03.png

Step 3 - How to assign quarantine FW policy on the quarantine tag

04.png

05.png

Step 4 - 5 - Create custom MAR reaction

Choose "Execute OS command"

Paste in the following

"C:\Program Files\McAfee\Agent\maconfig.exe" -custom -prop1 ""

"C:\Program Files\McAfee\Agent\cmdagent.exe" -p

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community