cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ShawnB
Level 7
Report Inappropriate Content
Message 1 of 3
‎03-28-2019 01:31 PM

Firewall Policies on NSM 8.3 not working

Good Day All,

I am new to the community, but new to McAfee products.

I have a NSP NS-7200 and NSM 8.3.7.7.

I have it monitoring among other places, the traffic inboud to my outside firewall

I am seeing some suspicious RDP traffic from Russia and Latvia. Specifically RDP: Microsoft Windows RDP Server Abnormal Termination

So I have set a I have set a Firewall policy to deny and log the traffic from source address Latvia and Russia to the destination IP address

I have set the firewall Rules to send to a syslog server and sent test logs and confirm that the syslog is receiving. as per this community thread

https://community.mcafee.com/t5/Network-Security-Platform-NSP/Where-i-can-find-the-firewall-events-i...

After saving and deploying  the policy to the sensor, I am still seeing the attack show up on my dashboard and analyzer several hours later, so I am thinking that the rule is NOT working. The syslog does not show any entries either

Any assistance on this?

0 Kudos
Reply
2 Replies
dfdfdgsdgfsf
Level 7
Report Inappropriate Content
Message 2 of 3
‎03-29-2019 05:25 AM

Re: Firewall Policies on NSM 8.3 not working

What version of code is the Sensor running?

Can you attach an image of the firewall rule you created and show us where/how it is assigned? 

As a side note, it is not recommended that you use the Sensors as an edge device. They should reside on the trusted side of the firewall.

0 Kudos
Reply
ShawnB
Level 7
Report Inappropriate Content
Message 3 of 3
‎04-08-2019 09:36 AM

Re: Firewall Policies on NSM 8.3 not working

Thanks for your reply

The sensor is software version: 8.3.5.32 Signature Set 9.8.42.3

The rule as follows

McAfee FW rule.jpg

Thanks for the advice on the sensor edge facing. I do have it this way to at least be able to see the attacks on my public facing IP addresses, its reported better than my CheckPoint firewall provides. Also my firewalls are virtual, so it makes it a bit harder to configure the interfaces on the internal trusted side. I'll keep it in mind though for a reconfiguration.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC