1 Reply Latest reply on Aug 7, 2017 6:19 PM by sabzi

    How to quarantine user using McAfee ENS 10.5 firewall

    kho@exclusive-networks.com

      Hi, would anyone be able to share how to perform the following? I am using the ENS 10.5 firewall module, but how do I call the reaction in Active Response to activate the firewall rule?

       

      Currently I have created a firewall rule to block TCP traffic and assigned a tag to the policy rule.

       

      • Network isolation: Various tools can be used to achieve network isolation.  The simplest method may be to leverage McAfee Host Intrusion Prevention or other local firewall to put in place a restrictive firewall rule set to prevent all unauthorized network activity.

      AR Reaction: More ideas

        • 1. Re: How to quarantine user using McAfee ENS 10.5 firewall
          sabzi

          You can do this using custom props and tag-based assignment. Here is how it works conceptually:

           

          1. On ePO we create a FW policy to quarantine.
          2. We then create a Quarantine tag.
          3. We then use Policy Assignment Rules to map the Quarantine tag to the policy.
          4. Using an OS command reaction script, you can use maconfig.exe to set a custom property on the McAfee agent. We use this to set custom prop 1 to Quarantine.
          5. Once done, you wake up the McAfee agent using cmdagent.exe. Again, this can be done in the same reaction script.
          6. On communicating to ePO, the client sends its new property, which in turn assigns the new FW policy to the machine. The system then enforces the new FW policy.

           

           

          Step 2 - How to build the quarantine tag

          [Screenshots: 01.png, 02.png, 03.png]

           

           

          Step 3 - How to assign quarantine FW policy on the quarantine tag

          [Screenshots: 04.png, 05.png]

           

           

          Step 4 - 5 - Create custom MAR reaction

          Choose "Execute OS command"

          Paste in the following:

          "C:\Program Files\McAfee\Agent\maconfig.exe" -custom -prop1 "Quarantine"

          "C:\Program Files\McAfee\Agent\cmdagent.exe" -p
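The two commands from the reply above, wrapped as a PowerShell reaction script with path checks, exit-code checks and an audit trail. This is an added example, not part of the original post or McAfee's own tooling. The parameter names, the log path and the "exit code 0 means success" convention are assumptions.

```powershell
# Added example: sets custom prop 1 and triggers a property send, as in steps 4-5.
param(
    # Value written to custom property 1; must match the ePO tag criterion.
    [string]$PropValue = 'Quarantine',
    # Agent directory as given in the reply; adjust if installed elsewhere.
    [string]$AgentDir  = 'C:\Program Files\McAfee\Agent',
    # Hypothetical log location chosen for this example.
    [string]$LogFile   = "$env:ProgramData\QuarantineReaction.log"
)

$ErrorActionPreference = 'Stop'

# Append one timestamped line per action so responders can see what ran and when.
function Write-Audit([string]$Message) {
    $line = '{0:o} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

# Run one of the agent tools and fail loudly if it is missing or reports an error.
function Invoke-AgentTool([string]$Exe, [string[]]$Arguments) {
    $path = Join-Path $AgentDir $Exe
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "$path not found"
    }
    & $path @Arguments
    # Assumption: the tools follow the usual convention of 0 = success.
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe exited with code $LASTEXITCODE"
    }
}

try {
    # Step 4: set custom prop 1 so the Quarantine tag criterion matches.
    Invoke-AgentTool 'maconfig.exe' @('-custom', '-prop1', $PropValue)
    Write-Audit "custom prop1 set to '$PropValue'"

    # Step 5: have the agent collect and send its properties to ePO.
    Invoke-AgentTool 'cmdagent.exe' @('-p')
    Write-Audit 'cmdagent -p issued'
    exit 0
}
catch {
    Write-Audit "FAILED: $($_.Exception.Message)"
    exit 1
}
```

A non-zero exit from the script means the property was not set or not sent, so the endpoint should not be assumed isolated until the Quarantine tag shows up on the system in ePO.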