If I want one Firewall policy where the firewall is toggleable and one policy where the firewall cannot be disabled, but want to have the same Trusted Network list for both, then I have to maintain the trusted networks list in two places.
Why do you need to maintain a list of trusted networks in two places? In ENS FW, a Defined Networks->Trusted network entry applies an ALLOW ALL IN/OUT for IPs listed in the Defined Networks->Trusted section. These rules are processed before the FW Rules policy is, so "trusted" networks can be (and should be) placed in the ENS FW Options policy, not the ENS FW Rules policy. In HIPS, "Trusted Networks" entries did not actually allow all traffic in/out like ENS FW does; it works similarly to the ENS FW Defined Networks->Not Trusted networks (list the network entries as Not Trusted, then use those IPs in a FW Rule where Local/Remote Network = Defined Network).
Would another solution be to create a custom trusted networks Network rule in the catalog and use that instead of the built-in [defined networks]/Trusted in the firewall rules?
Creating a FW Rule policy rule that ALLOW ALL IN/OUT for a list of "trusted" networks will work, but it will be applied/processed lower in the compiled FW rules on the client (e.g., meaning it will be processed below other hard coded rules, such as the GTI rules). Using 'trusted' networks in the FW Options, instead of FW Rules, will override any GTI ratings that might block routable IPs. Creating a Local/Remote Network in the ENS Firewall Catalog of your 'trusted' IPs, or just having the same list of IPs as Local/Remote Network entries with an ALLOW ALL type FW rule works the same as the Defined Networks->Trusted network rule, except that it's processed a bit later than other client-side FW rules.
I think it was a design mistake on McAfee's part to combine the Trusted Network policy and the Options policy into a single firewall policy. It is easy to imagine a scenario where you would want to have different options but the same trusted IP list, and this design decision requires customers to maintain the Trusted IP list in multiple policies.
Submit a Product Idea if you have ideas on how to improve product functionality.
The ability to toggle the Firewall on/off is in the same policy -- ENS FW Options -- where the trusted network list is defined.
Therefore, I need to have two ENS FW Options policies -- one ENS FW Options policy with "FW toggle enabled" and one with "FW toggle disabled".
When adding an IP address to the trusted network list, I need to add it to the ENS FW Options -- FW Toggle Enabled policy and the ENS FW Options -- FW Toggle Disabled policy.
I don't mean that I have to maintain two Trusted Network lists -- I mean I have to maintain the same list in two different ENS FW Options policies. When adding an IP it has to be added to ALL ENS FW Options policies - of which I have two so far. There could be more eventually. I might have another policy where I don't want to overwrite client-side rules. That is in the same ENS FW Options Policy. Now the Trusted list would need to be maintained in three policies, and so on.
I think to be flexible with the rules I may end up with 4 or 5 ENS Firewall Options policies (maybe one with client side rules allowed for instance) and the Trusted Network has to be maintained individually in each of those policies.
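The post above describes the upkeep problem: the same Trusted Networks list has to be reproduced by hand in every ENS FW Options policy, so the lists drift apart whenever an address is added to one policy and not the others. The following is an added example, not code from the thread or from the ENS/ePO product, of a small drift check a practitioner can run against the lists as they appear in each policy. The policy names and the network entries are constructed sample data (assumed, not taken from any real ePO export); in practice you would paste or export each policy's Trusted Networks list into the dictionary. Entries are normalised with the standard `ipaddress` module so that a host address, a CIDR and a dotted-mask network all compare as the same object.

```python
import ipaddress

# Constructed sample data (assumed names and addresses): the Trusted Networks
# list as currently entered in each ENS FW Options policy. Replace with the
# contents of your own policies.
POLICY_TRUSTED_NETWORKS = {
    "ENS FW Options - FW Toggle Enabled": [
        "10.10.0.0/16", "192.168.50.0/24", "172.16.5.10",
    ],
    "ENS FW Options - FW Toggle Disabled": [
        "10.10.0.0/16", "192.168.50.0/255.255.255.0",
    ],
    "ENS FW Options - Client Rules Allowed": [
        "10.10.0.0/16", "172.16.5.10", "192.168.51.0/24",
    ],
}


def normalize(entry):
    """Canonical network for a host ("172.16.5.10"), CIDR ("10.0.0.0/8")
    or dotted-mask ("192.168.50.0/255.255.255.0") entry."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def canonical_set(entries):
    """Set of canonical network strings for one policy's list."""
    return {str(normalize(e)) for e in entries}


def _sort_key(net_str):
    net = ipaddress.ip_network(net_str)
    return (net.version, net)


def find_drift(policies):
    """For each policy, list the networks that appear in at least one other
    policy but are missing from this one. An empty list means the policy is
    in sync with the union of all lists."""
    per_policy = {name: canonical_set(entries) for name, entries in policies.items()}
    union = set().union(*per_policy.values())
    return {
        name: sorted(union - present, key=_sort_key)
        for name, present in per_policy.items()
    }


def policies_missing(policies, entry):
    """Which policies still need `entry` added? Use this before and after
    adding a new trusted address so no Options policy is skipped."""
    wanted = str(normalize(entry))
    return sorted(
        name for name, entries in policies.items()
        if wanted not in canonical_set(entries)
    )


if __name__ == "__main__":
    for name, missing in find_drift(POLICY_TRUSTED_NETWORKS).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{name}: {status}")
    print("Policies lacking 172.16.5.10:",
          policies_missing(POLICY_TRUSTED_NETWORKS, "172.16.5.10"))
```

The check treats the union of all policies as the intended list, which matches the situation in the thread (one list that is supposed to be identical everywhere); if you deliberately keep different trusted lists per policy, compare against an explicit master list instead of the union.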
Ah I see. I would submit a Product Idea to be able to use ENS Firewall Catalog items in the ENS Options policy (e.g., DNS Blocking entries, Defined Networks, and Trusted Executables).
That would be a wonderful way to implement this. Thanks for the suggestion.
What I am doing right now is to leave the trusted networks blank in the ENS FW Options. I then maintain a Network in the FW Rules Catalog. I then have an Any/Any from/to that custom Trusted Networks entry as high up in the FW Rules as allowed. It's not ideal, but better than what is currently in the product with regards to maintaining the list.
This was what I was thinking, if it can't be done in the Options to make it a catalog item.
I have submitted a product improvement suggestion. Looking through the list of suggestions though, I am not sure it is monitored or maintained by McAfee in a meaningful way.