2 Replies Latest reply on Jan 24, 2011 7:48 PM by kjabney

    Problems with connection-aware groups and dns suffix

      We are having a problem with the firewall and a set of rules that use a connection aware group based on a DNS suffix.


      I have copied the 'Client High' group and added a connection aware group.  This is based on any connection type and a DNS suffix of 'ourdomain.com'.  In this group I have set a rule to allow all IP protocols in/out.  However, when I apply this rule to the machine I can't ping anything on the internal network.  The dns is working because it resolves whatever I am pinging but it doesn't get any reply.


      Any ideas what I am doing wrong?


      Thanks!

        • 1. Re: Problems with connection-aware groups and dns suffix

          Reviewing old posts:


          Re. CAGs, I've just edited KB65560 to make it external.  This should republish externally within a couple days.

          For the mean time, start with this:



          Troubleshooting Host Intrusion Prevention Connection Aware Groups

          Summary
          This article explains the major log entries to assist in troubleshooting a Host Intrusion Prevention agent for Windows, Firewall Connection Aware Group.

          The following are requirements for troubleshooting any Connection Aware Group (CAG) on a Windows client:  
          1. Enable Firewall debug logging via Host Intrusion Prevention 7.0 console (or within the Host Intrusion Prevention policy stored in ePolicy Orchestrator (ePO)):

            Via the ePO console:

            1. Log on to the ePO 4.0 console.
            2. Click Systems.
            3. Select the computer that you want to enable Firewall debug logging on and click the Policies tab.
            4. Select Host Intrusion Prevention 7.0.3:General from the Product drop-down.
            5. Click My Default for the Client UI (Windows) entry under Category.
            6. Click the Troubleshooting tab.
            7. Select one of the message type entries (Information, Warning, Error, Debug) for the Firewall logging entry.

              NOTE:
              Selecting Debug logs all messages.

            8. Click Save.

          2. Click Start, Run, type explorer and click OK.
          3. Navigate to:  c:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\
          4. Review the FireSvc.log file, looking for entries regarding the Connection Aware Group.

            NOTE: Host Intrusion Prevention clients for Linux or Solaris do not have a firewall component, only IPS.


          As an example, use the FireSvc.log information below to determine the local network adapter configuration and the CAG rule configuration. Then identify which network adapters match the CAG rule.

          The Adapters Info section of the log displays how the local adapters are configured:

          02/02/2009 16:46:09 LOCPOLCY[649] VERBOSE  >>>>>>>>>>>>>> Adapters Info >>>>>>>>>>>>>>>>
          02/02/2009 16:46:09 LOCPOLCY[651] VERBOSE  Num adapters 3
          02/02/2009 16:46:09 LOCPOLCY[655] VERBOSE  Adapter 1
          02/02/2009 16:46:09 LOCPOLCY[656] VERBOSE   Physical Address: 44-45-53-54-42-00
          02/02/2009 16:46:09 LOCPOLCY[663] VERBOSE   Physical Medium: Wired
          02/02/2009 16:46:09 LOCPOLCY[672] VERBOSE   Dns suffix:
          02/02/2009 16:46:09 LOCPOLCY[675] VERBOSE   Num IP addresses 0
          02/02/2009 16:46:09 LOCPOLCY[691] VERBOSE   Default Gateway: 0000:0000:0000:0000:0000:FFFF:FFFF:FFFF/00-00-00-00-00-00
          02/02/2009 16:46:09 LOCPOLCY[701] VERBOSE   DHCP Server: missing
          02/02/2009 16:46:09 LOCPOLCY[713] VERBOSE   Primary WINS: missing
          02/02/2009 16:46:09 LOCPOLCY[720] VERBOSE   Secondary WINS: missing
          02/02/2009 16:46:09 LOCPOLCY[726] VERBOSE   Num DNS Servers 0

          This section of the log displays how Connection Aware Groups are configured:

          02/02/2009 16:46:09 LOCPOLCY[56] VERBOSE  >>>>>> Calculate Effective Connection Aware Groups (CAG) Policy >>>>>>
          02/02/2009 16:46:09 LOCPOLCY[481] VERBOSE  >>>>>>>>>>>>>> Prefs Locations >>>>>>>>>>>>>>>>>>
          02/02/2009 16:46:09 LOCPOLCY[482] VERBOSE  Num prefs locations: 1
          02/02/2009 16:46:09 LOCPOLCY[486] VERBOSE  Location ID 0
          02/02/2009 16:46:09 LOCPOLCY[487] VERBOSE   Description Test CAG Group
          02/02/2009 16:46:09 LOCPOLCY[488] VERBOSE   Firewall rule start index 9
          02/02/2009 16:46:09 LOCPOLCY[489] VERBOSE   Firewall rule count 0
          02/02/2009 16:46:09 LOCPOLCY[502] VERBOSE   Type Any
          02/02/2009 16:46:09 LOCPOLCY[507] VERBOSE   Requires home network is disabled
          02/02/2009 16:46:09 LOCPOLCY[510] VERBOSE   Block non-matching NICs is disabled
          02/02/2009 16:46:09 LOCPOLCY[516] VERBOSE   IP list:
          02/02/2009 16:46:09 LOCPOLCY[774] VERBOSE    Subnet 0000:0000:0000:0000:0000:FFFF:AC10:0200/119
          02/02/2009 16:46:09 LOCPOLCY[540] VERBOSE   DNS suffix list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[557] VERBOSE   Gateway list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[573] VERBOSE   DHCP list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[587] VERBOSE   DNS1 list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[601] VERBOSE   DNS2 list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[615] VERBOSE   Primary WINS list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[629] VERBOSE   Secondary WINS list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[632] VERBOSE  <<<<<<<<<<<<<< Prefs Locations <<<<<<<<<<<<<<<<<<
          Finally, this section of the log displays which local network adapters are currently active for a Connection Aware Group:

          02/02/2009 16:46:09 LOCPOLCY[791] INFO     >>>>>>>>>>>>>> Currently Active Connection Aware Groups >>>>>>>>>>>>>>>>
          02/02/2009 16:46:09 LOCPOLCY[803] INFO     Number of active Connection Aware Groups 1
          02/02/2009 16:46:09 LOCPOLCY[809] INFO     Connection Aware Group ID 0
          02/02/2009 16:46:09 LOCPOLCY[810] INFO      Connection Aware Group name: Test CAG Group
          02/02/2009 16:46:09 LOCPOLCY[811] INFO      Number of rules 0
          02/02/2009 16:46:09 LOCPOLCY[812] INFO      Rules start index 9
          02/02/2009 16:46:09 LOCPOLCY[813] INFO      Number of matching adapters 1
          02/02/2009 16:46:09 LOCPOLCY[819] INFO      Adapter 1
          02/02/2009 16:46:09 LOCPOLCY[820] INFO        00-0d-60-6e-0e-84
          02/02/2009 16:46:09 LOCPOLCY[827] INFO        Physical Address Valid TRUE
          02/02/2009 16:46:09 LOCPOLCY[831] INFO        172.16.3.247
          02/02/2009 16:46:09 LOCPOLCY[834] INFO        0000:0000:0000:0000:0000:FFFF:AC10:03F7
          02/02/2009 16:46:09 LOCPOLCY[839] INFO     <<<<<<<<<<<<<< Currently Active Connection Aware Groups <<<<<<<<<<<<<<<<

          Additional information:
          The local network adapters will be configured in IPv6 format. To convert from IPv6 to IPv4 format, take the last 8 bits of the IPv6 address list and convert from Hex to Decimal to get the IPv4 address.

          NOTE: Use Windows calc.exe in "Scientific" mode to convert Hex to Decimal.

          Example:

          02/02/2009 16:46:09 IPHLPR [1554] VERBOSE   IP address list:
          02/02/2009 16:46:09 IPHLPR [1557] VERBOSE    0000:0000:0000:0000:0000:FFFF:AC10:03F7/23

          Hex    Decimal
          AC     172
          10     16
          03     3
          F7     247
          /23    subnet: 255.255.254.0


          ====================================
          The network adapter medium is also listed.
          Physical Medium: Wired
          Physical Medium: Wireless
          ====================================


          For clients running McAfee Agent 4.0 Patch 1 and Host Intrusion Prevention 7.0 Patch 3 or higher which are managed by the Host Intrusion Prevention 7.0.3 Extension for ePO 4.0 or higher:

          The ePO server must be reachable via this connection entry in the Connection Aware Group (CAG) configuration. The rules in the CAG should be enforced only if the CAG criteria are matched AND the ePO server can be resolved via DNS query over any interface.

          This section of the log displays how Connection Aware Groups are configured and that the Requires home network option will be enabled:

          02/02/2009 16:46:09 LOCPOLCY[56] VERBOSE  >>>>>> Calculate Effective Connection Aware Groups (CAG) Policy >>>>>>
          02/02/2009 16:46:09 LOCPOLCY[481] VERBOSE  >>>>>>>>>>>>>> Prefs Locations >>>>>>>>>>>>>>>>>>
          02/02/2009 16:46:09 LOCPOLCY[482] VERBOSE  Num prefs locations: 1
          02/02/2009 16:46:09 LOCPOLCY[486] VERBOSE  Location ID 0
          02/02/2009 16:46:09 LOCPOLCY[487] VERBOSE   Description Test CAG Group
          02/02/2009 16:46:09 LOCPOLCY[488] VERBOSE   Firewall rule start index 9
          02/02/2009 16:46:09 LOCPOLCY[489] VERBOSE   Firewall rule count 0
          02/02/2009 16:46:09 LOCPOLCY[502] VERBOSE   Type Any

          02/02/2009 16:46:09 LOCPOLCY[507] VERBOSE   Requires home network is enabled
          02/02/2009 16:46:09 LOCPOLCY[510] VERBOSE   Block non-matching NICs is disabled
          02/02/2009 16:46:09 LOCPOLCY[516] VERBOSE   IP list:
          02/02/2009 16:46:09 LOCPOLCY[774] VERBOSE    Subnet 0000:0000:0000:0000:0000:FFFF:AC10:0200/119
          02/02/2009 16:46:09 LOCPOLCY[540] VERBOSE   DNS suffix list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[557] VERBOSE   Gateway list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[573] VERBOSE   DHCP list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[587] VERBOSE   DNS1 list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[601] VERBOSE   DNS2 list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[615] VERBOSE   Primary WINS list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[629] VERBOSE   Secondary WINS list is disabled.
          02/02/2009 16:46:09 LOCPOLCY[632] VERBOSE  <<<<<<<<<<<<<< Prefs Locations <<<<<<<<<<<<<<<<<<

          02/02/2009 16:46:09 LOCPOLCY[1164] VERBOSE  (3272) amOnHomeNetwork() - we are on the home network.
          02/02/2009 16:46:09 LOCPOLCY[791] INFO     >>>>>>>>>>>>>> Currently Active Connection Aware Groups >>>>>>>>>>>>>>>>
          02/02/2009 16:46:09 LOCPOLCY[803] INFO     Number of active Connection Aware Groups 1
          02/02/2009 16:46:09 LOCPOLCY[809] INFO     Connection Aware Group ID 0
          02/02/2009 16:46:09 LOCPOLCY[810] INFO      Connection Aware Group name: Test CAG Group
          02/02/2009 16:46:09 LOCPOLCY[811] INFO      Number of rules 0
          02/02/2009 16:46:09 LOCPOLCY[812] INFO      Rules start index 9
          02/02/2009 16:46:09 LOCPOLCY[813] INFO      Number of matching adapters 1
          02/02/2009 16:46:09 LOCPOLCY[819] INFO      Adapter 1
          02/02/2009 16:46:09 LOCPOLCY[820] INFO        00-0d-60-6e-0e-84
          02/02/2009 16:46:09 LOCPOLCY[827] INFO        Physical Address Valid TRUE
          02/02/2009 16:46:09 LOCPOLCY[831] INFO        172.16.3.247
          02/02/2009 16:46:09 LOCPOLCY[834] INFO        0000:0000:0000:0000:0000:FFFF:AC10:03F7
          02/02/2009 16:46:09 LOCPOLCY[839] INFO     <<<<<<<<<<<<<< Currently Active Connection Aware Groups <<<<<<<<<<<<<<<<

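Added example, not code from the KB article or from anyone in this thread: a small Python parser for the FireSvc.log layout quoted above that converts the IPv4-mapped IPv6 entries back to IPv4 (using the last 32 bits, i.e. the last 8 hex digits, and turning an IPv6-style /119 into /23) and then works out which adapters satisfy a CAG's subnet and DNS suffix criteria. The sample log lines are constructed; the layout of an enabled "DNS suffix list:" line and the AND-ing of enabled criteria are assumptions of this example, not documented HIPS behaviour.

```python
import ipaddress
import re
# Constructed FireSvc.log excerpt in the layout shown above, not a real capture; the
# "DNS suffix list:" line is an assumed layout (the KB text only shows that list disabled).
SAMPLE_LOG = """\
02/02/2009 16:46:09 LOCPOLCY[655] VERBOSE  Adapter 1
02/02/2009 16:46:09 LOCPOLCY[672] VERBOSE   Dns suffix:
02/02/2009 16:46:09 LOCPOLCY[677] VERBOSE    0000:0000:0000:0000:0000:FFFF:AC10:03F7/23
02/02/2009 16:46:09 LOCPOLCY[655] VERBOSE  Adapter 2
02/02/2009 16:46:09 LOCPOLCY[672] VERBOSE   Dns suffix: ourdomain.com
02/02/2009 16:46:09 LOCPOLCY[677] VERBOSE    0000:0000:0000:0000:0000:FFFF:AC10:020A/23
02/02/2009 16:46:09 LOCPOLCY[774] VERBOSE    Subnet 0000:0000:0000:0000:0000:FFFF:AC10:0200/119
02/02/2009 16:46:09 LOCPOLCY[540] VERBOSE   DNS suffix list: ourdomain.com
"""
MSG = re.compile(r"^\S+ \S+ \w+\s*\[\d+\] \w+\s+")  # timestamp, tag and level prefix
def mapped_to_ipv4(text):
    """'...:FFFF:AC10:0200/119' -> (IPv4Network 172.16.2.0/23, IPv4Address 172.16.2.0).
    The IPv4 address is the last 32 bits (8 hex digits); /119 is an IPv6-style length."""
    addr, _, prefix = text.partition("/")
    v4 = ipaddress.IPv6Address(addr).ipv4_mapped
    assert v4 is not None, f"not an IPv4-mapped address: {addr}"
    bits = int(prefix or 32) % 96  # IPv6-style /96../128 -> /0../32; IPv4-style /0../32 unchanged
    return ipaddress.IPv4Network(f"{v4}/{bits}", strict=False), v4

def parse_log(log):
    """Adapters (name, suffix, ips) from Adapters Info; CAG criteria from Prefs Locations."""
    adapters, cag, cur = [], {"subnets": [], "suffixes": []}, None
    for line in log.splitlines():
        msg = MSG.sub("", line).strip()
        if msg.startswith("Adapter "):
            cur = {"name": msg, "suffix": "", "ips": []}
            adapters.append(cur)
        elif msg.startswith("Dns suffix:") and cur:
            cur["suffix"] = msg.split(":", 1)[1].strip().lower()
        elif msg.startswith("Subnet "):
            cag["subnets"].append(mapped_to_ipv4(msg.split()[1])[0])
        elif msg.startswith("DNS suffix list:"):
            cag["suffixes"] += [s.lower().lstrip("*.") for s in msg.split(":", 1)[1].split()]
        elif cur and re.fullmatch(r"[0-9A-Fa-f:]+/\d+", msg):
            cur["ips"].append(mapped_to_ipv4(msg)[1])
    return adapters, cag

def matching_adapters(adapters, cag):
    """Adapters meeting every enabled criterion (AND-ing enabled criteria is an assumption here)."""
    def ok(a):
        in_net = not cag["subnets"] or any(ip in n for ip in a["ips"] for n in cag["subnets"])
        # a blank Dns suffix (the symptom in this thread) can never satisfy a suffix criterion
        return in_net and (not cag["suffixes"] or bool(a["suffix"]) and any(
            a["suffix"] == s or a["suffix"].endswith("." + s) for s in cag["suffixes"]))
    return [a["name"] for a in adapters if ok(a)]
```

Run against a real FireSvc.log, an adapter whose "Dns suffix:" line is blank will never satisfy a suffix-based CAG, which is what a "Number of active Connection Aware Groups 0" entry reflects.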
          • 2. Re: Problems with connection-aware groups and dns suffix
            kjabney

            Our CAG rules based on DNS suffix aren't working. We've tried with and without wildcards (e.g., *.mydomain.com, corporate.mydomain.com). I used your test notes below and notice two similarities - both your results and my results show DNS Suffix: "   blank     ". My Number of active Connection Aware Groups shows "0" (explains why the CAG rules themselves don't work).


            Question is - what sets the DNS Suffix? What/where is the f/w looking for/at? We have DNS Suffix names on the computer properties, DNS properties, GPOs, DHCP...I can't find anywhere that doesn't have a DNS suffix configured.


            Thanks,


            Ken