0 Replies Latest reply on Jun 5, 2015 7:25 AM by brinkn

    Enable Firewall Logs on EPM2.2

    brinkn

      Hello everyone.

      I am posting this here so that others who are working with the McAfee firewall may benefit from my experience.

       

Troubleshooting firewall blocks on a Mac is not a trivial task.  You can use adaptive mode to help determine what rules you need, but the logging leaves something to be desired.  The first step is to enable logging for the Firewall product on Mac.

       

      There is a McAfee KB that explains how to do this.

      McAfee KnowledgeBase - How to enable Firewall debug logging for Endpoint Protection for Mac 2.x

       

Basically you want to change the debug level from ERROR to INFO (or DEBUG if necessary).   At the ERROR log level, it does not appear that any firewall denies or allows are logged.

       

      From a terminal window type the following:

           sudo sysctl kern.com_mcafee_firewall_log=4

       

This will dump all the McAfee firewall related logs to /var/log/system.log.  After a while I found this was less than desirable and made it difficult to troubleshoot firewall problems.   I realized the best thing to do is to segregate these into their own file so we can use log rotation, compression, etc.  To do this edit the ASL config file.  This file is located at /etc/asl.conf.  It is best to edit this from the terminal using nano or some other text editor.

       

Add the following 4 lines directly above the line that says "# Rules for /var/log/system.log":

           #McAfee firewall log rules
           > mfefw.log mode=0640 format=bsd coalesce=0 rotate=seq compress file_max=5M all_max=50M
           ? [= Sender kernel] [A= Message MFE]  file mfefw.log
           ? [= Sender kernel] [A= Message MFE] ignore

       

      <<<<SCREENSHOT ATTACHED>>>>>>>

       

      This will send the firewall related logs to their own files in the /var/log directory and prevent them from being placed in the system.log.
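The edit to /etc/asl.conf described in the post above can be scripted so that it is repeatable across several Macs and never duplicates the rules on a second run. The script below is an added example, not part of the original post or McAfee's own tooling; it assumes the marker line "# Rules for /var/log/system.log" exists in the file, as the post states, and refuses to edit otherwise. The file path is passed as an argument (normally /etc/asl.conf, with sudo), and a .bak copy is written before the file is replaced.

```shell
#!/bin/sh
# Added example (not from the original post): insert the McAfee firewall
# ASL rules above the "# Rules for /var/log/system.log" marker, idempotently.
# Usage: sudo ./asl_add_mfe_rules.sh /etc/asl.conf

MARKER='# Rules for /var/log/system.log'

# The four lines from the post, emitted as one block.
mfe_rules() {
    printf '%s\n' \
        '#McAfee firewall log rules' \
        '> mfefw.log mode=0640 format=bsd coalesce=0 rotate=seq compress file_max=5M all_max=50M' \
        '? [= Sender kernel] [A= Message MFE] file mfefw.log' \
        '? [= Sender kernel] [A= Message MFE] ignore'
}

# Returns 0 when the output-file directive is already in the config.
mfe_rules_present() {
    grep -qF '> mfefw.log' "$1"
}

# Insert the rules directly above the marker line.
# Exit status: 0 on success or when already present, 1 if the marker is missing.
asl_add_mfe_rules() {
    conf="$1"
    if mfe_rules_present "$conf"; then
        echo "rules already present in $conf, nothing to do" >&2
        return 0
    fi
    if ! grep -qF "$MARKER" "$conf"; then
        echo "marker line not found in $conf; refusing to edit" >&2
        return 1
    fi
    tmp="$conf.tmp.$$"
    # Copy every line; when the marker line comes up, emit the rules first.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$MARKER"*) mfe_rules ;;
        esac
        printf '%s\n' "$line"
    done < "$conf" > "$tmp"
    cp "$conf" "$conf.bak" && mv "$tmp" "$conf"
}

# Stand-alone use: edit the file named on the command line.
if [ -n "${1:-}" ]; then
    asl_add_mfe_rules "$1"
fi
```

The `file mfefw.log` action writes matching kernel messages to the new file defined by the `>` directive, and the following `ignore` rule stops further processing so the same lines are not also appended to system.log, which is the split the post describes. After editing the real /etc/asl.conf, syslogd has to be restarted (or the Mac rebooted) for the new rules to take effect.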