7 Replies Latest reply on Apr 11, 2017 12:55 AM by johnmoe

    ENS firewall security reports options

    rbalaa

      Hello,

       

      What kind of security reports can I view from the ePO console with regards to the Firewall? For example, the number of matching rule hits in total, OR which system got compromised the most. Basically, are there any tips on how to get a better overview of our systems under the firewall?

       

      Thank you.

        • 1. Re: ENS firewall security reports options
          johnmoe

          Once the ENS Firewall extension is installed into ePO, you should have new reports available under McAfee Groups --> Endpoint Security that start with "Endpoint Security Firewall:".  Of note are "Events in the last 24 hours", "Intrusion events in the last 24 hours", and "Traffic block events in the last 24 hours".  Those should get you started, and if you duplicate one and create a new query, you should be able to edit the new query to modify things like timeframe or event types.

          • 2. Re: ENS firewall security reports options
            rbalaa

            Thanks. I found the options you mentioned, however nothing seems to be uploading to the dashboard. Where should I be checking to make sure the firewall logs are being updated? I did set the options to "Treat McAfee GTI match as intrusion" and "Log matching traffic" just to see if that is what I needed to ensure logs are being uploaded to the console, however I have not seen any data yet.

            • 3. Re: ENS firewall security reports options
              johnmoe

              Do you mean there's no data in them?  Because I wasn't, but I figured it was a problem with my install; this server has been upgraded several times over the years, and changed hands a few times, so I've been slowly cleaning it up again.  But if you don't see anything either, then I'll log a call to see about getting it sorted out and report back.

              • 4. Re: ENS firewall security reports options
                rbalaa

                Yes, exactly, it says "No data found". Not all of the queries, but most of them, especially the ones that are useful like "event in the last 24 hours" etc...

                • 5. Re: ENS firewall security reports options
                  johnmoe

                  Ok, raising a case with McAfee; will let you know what they come back with.

                   

                  I've got data in "Compliance Status", "Errors", and "Status", but no others; is it the same for you?

                  • 6. Re: ENS firewall security reports options
                    rbalaa

                    I've also got data in "Compliance Status" and didn't have data anywhere else. However just now, I have one entry in "Events in the last 24 hours" and "Intrusion events in the last 24 hours". Again only one entry.

                     

                    The reason I started looking into this is when I saw this post:

                     

                    ePO Dashboard - GTI Host Firewall Events

                     

                    I'm looking to understand better how to build these tables. The reports listed from that post are very helpful. But it's over lots of time, I understand that, I just want to make sure I've set things up correctly. I'm using the pre-defined queries built into ePO. Is there a user community where we can download templates of these queries?

                    • 7. Re: ENS firewall security reports options
                      johnmoe

                      Have finally gotten resolution from support.  Basically, there are no events because no rules are set to "Treat match as intrusion" or "Log matching traffic" by default; even the default "Block Any Any" rule at the bottom that doesn't show doesn't have this.  So until you tell it to log something, it won't.  To test, we had gone into the client, reset the settings to default, and created a specific rule to block firefox.exe to port 80, and selected the "Log matching traffic" option.  I then opened Firefox, which unsurprisingly couldn't browse, and went back to the client and saw the events.  Sent the events back to ePO, and I now have client events in my queries.

                       

                      For the client rule count queries, these aren't the rules that are on the client; these are rules *created* by the client, either through the GUI or through Adaptive mode.  So even though I had quite a few rules being pushed to each client, these aren't the rules that these queries show, and since I'm overwriting client side rules and not running in adaptive mode, there's nothing there to display.