I want to use WMI to get information from our clients, but the McAfee firewall is blocking this.
I can't get this to work, so now I just disable the firewall, do my thing and turn it back on.
I want to bypass the firewall for a few IP addresses or find a solution to get WMI to work with McAfee, which seems impossible to do.
Does anybody know how I can set this up?
Thanks in advance for any advice!
We use Endpoint Security 10.5
You would need to enable incoming connections on port TCP/135 to the workstations you wish to allow WMI.
You first find your firewall policy that is applied to your workstations and make a new rule to allow incoming TCP/135.
There would also be some dynamic port ranges that may need to be opened alongside TCP/135; you can find out by reviewing your logs with the method below.
Ideally you would make it more secure by adding a network location that the connections will come from (the server/workstation that is sending out the WMI requests) in Edit Rule > Networks.
You can troubleshoot on your endpoint by opening up your FirewallEventMonitor log, located on your workstation in c:\programdata\mcafee\Endpoint Security\Logs\, and looking for any connections to TCP/135.
Depending on how busy your network traffic is to the workstation, I prefer to use cmtrace and watch the log in real time while trying to connect.
You can refer to the links below and use adaptive mode to create the rules automatically on the client machine, then review which rules you need and configure the rules as per your requirement.
How Adaptive mode affects the firewall
Using Adaptive mode
Below are the steps on how to enable adaptive mode for a single system.
1) Go to System tree, search for the system name, select it and click on action > agent > Edit policies on a single system.
2) Then make Product = Endpoint Security Firewall from the Product list.
3) Click on the Options policy and make a duplicate of this policy so that you can revert back to the previous policy after creating the rules.
4) Then go to the newly created copy policy.
5) Under Tuning Options, enable adaptive mode. [Note: adaptive mode is used only to configure rules; once done, you can disable adaptive mode.]
6) Apply this policy for the system on which you need to create the rules.
7) Once the rules are created under ENSFW on the client machine.
8) Then click on Collect and Send Properties on the Agent monitor so that the adaptive rules are sent back to ePO.
Then you can run the server task "Endpoint Security Firewall Property Translator" so that the rules created on the client machine are listed under ePO.
Then you have to go to "Menu > Reporting > Firewall Client Rules", select the rules and add them to the policies.
After following these steps, if you have any queries, let us know.
FYI, the original post was over 2 years ago.
Like @DEViANCE stated, review the FirewallEventMonitor.log file for logged details regarding the network connection that WMI uses. Ref https://kc.mcafee.com/corporate/index?page=content&id=KB90662
In doing some testing with WMIC in my test environment (where ENSFW is on the remote host that I'm using the WMIC command), I am seeing the below network traffic used by this connection. You'll need to identify if it's the same and determine how to best configure your firewall rules to allow it securely.
Alternatively, if you want to configure the Firewall to allow all network traffic to/from specific IP addresses, you can configure them as DEFINED NETWORKS -> TRUSTED in the Firewall Options policy. This is less secure, but will accomplish what you mentioned earlier.
Apologies, didn't even notice the post date.
Some good information for the archive either way 🙂
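
Added example, not part of any post in this thread: a PowerShell check, run from the management host that sends the WMI requests, that separates the two stages discussed above (the TCP/135 rule, then the dynamically assigned RPC port) so you know which firewall rule is still missing. The host name `CLIENT01.example.test` and the function name `Test-WmiThroughFirewall` are placeholders chosen for this example.

```powershell
# Placeholder target; replace with a workstation that has the ENS Firewall policy applied.
$target = 'CLIENT01.example.test'

function Test-WmiThroughFirewall {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{
        ComputerName = $ComputerName
        Tcp135Open   = $false
        DcomQueryOk  = $false
        Detail       = $null
    }

    # Stage 1: RPC endpoint mapper. WMI over DCOM always starts on TCP/135.
    $probe = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    $result.Tcp135Open = [bool]$probe.TcpTestSucceeded
    if (-not $result.Tcp135Open) {
        $result.Detail = 'TCP/135 blocked or host unreachable'
        return [pscustomobject]$result
    }

    # Stage 2: the query itself, which continues on a dynamically assigned RPC port.
    # If stage 1 passes and this fails, the dynamic port range is the likely gap.
    $session = $null
    try {
        $option  = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -SessionOption $option `
                                  -OperationTimeoutSec 15 -ErrorAction Stop
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.DcomQueryOk = $true
        $result.Detail      = $os.Caption
    }
    catch {
        $result.Detail = "TCP/135 open but DCOM query failed: $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
    [pscustomobject]$result
}

Test-WmiThroughFirewall -ComputerName $target
```

A stage 2 failure can also come from credentials or DCOM permissions, so confirm against the FirewallEventMonitor log on the endpoint before widening the rule.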