Hello @halmazid. It doesn't appear to be the rules I have in place. I implemented the rules 3 days ago and the network has been functioning just fine. Earlier today is when the network went down and once I changed the firewall to it being adaptive, everything came back up. When I pulled the firewalleventmonitor log, it showed my rules allowing traffic but then a sudden change to "Block all traffic" which is the hard-coded McAfee rule. It seems to me that for some reason, the firewall started to ignore all my rules and just dropped all the way to the bottom where the "Block all traffic" rule is. Could this be a bug with the version I have?

Hello @JDCast11 
Thank you for the clarification. I've checked internally and we are un-ware of a Bug with this behavior. We might have to investigate more on this. Firewall shouldn't ignore the user defined rules but we could ensure that if its doing so, by creating the "Allow any rule" mentioned in my previous reply. Depending on this we would have to setup further investigation.

Hi @JDCast11,

Thank you for your post. We are sorry to hear this issue. Can you kindly please share any 2 blocked traffic log, event and the rule that should have allowed it based on your configured rules? This is to determine if there was any common factor that may have resulted in the change. Looks like this might be a policy related issue. May I know how many machines have been affected?

Hello @AdithyanT. Sure! Basically, I have a DNS rule to my DNS servers through TCP/UDP 53. I noticed in the log that that traffic was successfully passing but at a random point all traffic started getting block. There were no changes in the policy and it was not hitting my personally defined "DENY ALL" rule. Essentially, at some random point, the ENS Firewall for some reason switched the the default McAfee "Block all traffic" rule even though my policy was still in effect. I tried looking at the debug logs but nothing seemed off to me. I'm not certain why this happened. As of right now, I have the policy enabled again and periodically testing to see if dns is working. So far so good, it has been active for a couple hours. But as I said in my initial post, this issue took a couple days to show up.

Hi @JDCast11,

Thank you for your response. This is certainly strange that the policy you applied did not work all of a sudden and that the debug logs do not evince much information as well. I am fairly confident that the property translator task did not have much to do with this as explained by my peers above. But the issue and its nature of being random is very concerning. Can you kindly please log a Service Request so that w can investigate this better over a remote session.

If you feel that the already logged information is of no use, then may be you can wait for the issue to come up and log a ticket with us. Please ensure Debug logging is enabled via the Endpoint Security common policy. My apologies for not being of much use here as is is very necessary that we look into logs to see what is exactly happening.

Also if you can share a screengrab of the rule and it's corresponding "Block" activity in the event or log, we can perhaps try to find out if it was blocked owing to a change in the specific traffic that did not perhaps comply with the allow rule in place!

Hello, seems like the issue is no longer present. I believe that this could have been a bug when we updated our esxi host to 6.7.

Hi @JDCast11,

Glad to hear the issue is resolved, however I could not see any known issues present with respect to your scenario to explain this behavior. All said and done, I am very glad your issue is fixed and thank you for taking your time to update us! Kudos to you for the same!