Hi,
I have a question regarding adaptive mode on the ENS firewall. When we add the adaptive mode rule to the existing policy/rule, will it only be used by the system or client that was detected using the adaptive rule? For example, the Webex application uses incoming UDP ports 1,2,3,4, used by units A,B,C,D,E,F.
Is it only systems A, B, C, D, E, F that will use that rule? Or the entire set of systems in one group with A, B, C, D, E, F (if we assume the added rules are applied to the group)?
Hi @Dwee
Thank you for reaching out to the Community.
With regard to the Firewall, if UDP is blocked and Unit A has Firewall adaptive mode enabled, then UDP traffic on that port will work on unit A.
If Firewall adaptive mode is enabled via policy, then all units will have this policy and allow the UDP traffic flow accordingly. The drawback here is that all units start to trigger multiple rules.
You can refer to the product guide above.
Was my reply helpful?
If yes, please give me a Kudo.
If I have answered your query, kindly mark this as the solution so that together we help other community members.
So the adaptive client rule works just like TIE reputation? I mean, when we add it to an existing firewall rule, is it only applied to the system/unit/client that has been recorded using that port? Not automatically applied to all units in the group/subgroup as well?
Hi @Dwee
To simplify ENS Firewall Adaptive mode functionality, its main feature is to help build your Firewall Rules policy by "learning" what network activity is happening on the Firewall client(s). Instead of having to manually create every single firewall rule you might need in your environment, Adaptive helps with a "what's in my environment now?" list of rules to help you get started. Those "learned" rules are then uploaded to ePO and processed, so the Firewall admin can use those rules to "build" an appropriate firewall policy. You enable Adaptive mode on a system or group of systems in order to "learn" what application network traffic is going in/out of those systems.
Once you have a list of "learned" Firewall client rules from those clients, you will then need to review these rules to determine which need to be added to the Firewall Rules policy for your clients. The applied Firewall Rules policy is applied to whatever firewall clients you have assigned to it. If you've added a firewall rule for Webex (as the example you mentioned), then you will need to review all the "learned" firewall client rules and determine the "end" rule to add to your policy. Usually, you only need to add one or a couple of rules for an application (depending on how strict you want the rules to be).
The "learned" client rules will be specific to each system that they were "learned" on; however, after adding the client rule to the Firewall Rules policy, you will need to modify the rule to reevaluate the specifics (e.g. the client rule will have the MD5 hash of the rule, which would only work for that specific Webex executable). Unless you can guarantee that all your managed clients are running that exact same MD5-hashed executable, you might want to consider removing that attribute from the rule. Null values (or <BLANK>) equal an "ANY or ALL" pattern (i.e. ignore that criterion).
Add what firewall client rules you need, and ignore the rest (which the Firewall will block once Adaptive mode is disabled and local client rules are purged by disabling the "RETAIN EXISTING CLIENT RULES" option). Tweak the rules as needed (e.g., you don't need 10 Webex rules; consider combining rules into one or a couple, such as when only the remote port, the executable file path location, the IP address, etc. differs).
Your Firewall Rules policy will be unique to your environment, your security needs, and sometimes even by client type (servers vs workstations vs laptops). You can use the Firewall Catalog to "share" firewall rules/groups/etc. amongst multiple firewall rules policies to help manage them more efficiently.
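The following is an added example, not code from the thread, from the ENS product, or its actual rule format. It models the two points in the answer above as a small Python simulation: a blank criterion (None) matches ANY, and a rule "learned" on one client carries that client's executable hash, so it will not match the same application on a unit whose build has a different hash until the hash attribute is blanked and the per-port client rules are combined into one policy rule. Rule attribute names, the Webex path, the hashes and the ports are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, Iterable, List, Tuple

# Hypothetical model of a firewall rule.  Any criterion set to None stands
# for the blank "ANY / ALL" value described in the thread and is ignored
# when matching.  This is not the ENS rule schema.
@dataclass(frozen=True)
class Rule:
    name: str
    executable: Optional[str]              # full path of the process, None = any
    md5: Optional[str]                     # hash of that executable, None = any
    protocol: Optional[str]                # "UDP" / "TCP", None = any
    direction: Optional[str]               # "in" / "out", None = any
    local_ports: Optional[FrozenSet[int]]  # None = any port
    action: str = "allow"

# A single observed connection to evaluate against the rules.
@dataclass(frozen=True)
class Flow:
    executable: str
    md5: str
    protocol: str
    direction: str
    local_port: int

def matches(rule: Rule, flow: Flow) -> bool:
    """True when every non-blank criterion of the rule equals the flow's value."""
    def ok(criterion, value):
        return criterion is None or criterion == value
    return (ok(rule.executable, flow.executable)
            and ok(rule.md5, flow.md5)
            and ok(rule.protocol, flow.protocol)
            and ok(rule.direction, flow.direction)
            and (rule.local_ports is None or flow.local_port in rule.local_ports))

def decide(policy: Iterable[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is blocked (implicit deny)."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "block"

def consolidate(learned: Iterable[Rule], keep_md5: bool = False) -> List[Rule]:
    """Merge learned client rules that differ only by port or hash into one
    policy rule per (executable, protocol, direction).  The MD5 is dropped
    unless keep_md5 is set and every learned rule in the group shares it."""
    groups = {}
    for r in learned:
        groups.setdefault((r.executable, r.protocol, r.direction), []).append(r)
    merged = []
    for (exe, proto, direction), rules in groups.items():
        if any(r.local_ports is None for r in rules):
            ports = None
        else:
            ports = frozenset().union(*(r.local_ports for r in rules))
        hashes = {r.md5 for r in rules}
        md5 = hashes.pop() if keep_md5 and len(hashes) == 1 else None
        merged.append(Rule(f"policy-{exe}-{proto}-{direction}", exe, md5,
                           proto, direction, ports))
    return merged

# Constructed sample: adaptive-mode rules "learned" on units A..F, one port
# each, every unit with its own executable hash.  Placeholder values only.
WEBEX = r"C:\Program Files\Webex\webex.exe"
LEARNED = [
    Rule(f"client-{unit}", WEBEX, f"md5-unit-{unit}", "UDP", "in", frozenset({port}))
    for unit, port in zip("ABCDEF", [1, 2, 3, 4, 1, 2])
]

def demo() -> Tuple[str, str, str, int]:
    policy = consolidate(LEARNED)
    # Unit G was never in adaptive mode and runs a build with another hash.
    new_unit_flow = Flow(WEBEX, "md5-unit-G", "UDP", "in", 3)
    unexpected_port = Flow(WEBEX, "md5-unit-G", "UDP", "in", 5)
    return (
        decide(LEARNED, new_unit_flow),   # learned rules are hash-specific
        decide(policy, new_unit_flow),    # consolidated rule has a blank hash
        decide(policy, unexpected_port),  # port never learned -> blocked
        len(policy),
    )

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `("block", "allow", "block", 1)`: the six raw client rules block unit G because none carries its hash, the single consolidated rule allows it on the learned ports, and a port no client ever reported stays blocked, which is the behaviour to expect once Adaptive mode is turned off and the local client rules are purged.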