Hello,
Had a few questions regarding the blocked traffic logs shown in FirewallEventMonitor.log. As seen on another thread, it is possible to turn these on so that they are displayed in the UI as events in ePO (thread: https://communitym.trellix.com/t5/Endpoint-Security-ENS/Firewall-Events-not-showing-in-in-GUI-Event-...).
In the log, most of the observed entries fall under "Matched Rule: Block all traffic". If they were to be turned on, would there be a possibility to differentiate them more, or would they all be under the same event?
Any idea how much additional space these events could take?
Thanks in advance for any information.
Hi @Elvinas ,
Thank you for reaching us on the community!
If you want all block events to be sent to ePO, then you will have to enable this in the ENS Common Options policy so that the firewall reports 'All' events, because the 'traffic blocked by firewall' event falls under the "info" category. By default, only 'critical and alert' category events are sent to ePO.
With that said, it is important to note that this configuration is not recommended all the time. This is because the ENS firewall is designed with a hard-coded "block all traffic" rule, which will generate thousands of events at a time, and this is capable of breaking your SQL server if you are using ePO on-prem with SQL.
You can imagine rules arranged in a stack.
When traffic is generated, the ENS firewall compares the traffic with each and every rule in the Firewall Rules policy (the rule stack) in a top-down approach.
The "block all traffic" rule is hard-coded to be at the bottom of the stack.
So any allow or block rule that is configured by you, or that comes by default, is given preference. All other traffic that doesn't match any rule in the rule stack of the Firewall Rules policy makes its way to the bottom of the stack, and finally that traffic is blocked by the 'block all traffic' rule.
Let's say you have another rule at the top of the stack to block port 3389 and you name the rule "block remote". Once the policy is applied to a machine and you try to RDP into that machine, the traffic will be blocked by the ENS firewall based on the "block remote" rule created by you. So, in FirewallEventMonitor.log you will see the logging as "Matched Rule: block remote".
By default, FirewallEventMonitor.log takes only 10 MB of space on disk, and the log will roll over very fast if there is a lot of traffic being generated. The rate at which this log can roll over depends on the amount of traffic being generated and whether you have only 'log all blocked traffic' enabled or 'log all allowed traffic' as well.
I hope this helps.
-Rohit Francis
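As an added illustration (my own example code, not from this thread or from Trellix), here is a toy first-match rule stack like the one described above, with the "block remote" rule from the post and an assumed "Allow web" rule above the hard-coded catch-all, plus a summary over constructed log lines that shows which protocol/port combinations are falling through to "Block all traffic" so that explicit rules could be placed above it. The log line layout and field names are assumptions for the example, not the real FirewallEventMonitor.log format.

```python
import re
from collections import Counter

# Rule stack evaluated top-down, as the post describes; the last entry models
# the hard-coded 'Block all traffic' catch-all at the bottom (None = any).
# "Allow web" is a made-up rule for this example; "block remote" is from the post.
RULES = [
    {"name": "block remote", "action": "block", "proto": "TCP", "dport": 3389},
    {"name": "Allow web", "action": "allow", "proto": "TCP", "dport": 443},
    {"name": "Block all traffic", "action": "block", "proto": None, "dport": None},
]

def match_rule(proto, dport):
    """Return (name, action) of the first rule in the stack that matches the flow."""
    for rule in RULES:
        if rule["proto"] in (None, proto) and rule["dport"] in (None, dport):
            return rule["name"], rule["action"]
    raise RuntimeError("unreachable: the catch-all rule matches everything")

# Constructed sample lines in an assumed layout (not the real log format).
SAMPLE_LOG = """\
2024-05-01 09:00:01 Blocked TCP 10.0.0.5:51000 -> 10.0.0.9:3389 Matched Rule: block remote
2024-05-01 09:00:02 Blocked TCP 10.0.0.5:51001 -> 10.0.0.9:445 Matched Rule: Block all traffic
2024-05-01 09:00:02 Blocked UDP 10.0.0.5:51002 -> 10.0.0.9:137 Matched Rule: Block all traffic
2024-05-01 09:00:03 Blocked TCP 10.0.0.7:51003 -> 10.0.0.9:445 Matched Rule: Block all traffic
2024-05-01 09:00:04 Allowed TCP 10.0.0.5:51004 -> 10.0.0.9:443 Matched Rule: Allow web
"""
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>\w+) \S+ -> \S+:(?P<dport>\d+) "
    r"Matched Rule: (?P<rule>.+)$"
)

def summarize(log_text):
    """Count hits per rule and, for the catch-all, break them down by
    protocol/destination port so explicit rules can be placed above it."""
    per_rule, catch_all = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        per_rule[m["rule"]] += 1
        if m["rule"] == "Block all traffic":
            catch_all[(m["proto"], int(m["dport"]))] += 1
    return per_rule, catch_all

def events_before_rollover(avg_line_bytes, cap_bytes=10 * 1024 * 1024):
    """Rough number of entries the default 10 MB log holds before rolling over."""
    return cap_bytes // avg_line_bytes
```

The catch-all breakdown is the practical answer to the "can they be differentiated" question: entries only get a distinct rule name once a rule above the catch-all matches them, so the summary tells you which explicit rules would be worth adding.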
Thank you for the detailed response. Found it quite helpful.
Hi @Elvinas
Please be aware of the KB below. Logging excessive events to the ePO server (which includes the ENS console Events menu) can cause issues.
KB90177 - Enabling the 'Treat match as intrusion' or 'Log matching traffic' logging options might cause high CPU use
https://kcm.trellix.com/corporate/index?page=content&id=KB90177