cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Former Member
Not applicable
Report Inappropriate Content
Message 1 of 3
‎08-30-2018 10:38 AM

McAfee ePO ENS Firewall 10.5 Allow Rule Bypassed

Good Afternoon Community,

I am building out and deploying the ENS 10.5 firewall for my organization and have had great success thus far.  However, I came across a rule that I have created (MICROSOFT.EXCHANGE.IMAP4SERVICE.EXE)  that is hitting the Deny All Traffic rule at the bottom of the policy. 

Example from Splunk:

08/30/2018 12:29:33 PM Event: Traffic IP Address: x.x.x.x Description: Path: E:\PROGRAM FILES\MICROSOFT\EXCHANGE SERVER\V15\CLIENTACCESS\POPIMAP\MICROSOFT.EXCHANGE.IMAP4SERVICE.EXE Message: Blocked Incoming TCP - Source x.x.x.x : (55437) Destination x.x.x.x : (1993) Matched Rule: Deny All Traffic
Collapse

Rule:

MICROSOFT.EXCHANGE.IMAP4SERVICE.EXE

Enabled

Allow

In

IPv4

TCP 

Local: 143, 993, 1024-65535

Remote: 1024-65535

Application : MICROSOFT.EXCHANGE.IMAP4SERVICE.EXE

 

I verified the path, ports, name, direction, everything is correct and the logs match what should be allowed.  The rule is part of a group (not a connection isolation or timed group) in the policy along with all of my other rules. I probably have over 100 rules altogether in this one group.  The fix I found was adding the same rule, with no changes to it, and placed it above the group so when the policy is ran against traffic it'll hit that rule first before it hits the group.. and from what I've seen it's working.  All of the other rules are working in the environment/network.  Two questions, is there a limit of firewall rules/groups that can be used in a single policy, and why is the rule working on its own and not within the group?  


HuebieHueberson

0 Kudos
Reply
2 Replies
ktankink
Employee
Employee
Report Inappropriate Content
Message 2 of 3
‎08-30-2018 01:46 PM

Re: McAfee ePO ENS Firewall 10.5 Allow Rule Bypassed

 

is there a limit of firewall rules/groups that can be used in a single policy

There is no direct limit to how many rules/groups you can have in a policy, but if you're trying to manage your entire environment with a "one size fits all" policy, then you will run into issues.  The Firewall policies being applied to your systems should be unique to that environment (e.g., if you have separate Firewall groups/rules that are unique to Desktop vs Servers, then that should be 2 (maybe more; e.g., Web vs SQL servers) polices and not a single policy where half of the rules apply to Desktops and the other half to Servers).  Same goes for other categories, like Workstations vs Laptops, etc. If you want differnet rules for different systems, build separate policies for them.  If you have some Firewall groups/rules that you want to share between policies, that's where the ENS Firewall Catalog will come in handy.  That will allow you to share groups/rules between FW Rule policies. This keeps your policies manageable and becoming too bloated.

 

why is the rule working on its own and not within the group

We would need details (e.g., the exported XML rule policy you created vs the traffic being blocked) to compare to see why the rule didn't work.  It would be best if you opened a Service Request with McAfee Support to go over those details privately outside of this public forum.   My first thought is that your Firewall Group may have filter.  In the FW Group itself, if you set any options to filter traffic, that will affect the FW Rules inside the group.  For example, if your FW Group is set to OUTBOUND traffic only, and you put a bi-direction ALLOW ALL inside this group, the FW rule will only apply to outbound traffic because the Group is limiting traffic even though the Rule allows both IN and OUT.  Same logic applies to any other Group details you might include.   This may or may not be the cause, but again, our technicians can review that issue more closely, if you can provide the details.


https://support.mcafee.com/ServicePortal/
https://www.mcafee.com/enterprise/en-us/home/contact-us.html

 

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 3 of 3
‎08-31-2018 10:12 AM

Re: McAfee ePO ENS Firewall 10.5 Allow Rule Bypassed

Thank you for the quick response ktankink!

My environment has a few different firewall policies for server groups and workstation groups along with more critical server infrastructure being separated out.  This server is for general servers in the environment with Exchange being included.  However, there are several rules inside this policy.  In my previous organization we had separated out the servers and workstations into their own policies and it worked very well, especially for admin overhead being significantly reduced.  I built out all of my rules inside the firewall catalog, then put the rules into groups to place into the policies.  So pretty straight forward and thus far its worked well. 

The group that I made is only a placeholder.  I haven't put any filters on it for any specific direction or network.  I use the groups for identifying a ruleset and don't use any of the group capabilities.  I can open an SR.  I was just curious if anyone has experienced a rule not working but the rest are.  Just odd to me.  Thank you again for your help 🙂

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC