Request for KB to fully explain ENS Firewall Logging in Detail (w/ scenarios)

Related Options in ePO:

ePO Policy > Endpoint Security Firewall: Firewall

☐ Treat match as intrusion
☐ Log matching traffic

ePO Server Settings > Event Filtering

☑ 35000: Traffic allowed by Firewall (Info)
☑ 35001: Firewall intrusion detected and handled (Info)

Questions I've asked support about, multiple times, and I cannot seem to get a clear or consistent answer:

  1. Does enabling the "Log matching traffic" checkbox inside an ENS firewall rule trigger Event ID 35000 in ePO?

  2. Does enabling the "Log matching traffic" checkbox inside an ENS firewall rule trigger an event in the ENS UI Event Log?

  3. Does enabling the "Treat match as intrusion" checkbox inside an ENS firewall rule trigger Event ID 35001?

  4. Does enabling the "Treat match as intrusion" checkbox inside an ENS firewall rule trigger an event in the ENS UI Event Log?

  5. If both the "Log matching traffic" and "Treat match as intrusion" checkboxes are enabled, are two events created in ePO for the same rule when it is triggered?

  6. Is there any way to log events only in the local ENS UI Event Log (like HIPS used to do natively) and not send an event to ePO?

  7. If "Log matching traffic" is enabled in a firewall rule and the rule is set to "Block," does that trigger Event ID 35000 in ePO? If so, this is misleading because the event description is "Traffic Allowed by Firewall."

3 Replies
Former Member
Not applicable
Message 2 of 4

Re: Request for KB to fully explain ENS Firewall Logging in Detail (w/ scenarios)

You can find this info in the product guide:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27580/en_US/...

• Treat match as intrusion — Treats traffic that matches the McAfee GTI block threshold setting as an intrusion and displays an alert.

• Log matching traffic — Treats traffic that matches the McAfee GTI block threshold setting as a detection and displays an event in the Event Log on the Endpoint Security Client. Firewall also sends an event to McAfee ePO.

ktankink
Employee
Message 3 of 4

Re: Request for KB to fully explain ENS Firewall Logging in Detail (w/ scenarios)

Hi @securitasis, from my testing with ENSFW 10.6.1 July Update:

Questions I've asked support about, multiple times, and I cannot seem to get a clear or consistent answer:

  1. Does enabling the "Log matching traffic" checkbox inside an ENS firewall rule trigger Event ID 35000 in ePO? {KT} Event ID 35000 (allow) or 35002 (blocked) will be triggered. ENS Event IDs are listed in KB85494. Also review a known issue in KB90177 with "Log matching traffic" on generic allow/block Firewall rules.


    35000 event_name_35000=Traffic allowed by Firewall
    event_desc_35000=Traffic allowed by Firewall
    Firewall
    35001 event_name_35001=Firewall intrusion detected and handled
    event_desc_35001=Firewall intrusion detected and handled
    Firewall
    35002 event_name_35002=Traffic blocked by Firewall
    event_desc_35002=Traffic blocked by Firewall
    Firewall
    35003 event_name_35003=Firewall added adaptive rule
    event_desc_35003=Firewall added adaptive rule
    Firewall
    35009 event_name_35009=Firewall is disabled from Mctray
    event_desc_35009=Firewall is disabled from Mctray
    Firewall
    35010 event_name_35010=Firewall timed groups are enabled from McTray
    event_desc_35010=Firewall timed groups are enabled from McTray
    Firewall
    35011 event_name_35011=Firewall policy was corrupt and has been repaired
    event_desc_35011=Firewall policy was corrupt and has been repaired
    Firewall
    35012 event_name_35012=Firewall policy has been replaced with a new copy
    event_desc_35012=Firewall policy has been replaced with a new copy
    Firewall








  2. Does enabling the "Log matching traffic" checkbox inside an ENS firewall rule trigger an event in the ENS UI Event Log? {KT} Yes. "Log matching traffic" triggers an ePO event, which shows in the ENS Console as Threat Category = Traffic detected.

  3. Does enabling the "Treat match as intrusion" checkbox inside an ENS firewall rule trigger Event ID 35001? {KT} Yes; the event will show in the ENS Console as Threat Category = Intrusion Detected, which is Event ID 35001.

  4. Does enabling the "Treat match as intrusion" checkbox inside an ENS firewall rule trigger an event in the ENS UI Event Log? {KT} Yes; the event will show in the ENS Console as Threat Category = Intrusion Detected.

  5. If both the "Log matching traffic" and "Treat match as intrusion" checkboxes are enabled, are two events created in ePO for the same rule when it is triggered? {KT} No, the "Treat match as intrusion" event overrides the "Log matching traffic" option.

  6. Is there any way to log events only in the local ENS UI Event Log (like HIPS used to do natively) and not send an event to ePO? {KT} No; this is how ENS Firewall logging is designed, and it differs from HIPS 8.0 Firewall. The design is intended for reviewing the FirewallEventMonitor.log file for allowed/blocked network traffic rule matches. With HIPS 8.0 FW, the Firewall activity was written to the console because the raw event.log file was not really human readable and had to be specifically exported (with the EXPORT button) from within the HIPS ClientUI (or converted with ClientControl.exe) to get a human-readable file format (like what ENSFW has today).

  7. If "Log matching traffic" is enabled in a firewall rule and the rule is set to "Block," does that trigger Event ID 35000 in ePO? If so, this is misleading because the event description is "Traffic Allowed by Firewall." {KT} As above, "Log matching traffic" on a BLOCK rule is Event ID 35002. If you are seeing this issue, please report it to McAfee Support with debug data; ref KB90662.

Also, if you would like to request changes to how ENS Firewall logging works, please submit a PER for review; ref KB60021.
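The event IDs and the override behaviour from this answer, modelled as an added example (not McAfee's or the thread's code): a predictor for which ePO event a rule's checkbox combination produces, and a triage pass that separates traffic events from the policy-health events (35009/35011/35012) a SOC would normally alert on. The sample records are constructed and follow no real ePO export format.

```python
"""ENS Firewall event behaviour as described in the thread, plus a triage pass
over ePO firewall events. Added example; sample records are constructed."""
from collections import Counter

# Event IDs as listed in the answer (reference: KB85494).
FIREWALL_EVENTS = {
    35000: "Traffic allowed by Firewall",
    35001: "Firewall intrusion detected and handled",
    35002: "Traffic blocked by Firewall",
    35003: "Firewall added adaptive rule",
    35009: "Firewall is disabled from Mctray",
    35010: "Firewall timed groups are enabled from McTray",
    35011: "Firewall policy was corrupt and has been repaired",
    35012: "Firewall policy has been replaced with a new copy",
}
# Firewall disabled locally or policy repaired/replaced: the enforcement point itself changed.
POLICY_HEALTH_EVENTS = {35009, 35011, 35012}


def expected_event_id(action, log_matching, treat_as_intrusion):
    """Event ID a rule match raises in ePO, or None when nothing is logged.
    Per the accepted answer: "Treat match as intrusion" overrides "Log matching
    traffic" (35001); logging alone gives 35000 on Allow and 35002 on Block."""
    if treat_as_intrusion:
        return 35001
    if log_matching:
        return 35000 if action.lower() == "allow" else 35002
    return None


def triage(events):
    """Count (event_id, detail) pairs per ID; return (counts, alerts) where
    alerts holds policy-health events and IDs missing from the known table."""
    counts, alerts = Counter(), []
    for event_id, detail in events:
        counts[event_id] += 1
        name = FIREWALL_EVENTS.get(event_id)
        if name is None:
            alerts.append((event_id, "unknown firewall event ID", detail))
        elif event_id in POLICY_HEALTH_EVENTS:
            alerts.append((event_id, name, detail))
    return counts, alerts


# Constructed sample batch (hostnames and rule names are made up).
SAMPLE_EVENTS = [
    (35000, "rule=Allow DNS host=WS01"),
    (35002, "rule=Block inbound SMB host=WS01"),
    (35001, "rule=Block inbound SMB (intrusion) host=WS02"),
    (35009, "host=WS03"),
]
```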

Re: Request for KB to fully explain ENS Firewall Logging in Detail (w/ scenarios)

Thank you, Kary. Long time no see/chat. You are the best!