How to troubleshoot an application or network traffic when using Endpoint Security Firewall
Technical Articles ID:   KB90662
Last Modified:  7/9/2019

Environment

McAfee Endpoint Security (ENS) Firewall 10.x

Summary

Recent updates to this article
July 8, 2019: Added KB90837 for ENS McAfee GTI Network Reputation troubleshooting.


Third-party applications being blocked by ENS Firewall:
If the ENS Firewall blocks a third-party application from functioning properly, contact the third-party application vendor support team and request documentation about the specific network traffic that must be allowed through the ENS Firewall. The third-party vendor website might also document the network traffic the application needs. With the documented network traffic requirements, you can create firewall rules that allow that traffic through the ENS Firewall so that the third-party application functions properly.


Use the following steps to troubleshoot an application or network traffic when using ENS Firewall:
  1. Enable debug logging for the ENS Firewall module
  2. Enable the "Log all blocked traffic" and "Log all allowed traffic" firewall logging options
  3. Test by enabling the ENS Firewall Adaptive mode feature
  4. Test by using an ALLOW ANY policy
  5. Test by allowing unsupported protocols
  6. Test by disabling the McAfee GTI Network Reputation functionality
  7. Test by disabling the GTI "Block all untrusted executables" functionality
  8. Test by disabling the "Allow only outgoing traffic until firewall services have started" feature
  9. Test by disabling the McAfee core networking rules
  10. Collect data using McAfee Minimum Escalation Requirements (MER), FWInfo, AMTrace tools, and network capture software


Enable debug logging for the ENS Firewall module
  • For ePolicy Orchestrator (ePO) managed systems:
    1. Open the ePO console.
    2. Edit the Endpoint Security Common, Options policy.
    3. Click Show Advanced.
    4. Select Enable for Firewall under the Debug Logging section.
    5. Save the policy.
       
  • For standalone systems that are not managed by ePO:
    1. Open the ENS console from the McAfee Agent system tray icon, or by running the application "\Program Files (x86)\McAfee\Endpoint Security\Endpoint Security Platform\MFEConsole.exe".
    2. Click the Firewall module or click the down arrow in the top-right corner, and then click Settings.

      NOTE: You might need to first unlock the ENS console using Administrator Log On.
       
    3. Click the Common section.
    4. Click Show Advanced.
    5. Select Enable for Firewall under the Debug Logging section.
    6. Click Apply.

Enable the "Log all blocked traffic" and "Log all allowed traffic" firewall logging options
  1. Enable the Log all blocked traffic and Log all allowed traffic firewall logging options:
    • For ePO managed systems:
      1. Open the ePO console.
      2. Edit the Endpoint Security Firewall, Options policy.
      3. Click Show Advanced.
      4. Select Log all blocked traffic and Log all allowed traffic under the Tuning Options section.
      5. For Global Threat Intelligence (GTI) related activities, select Log matching traffic under the McAfee GTI Network Reputation section.
      6. Save the policy.
         
    • For standalone systems that are not managed by ePO:
      1. Open the ENS console.
      2. Open the Firewall module settings.
      3. Select Log all blocked traffic and Log all allowed traffic under the Tuning Options section.
      4. For Global Threat Intelligence (GTI) related activities, select Log matching traffic under the McAfee GTI Network Reputation section.
      5. Click Apply.
         
  2. Reproduce the issue.
  3. Review the FirewallEventMonitor.log file, located in the directory \ProgramData\McAfee\Endpoint Security\Logs\, for details about the blocked and allowed network traffic.

Test by enabling the ENS Firewall Adaptive mode feature
Be aware of the limitations of the ENS Firewall Adaptive mode feature. There are conditions where the ENS Firewall cannot automatically create client rules. See the relevant Endpoint Security Product Guide for details; for example, the "FAQ - Adaptive mode" section of the Endpoint Security 10.6.0 Firewall Product Guide (PD27580).
For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.
  1. Edit the Endpoint Security Firewall, Options policy from the ePO console or the ENS console.
  2. Click Show Advanced.
  3. Select Enable Adaptive mode (creates rules on the client automatically) under the Tuning Options section.
  4. Apply the modified policy to the client and retest the issue. If the issue is resolved, continue to the next step. If the issue is not resolved, continue to the next section.
  5. Open the ENS console and open the Firewall menu.
  6. Scroll down to the Rules section and review the Adaptive firewall group.
  7. Expand the Adaptive firewall group and review the client rules to determine why the new rules were created. Firewall client rules might be created for various reasons. If other firewall rules already exist in the policy for that specific application or network traffic, modify those existing rules as needed, or create new firewall rules in the policy. If you believe that the rules were created in error, contact Technical Support for further investigation. See the "Related Information" section for contact details.

Test by using an ALLOW ANY policy
To implement an ALLOW ANY policy, you must modify the Endpoint Security Firewall, Options, and Rules policies with the settings described below.
  1. Edit the Endpoint Security Firewall, Options policy as follows, using the ePO console or the ENS console:
    1. Click Show Advanced.
    2. In the Firewall section, select Enable Firewall.
    3. In the Protection Options section, configure the following options:
      • Allow traffic for unsupported protocols - Enabled
      • Allow only outgoing traffic until firewall services have started - Disabled
      • Allow bridged traffic - Enabled
    4. In the Tuning Options section, configure the following options:
      • Enable Adaptive mode - Disabled
      • Disable McAfee core networking rules - Enabled
        NOTE: McAfee recommends that this feature remain enabled; disabling McAfee core networking rules might disrupt network communications on the client.
      • Log all blocked traffic - Enabled
      • Log all allowed traffic - Enabled
    5. In the McAfee GTI Network Reputation section, configure the following options:
      • Treat McAfee GTI match as intrusion - Disabled
      • Log matching traffic - Enabled
      • Block all untrusted executables - Disabled
      • Incoming network-reputation threshold - Do not block
      • Outgoing network-reputation threshold - Do not block
      • For ENS 10.6.0 and later, the McAfee GTI ratings server is not reachable and no configuration is required.
    6. In the DNS Blocking section, no configuration is needed.
    7. In the Defined Networks section, no configuration is required.
    8. In the Trusted Executables section, no configuration is required.
  2. Edit the Endpoint Security Firewall, Rules policy as follows from the ePO console or the ENS console:
    1. Click Add Rule.
    2. In the Description section, configure the following settings:
      • Name - ALLOW ANY
      • Status - Enable rule
      • Actions - Allow
      • Treat match as intrusion - Disabled
      • Log matching traffic  - Disabled
      • Direction - Either
    3. In the Networks section, configure the following settings:
      • Network protocol - Any protocol
      • Connection types - Select all types shown.
      • Specify Networks - No configuration is needed.
    4. In the Transport section, configure the following setting:
      • Transport protocol: All protocols
    5. In the Applications section, no configuration is needed.
    6. In the Schedule section, configure the following setting:
      • Enable schedule - Disabled
         
  3. Retest the issue.

    If the issue is resolved, expand all firewall rule groups in the named policy and analyze each of the firewall rules from the top down. Pay special attention to those rules that have BLOCK as the action. Based on this review, move the Any-Any rule down to various positions in the rule set and retest after each move; by repeating this several times, you can usually determine which rule is blocking the application. If no such rule is located, add the proper rule to the firewall policy set and retest.

    NOTE: Verify that the application details match the executable details appropriately. For example, the File description value must be the exact application description; this value is not a comment value for the application. See KB71735 for details.
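The move-and-retest procedure above, as an added example that is not part of this article or of any McAfee tool. It assumes what the article relies on, namely that the firewall evaluates rules top down and the first match wins, and it goes slightly beyond the text by choosing the insertion positions for the Any-Any rule with a binary search instead of by hand. The rule set, rule names and the test flow are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One ordered firewall rule; None in a match field means 'any'."""
    name: str
    action: str                        # "ALLOW" or "BLOCK"
    direction: Optional[str] = None    # "IN" or "OUT"
    proto: Optional[str] = None        # "TCP", "UDP", "ICMP"
    port: Optional[int] = None         # destination port

    def matches(self, flow):
        return all(want is None or want == flow[key] for key, want in
                   (("direction", self.direction), ("proto", self.proto), ("port", self.port)))

ALLOW_ANY = Rule("ALLOW ANY", "ALLOW")   # the Any-Any rule from the article

def evaluate(rules, flow):
    """First matching rule decides; a flow that no rule matches is treated as blocked."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "BLOCK"

def find_blocking_rule(rules, flow):
    """Return the BLOCK rule that catches `flow`, or None when no explicit rule
    blocks it (then the fix is to add the proper ALLOW rule rather than move one)."""
    if evaluate(rules + [ALLOW_ANY], flow) == "ALLOW":
        return None
    # With ALLOW ANY inserted at position k the flow stays blocked only once the
    # prefix rules[:k] already contains the first matching (BLOCK) rule, so the
    # outcome is monotonic in k and the smallest such k can be binary-searched.
    lo, hi = 1, len(rules)
    while lo < hi:
        mid = (lo + hi) // 2
        if evaluate(rules[:mid] + [ALLOW_ANY] + rules[mid:], flow) == "BLOCK":
            hi = mid
        else:
            lo = mid + 1
    return rules[lo - 1]   # first rule that matched the flow; it is a BLOCK rule

# Constructed rule set (ordered as in a Firewall Rules policy) and a constructed flow.
RULES = [
    Rule("Allow DNS out", "ALLOW", "OUT", "UDP", 53),
    Rule("Allow HTTPS out", "ALLOW", "OUT", "TCP", 443),
    Rule("Block Telnet in", "BLOCK", "IN", "TCP", 23),
    Rule("Block all inbound TCP", "BLOCK", "IN", "TCP"),
    Rule("Allow inbound ICMP", "ALLOW", "IN", "ICMP"),
]
FLOW = {"direction": "IN", "proto": "TCP", "port": 8443}
```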

Test by allowing unsupported protocols
Enable the Allow traffic for unsupported protocols option in the Endpoint Security Firewall, Options policy, and retest to check whether this action resolves the issue.


Test by disabling the McAfee GTI Network Reputation functionality
Set the Incoming network-reputation threshold and Outgoing network-reputation threshold to Do not block in the Endpoint Security Firewall, Options policy, and then retest to confirm whether this action resolves the issue. The McAfee GTI Network Reputation feature processes network traffic before the firewall rules contained in the Firewall Rules policy, so an Allow Any-Any firewall rule in that policy does not override a GTI block. If network traffic is being blocked by the McAfee GTI Network Reputation functionality, see KB90837 for further details.



Test by disabling the GTI "Block all untrusted executables" functionality
Disable the Block all untrusted executables option in the Endpoint Security Firewall, Options policy, and then retest to confirm whether this action resolves the issue. This feature blocks all executables that are not signed or have an unknown GTI reputation. For details about this feature, see KB90096. Network traffic blocked by this feature is logged in the FirewallEventMonitor.log file with the entry: Matched Rule:  Executable verification Rule.
 

Test by disabling the "Allow only outgoing traffic until firewall services have started" feature
Disable the Allow only outgoing traffic until firewall services have started option in the Endpoint Security Firewall, Options policy, and then retest to check whether this action resolves the issue. This feature creates a set of hard-coded Firewall rules in the kernel during Windows boot time, which are removed when the ENS services have fully started. These rules can block application network traffic during the Windows start process, which can cause issues. See KB90765 for a known issue with this feature after you uninstall the ENS Firewall module.


Test by disabling the McAfee core networking rules
McAfee core networking rules allow some types of basic network traffic. For details about these rules, see the McAfee core networking rule group in the Endpoint Security Firewall, Rules policy. If you have a BLOCK or ALLOW rule that is not taking effect as expected, enable the Disable McAfee core networking rules option in the Endpoint Security Firewall, Options policy. Retest to confirm whether this action resolves the issue. With the ENS logging option Log all blocked traffic enabled, the FirewallEventMonitor.log file records the applicable rule names from the McAfee core networking rules group whenever any of these rules block or allow network traffic.

NOTE: McAfee does not recommend that you disable McAfee core network rules because it might cause network communication issues on the client, as noted when you enable this feature in the user interface: "Disabling McAfee core networking rules could disrupt network communications on the client."
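A small log summariser for the FirewallEventMonitor.log review described in the logging, "Block all untrusted executables" and core networking rules sections above. This is an added example, not McAfee code: it assumes the log is a series of blank-line-separated records made of "Field:  value" lines, including a "Message:" line that starts with Blocked or Allowed and a "Matched Rule:" line; the sample log below is constructed to that assumed layout, and only the rule name "Executable verification Rule" comes from the article.

```python
import re
from collections import Counter

# Constructed sample in the assumed record layout (not a real capture).
SAMPLE_LOG = r"""Time:  07/09/2019 09:12:33 AM
Path:  C:\Apps\Vendor\agent.exe
Message:  Blocked Incoming TCP - Source 10.1.1.5 : (55123) Destination 192.168.1.20 : (8443)
Matched Rule:  Block inbound to 8443

Time:  07/09/2019 09:12:40 AM
Path:  C:\Apps\Vendor\agent.exe
Message:  Blocked Outgoing TCP - Source 192.168.1.20 : (50001) Destination 203.0.113.9 : (443)
Matched Rule:  Executable verification Rule

Time:  07/09/2019 09:12:41 AM
Path:  C:\Windows\System32\svchost.exe
Message:  Allowed Outgoing UDP - Source 192.168.1.20 : (53211) Destination 192.168.1.1 : (53)
Matched Rule:  Allow DNS
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
GTI_EXEC_RULE = "Executable verification Rule"   # rule name quoted in the article

def parse_records(text):
    """Split the log into records: one dict of field -> value per blank-line-separated block."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        records.append(current)
    return records

def blocked_by_rule(text):
    """Count blocked entries per (matched rule, process path) to see which rule hits an application."""
    counts = Counter()
    for rec in parse_records(text):
        if rec.get("Message", "").startswith("Blocked"):
            counts[(rec.get("Matched Rule", ""), rec.get("Path", ""))] += 1
    return counts

def gti_untrusted_blocks(text):
    """Paths blocked by the GTI 'Block all untrusted executables' check."""
    return sorted({rec.get("Path", "") for rec in parse_records(text)
                   if rec.get("Matched Rule") == GTI_EXEC_RULE})
```

Run `blocked_by_rule(open(path).read())` against a real FirewallEventMonitor.log after adjusting FIELD to the record layout you actually see; rule names in the output that belong to the McAfee core networking rules group point at that section of this article.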

 
Collect data using McAfee Minimum Escalation Requirements (MER), FWInfo, AMTrace tools, and network capture software
Some advanced firewall issues might require a network packet trace while the issue is reproduced. When needed, capture two sets of data: one with the issue and one without it, to provide a working and a non-working scenario. You can compare the traces to determine any differences in network packet traffic. A set of data from the non-working scenario is usually the minimum required, unless Technical Support directs otherwise.
  1. Install network capture software on the test client.

    NOTE: Network capture issues have occurred in the past with the WinPcap software included with Wireshark. NETRESEC RawCap (www.netresec.com/?page=RawCap) is an alternative network capture software that you can use to avoid these issues.
     
  2. Obtain the McAfee AMTrace tool from KB86691.
  3. Enable debug logging within the ENS product. See KB86691.
  4. Enable the Log all blocked traffic and Log all allowed traffic logging options in the Firewall Options policy. Because of the increased activity of logging more network traffic, you might need to adjust the ENS log size limits (although this adjustment is usually not needed). Adjust the following ENS logging options in the ENS Common Options policy if needed:
    • Limit size (MB) of each of the debug log files - default size is 50 MB
    • Limit size (MB) of each of the activity log files - default size is 10 MB
  5. Start capturing a network trace.
  6. Start the AMTrace tool. There are multiple ways to run the AMTrace tool. Either run amtrace.exe to start or stop the tool manually, or use the following command-line switches:
    • To start: AMTrace.exe -b now -m 2GB
    • To stop: AMTrace -e
  7. Reproduce the issue.

    NOTE: Document the precise date and time of the issue being reproduced, for Technical Support log review.
     
  8. Stop the network trace capture.
  9. Stop the AMTrace tool.
  10. Collect a MER file from the system. The MER must include the ENS Firewall log files \ProgramData\McAfee\Endpoint Security\Logs\Firewall*.log.
  11. Collect appropriate network traffic and application details:
    • Source and destination IP addresses, including any other related network address details, if needed.
    • Source and destination port numbers, if applicable.
    • Application executable details, for example, vendor name, installation path, executable path, and file name.
    • Date and time of issue reproduction.
    • Any relevant BLOCK or ALLOW entries from the ENS Firewall log files, if applicable.
  12. At times, an exported copy of the ENS Firewall policies is needed for thorough analysis. The needed Firewall policies are usually the Firewall Rules or Options policies. If you can provide these policies for Technical Support to review, export them from the ePO console Policy Catalog menu, not the Firewall Catalog menu. Export the policies as policy XML files.
  13. Collect FWInfo data:
    1. Open a command prompt as an Administrator. For example, if you use Windows 10, type CMD in the Start search box, right-click Command Prompt, select Run as administrator, and click Yes.
    2. At the Administrator command prompt, run the following commands:

      ipconfig /all > c:\ipconfig.txt

      NOTE: fwinfo is located at: C:\Program Files\Common Files\McAfee\SystemCore\fwinfo.exe.
       
      fwinfo -configdisplay > c:\fwinfo-configdisplay1.txt
      fwinfo -ipconfig > c:\fwinfo-ipconfig1.txt
      fwinfo -policydisplayxml > c:\fwinfo-policydisplayxml1.txt


      NOTE: Run the following command on Windows Vista SP1 or later systems. The command creates a file named wfpstate.xml. Rename the file to wfpstate1.xml.

      netsh wfp show state
       
  14. Contact Technical Support and provide the data collected above for further analysis. See the "Related Information" section for contact details.