This article provides detailed information about the ENS Firewall feature "Disable McAfee core networking rules".

Recent updates to this article

Date	Update
February 14, 2022	Updated the FAQ "Should I disable the core networking group for testing or production use?" that McAfee Enterprise doesn’t recommend that you disable core networking rules.

What is the ENS Firewall "Disable McAfee core networking rules" feature and its purpose?
This feature contains the core networking rules. It includes firewall rules to allow several types of network traffic related to:

• Critical system processes
• McAfee Enterprise applications
• DHCP
• Domain Name System (DNS)
• Loopback
• Broadcast

 
What firewall rules are included in the "McAfee core networking" group?
The following firewall rules are included the "McAfee core networking" group:

NOTE: With ENS Firewall 10.7.0 and later, the multiple "Allow McAfee signed applications" firewall rules listed below have been merged into a single firewall rule.

• Allow outbound system applications - Allows outbound network traffic for the Windows SYSTEM executable process.
• Allow ARP traffic - Allows inbound and outbound network traffic for ARP (Address Resolution Protocol) packets (Ethernet Protocol 0x806).
• Allow EAPOL traffic - Allows inbound and outbound network traffic for EAPOL (Extensible Authentication Protocol over LAN) packets (Ethernet Protocol 0x888E).
• Allow outbound stock applications - Allows outbound network traffic for Windows critical processes (for example, services.exe, svchost.exe, lsass.exe, userinit.exe, winlogon.exe, alg.exe, spoolsv.exe, and dns.exe).
• Allow McAfee signed applications - Allows inbound and outbound network traffic related to McAfee Enterprise products based on signer certificate value.
• Allow McAfee signed applications 2 - Allows inbound and outbound network traffic related to McAfee Enterprise products based on signer certificate value.
• Allow McAfee signed applications 3 - Allows inbound and outbound network traffic related to McAfee Enterprise products based on signer certificate value.
• Allow McAfee signed applications 4 - Allows inbound and outbound network traffic related to McAfee Enterprise products based on signer certificate value.
• Allow outbound ICMPv4 traffic - Allows outbound network traffic related to the ICMPv4 transport protocol.
• Allow outbound ICMPv6 traffic - Allows outbound network traffic related to the ICMPv6 transport protocol.
• Allow outbound DNS traffic - Allows outbound network traffic related to remote host UDP Port 53 (default port for DNS resolution).
• Allow inbound traffic from special IP addresses - Allows inbound network traffic for the special IP address 0.0.0.0 (IPv4 and IPv6). For more information, see this article on special IP address 0.0.0.0.
• Allow outbound loopback and broadcast traffic - Allows outbound network traffic related to IPv4/IPv6 loopback and broadcast traffic.
• Allow reserved IP traffic - Allows inbound and outbound network traffic for the RESERVED Transport Protocol 255 (0xFF). For more information, see this article on IP protocol numbers.
• Allow outbound BOOTP traffic - Allows outbound network traffic for BOOTP and DHCP traffic (UDP port 67 and 68).
• Allow outbound DHCPv6 traffic - Allows outbound network traffic for DHCPv6 traffic (UDP port 546 and 547).

 
Why is "Disable McAfee core networking rules" available as a selectable feature in the ENS Firewall Options policy?
For customers that don't want to use this group of firewall rules, ENS allows the ability to disable them through ePolicy Orchestrator (ePO) policy or local configuration. When you enable the "Disable McAfee core networking rules" feature, the pop-up message Disabling McAfee core networking rules could disrupt network communications on the client displays in the ePO server and the local ENS client console. This message is a warning about potential network disruption issues. By disabling this group of firewall rules, you might (although not guaranteed) experience network communication issues. These firewall rules allow critical Windows processes and their related network traffic. If they're disabled, it might affect features or functionality related to these processes. For example, printer jobs, interaction with DNS servers, and user logons. Perform thorough tests if this feature is enabled to make sure that there are no issues. 

Another important reason is to prevent the ENS Firewall from blocking McAfee Agent and other McAfee Enterprise product network traffic. If a firewall policy issue occurs, for example, a poorly implemented or corrupt policy, the ENS Firewall must always allow McAfee Agent communications to the ePO server to obtain new policy updates and resolve policy-related issues. If the firewall didn't have this feature, the potential alternatives would be twofold. The firewall could permanently block ePO server and McAfee Agent communications and policy updates, or not allow the system to connect to any networks. Either alternative might require manual intervention to the local system to remedy the issue.
 

After I enable the "Disable McAfee core networking rules" feature, why are all firewall rules inside the McAfee core networking group not disabled?
This behavior is by design. The main core networking group itself remains enabled, while some of the firewall rules are disabled. Other critical firewall rules aren't disabled though. This design is to prevent the ENS Firewall from blocking the following specific types of critical application and non-application network traffic that could potentially cause major outages. Examples are a system that is unable to connect or obtain an IP address from the local network.

• Always allow network communications for McAfee Agent and other McAfee-signed applications.
• Always allow ARP network traffic.
• Always allow BOOTP and DHCP (UDP port 67 and 68) traffic for systems to obtain an IP address dynamically (if not using static IP address assignments).

 
Which core networking firewall rules aren't disabled when I enable the "Disable McAfee core networking rules" feature?
The following rules aren't disabled:

• Allow ARP traffic
• Allow McAfee signed applications
• Allow McAfee signed applications 2
• Allow McAfee Esigned applications 3
• Allow McAfee signed applications 4
• Allow outbound BOOTP traffic

Can I modify or delete the core networking group or any of the firewall rules within the group?
Currently, modification of these rules isn't an available feature. You can only enable or disable the group of firewall rules (with the above stated limitations).


If I enable the "Disable McAfee core networking rules" feature, what issues might arise?
Disabling this group of firewall rules might cause certain network traffic for critical processes to be blocked. Firewall configuration changes might be needed within the Firewall Options or Firewall Rules policy. The changes depend on what type of network traffic is blocked and how you want to allow the network traffic. For example, do you want to create specific firewall rules to allow the traffic, or allow it by generic Trusted Executable or Defined Networks (Trusted) rules.


Should I disable the core networking group for testing or production use?
Some customers might want to more tightly control network traffic via firewall rules. For example, allow DNS-related traffic to only specific DNS server IP addresses. So, disabling the core networking group is an option. But, McAfee Enterprise doesn’t recommend that you disable core networking rules. It might cause network communication issues on the client, as noted with the pop-up message that occurs when you enable this feature in the user interface:
 
Be aware of what type of issues might occur when these core networking group firewall rules are disabled. Make sure that you perform thorough tests before you implement a policy that has this feature enabled in production environments. You might need to create or modify firewall rules to resolve any issues that occur.