FAQs for Endpoint Security Firewall "Disable McAfee core networking rules" feature

This article provides detailed information about the ENS Firewall feature "Disable McAfee core networking rules".

Recent updates to this article

Date	Update
February 13, 2020	Added a note that ENS Firewall 10.7.0 and later merges the multiple "Allow McAfee signed applications" firewall rules into a single firewall rule.

What is the ENS Firewall "Disable McAfee core networking rules" feature and its purpose?
This feature contains the core networking rules provided by McAfee. It includes firewall rules to allow several types of network traffic related to critical system processes, other McAfee applications, DHCP, Domain Name System (DNS), loopback, and broadcast.

 
What firewall rules are included in the "McAfee core networking" group?
The following firewall rules are included the "McAfee core networking" group:

NOTE: With ENS Firewall 10.7.0 and later, the multiple "Allow McAfee signed applications" firewall rules listed below have been merged into a single firewall rule.

• Allow outbound system applications - Allows outbound network traffic for the Windows SYSTEM executable process.
• Allow ARP traffic - Allows inbound and outbound network traffic for ARP (Address Resolution Protocol) packets (Ethernet Protocol 0x806).
• Allow EAPOL traffic - Allows inbound and outbound network traffic for EAPOL (Extensible Authentication Protocol over LAN) packets (Ethernet Protocol 0x888E).
• Allow outbound stock applications - Allows outbound network traffic for Windows critical processes (for example, services.exe, svchost.exe, lsass.exe, userinit.exe, winlogon.exe, alg.exe, spoolsv.exe, and dns.exe).
• Allow McAfee signed applications - Allows inbound and outbound network traffic related to McAfee products based on signer certificate value.
• Allow McAfee signed applications 2 - Allows inbound and outbound network traffic related to McAfee products based on signer certificate value.
• Allow McAfee signed applications 3 - Allows inbound and outbound network traffic related to McAfee products based on signer certificate value.
• Allow McAfee signed applications 4 - Allows inbound and outbound network traffic related to McAfee products based on signer certificate value.
• Allow outbound ICMPv4 traffic - Allows outbound network traffic related to the ICMPv4 transport protocol.
• Allow outbound ICMPv6 traffic - Allows outbound network traffic related to the ICMPv6 transport protocol.
• Allow outbound DNS traffic - Allows outbound network traffic related to remote host UDP Port 53 (default port for DNS resolution).
• Allow inbound traffic from special IP addresses - Allows inbound network traffic for the special IP address 0.0.0.0 (IPv4 and IPv6); see https://en.wikipedia.org/wiki/0.0.0.0 for more details about this special IP address.
• Allow outbound loopback and broadcast traffic - Allows outbound network traffic related to IPv4/IPv6 loopback and broadcast traffic.
• Allow reserved IP traffic - Allows inbound and outbound network traffic for the RESERVED Transport Protocol 255 (0xFF); see https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers for more details.
• Allow outbound BOOTP traffic - Allows outbound network traffic for BOOTP and DHCP traffic (UDP port 67 and 68).
• Allow outbound DHCPv6 traffic - Allows outbound network traffic for DHCPv6 traffic (UDP port 546 and 547).

 
Why is "Disable McAfee core networking rules" available as a selectable feature in the ENS Firewall Options policy?
For customers that do not want to use this group of firewall rules, ENS allows the ability to disable them through ePolicy Orchestrator (ePO) policy or local configuration. When you enable the "Disable McAfee core networking rules" feature, the pop-up message Disabling McAfee core networking rules could disrupt network communications on the client displays in the ePO server and the local ENS client console. This message is a warning about potential network disruption issues. By disabling this group of firewall rules, you might (although not guaranteed) experience network communication issues. These firewall rules allow critical Windows processes and their related network traffic. If they are disabled, it might affect features or functionality related to these processes, for example, printer jobs, interaction with DNS servers, and user logons. Perform thorough tests if this feature is enabled to make sure that no issues are discovered. 

Another important reason is to prevent the ENS Firewall from blocking McAfee Agent and other McAfee product network traffic. If a firewall policy issue occurs, for example, a poorly implemented or corrupt policy, the ENS Firewall must always allow McAfee Agent communications to the ePO server to obtain new policy updates and resolve policy-related issues. If the firewall did not have this feature, the potential alternatives would be twofold. The firewall could permanently block ePO server and McAfee Agent communications and policy updates, or not allow the system to connect to any networks. Either alternative might require manual intervention to the local system to remedy the issue.
 

After I enable the "Disable McAfee core networking rules" feature, why are all firewall rules inside the McAfee core networking group not disabled?
This fact is by design. The main McAfee core networking group itself remains enabled, while some of the firewall rules are disabled; other critical firewall rules are not disabled though. This design is to prevent the ENS Firewall from blocking the following specific types of critical application and non-application network traffic that could potentially cause major outages. Examples are a system that is unable to connect or obtain an IP address from the local network.

• Always allow network communications for McAfee Agent and other McAfee-signed applications.
• Always allow ARP network traffic.
• Always allow BOOTP and DHCP (UDP port 67 and 68) traffic for systems to obtain an IP address dynamically (if not using static IP address assignments).

 
Which McAfee core networking firewall rules are not disabled when I enable the "Disable McAfee core networking rules" feature?
The following rules are not disabled:

• Allow ARP traffic
• Allow McAfee signed applications
• Allow McAfee signed applications 2
• Allow McAfee signed applications 3
• Allow McAfee signed applications 4
• Allow outbound BOOTP traffic

Can I modify or delete the McAfee core networking group or any of the firewall rules within the group?
Currently, modification of these rules is not an available feature. You can only enable or disable the group of firewall rules (with the above stated limitations).


If I enable the "Disable McAfee core networking rules" feature, what issues might arise?
Disabling this group of firewall rules might cause certain network traffic for critical processes to be blocked. Firewall configuration changes might be needed within the Firewall Options or Firewall Rules policy. The changes depend on what type of network traffic is blocked and how you want to allow the network traffic. For example, do you want to create specific firewall rules to allow the traffic, or allow it by generic Trusted Executable or Defined Networks (Trusted) rules.


Should I disable the McAfee core networking group for testing or production use?
Some customers might want to more tightly control network traffic via firewall rules (for example, allow DNS-related traffic to only specific DNS server IP addresses), so disabling the McAfee core networking group is an option. But, be aware of what type of issues might occur when these McAfee core networking group firewall rules are disabled. Make sure that you perform thorough tests before you implement a policy that has this feature enabled in production environments. You might need to create new or modify existing firewall rules in the policy to resolve any issues that occur.