How do I track the log files?
You can separately track the log files for command line interface (CLI)-based activities and firewall-based activities at the following locations:

• CLI: /opt/McAfee/ens/fw/var/mfw.log (10.6.6 and later) or /opt/McAfee/mfw/var/mfw.log (10.6.5 and earlier)
• Stateful firewall: /opt/McAfee/ens/fw/var/mfefirewall.log (10.6.6 and later) or /opt/McAfee/mfw/var/mfefirewall.log (10.6.5 and earlier)

How do I enable debug logging?
Use this command to enable debug logging:

 # /opt/McAfee/ens/fw/bin/mfefwcli --fw-log-level debug (10.6.6 and later) or # /opt/McAfee/mfw/bin/mfw --fw-log-level debug (10.6.5 and earlier)

Here’s an example debug log entry from mfefirewall.log:

Aug 23 11:58:40 ENSL-HOSTNAME DEBUG SFIptables [31933] Rule Name - , Rule Action - 1, Transport Protocol - 1024, Network Protocol - 1, Msg Type - 7, Rule Enable - 1, Log Enable - 1, matchCount - 2


How do I read firewall rule logs?
Here’s the log entry syntax: MFE_I/O_A/B_firewall_rule_name. The I/O indicates inbound or outbound. The A/B indicates allow or block. The firewall_rule_name provides the firewall rule name.


Where do I find logs relating to firewall rules?
Logs for firewall rules are accessible from three locations:

• /var/log/messages
• /var/log/firewall (for SUSE)
• /var/log/syslog (for Ubuntu)

How do I list the local firewall rules on the ENSLFW Linux client?
Use this command and view the rule log prefix in the Rule Log Prefix column:

# /opt/McAfee/ens/fw/bin/mfw --fw-rules-list (10.6.6 and later) or # /opt/McAfee/mfw/bin/mfw --fw-rules-list (10.6.5 and earlier)


How do I list the firewall rules?
Use this command to view the firewall rules:

# /opt/McAfee/ens/fw/bin/mfw --fw-rules-list --xml (10.6.6 and later) or # /opt/McAfee/mfw/bin/mfw --fw-rules-list --xml (10.6.5 and earlier)


How do I log firewall activity (for allowed or blocked network traffic) to the local log files?
In the firewall rule configuration settings, enable the Log matching traffic option.

NOTE: With ENSLFW 10.7, a new feature was added to enable logging for all allowed and blocked network traffic via the Firewall Options policy. See the Endpoint Security for Linux Firewall 10.7.0 Release Notes for details.


How do I log all blocked traffic?
By default, ENSLFW doesn't log all blocked traffic. If none of the ENSLFW rules match, all packets are dropped. By default, no log is created for this dropped traffic. To log the default dropped traffic, you must create a default drop rule in the Firewall policy as follows:

1. Select the Add rule option in the Firewall rules Policy Catalog to add a rule at the end of the policy.
2. Use the following settings for the rule:
   • Name: Default_Drop_Rule
   • Status: Enable
   • Action: Block
   • Enable "Log matching traffic"
   • Direction: In
   • Protocol: Any
   • Transport protocol: All protocols
   • Disable Scheduling
3. Click Save.
4. Move this rule to the end of the policy.
5. Enforce the rule on the Linux system by performing an agent wakeup.
6. Check the log settings with the following CLI command. Make sure Log all Blocked traffic is enabled. (This setting is enabled by default.)
   
   /opt/McAfee/ens/fw/bin/mfefwcli –showlogsettings
   
   If the setting is not enabled, execute the following command:
   
   /opt/McAfee/ens/fw/bin/mfefwcli --log-blocked-traffic enable

Can I trigger ePolicy Orchestrator (ePO) events for ENSFWL firewall rules?
Yes. For the firewall rule for which you want to trigger ePO events, enable the Treat match as Intrusion option.