Firewall — Options

Enable and disable the Firewall module, set protection options, and define networks and trusted executables.

To reset the settings to the McAfee default settings and cancel your changes, click Reset to Default.

See the settings in the Common module for logging configuration.

Note: Host Intrusion Prevention 8.0 can be installed on the same system as Endpoint Security version 10.5. If McAfee Host IPS Firewall is installed and enabled, Endpoint Security Firewall is disabled even if enabled in the policy settings.
Table 1: Options

Enable Firewall — Enables and disables the Firewall module.

Protection Options
Allow traffic for unsupported protocols — Allows all traffic that uses unsupported protocols. When disabled, all traffic using unsupported protocols is blocked.
Allow only outgoing traffic until firewall services have started — Allows outgoing traffic but no incoming traffic until the Firewall service starts.
CAUTION: If this option is disabled, Firewall allows all traffic before services are started, potentially leaving the system vulnerable.
Allow bridged traffic — Allows:
  • Incoming packets if the destination MAC address is in the supported VM MAC address range and is not a local MAC address on the system.
  • Outgoing packets if the source MAC address is in the supported MAC address range and is not a local MAC address on the system.
Enable firewall intrusion alerts — Displays alerts automatically when Firewall detects a potential attack.

DNS Blocking
Domain name — Defines domain names to block.

When applied, this setting adds a rule near the top of the firewall rules that blocks connections to the IP addresses resolving to the domain names.

  • Add — Adds a domain name to the blocked list. Separate multiple domains with a comma (,) or a carriage return.

    You can use the * and ? wildcards. For example, *domain.com.

    Duplicate entries are removed automatically.

  • Double-click an item — Changes the selected item.
  • Delete — Removes the selected domain name from the blocked list.
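The following is an added example (not McAfee's code) showing how a Domain name entry as described above is split on commas or line breaks, de-duplicated, and matched with the * and ? wildcards; it models the name matching only, not the resolution of names to blocked IP addresses. The sample policy text and host names are constructed.

```python
import fnmatch
import re


def parse_blocked_domains(text):
    """Split the Domain name field on commas or line breaks and drop
    duplicates (the option removes them automatically), keeping order."""
    seen, entries = set(), []
    for raw in re.split(r"[,\r\n]+", text):
        name = raw.strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            entries.append(name)
    return entries


def domain_matches(pattern, domain):
    """Match one entry against a host name using the * and ? wildcards the
    option supports (* = any run of characters, ? = exactly one character)."""
    return fnmatch.fnmatchcase(domain.lower().rstrip("."), pattern)


def blocking_entry(entries, domain):
    """Return the first entry that blocks `domain`, or None if it is allowed."""
    for entry in entries:
        if domain_matches(entry, domain):
            return entry
    return None


# Constructed sample input, as it might be typed into the Domain name field.
SAMPLE_POLICY = "*domain.com, ads.example.net\r\ntracker?.example.org\nads.example.net"

if __name__ == "__main__":
    entries = parse_blocked_domains(SAMPLE_POLICY)
    print("blocked list:", entries)
    # Note that *domain.com also matches baddomain.com, not only subdomains:
    # a leading wildcard with no dot before the name is broader than intended.
    for host in ("www.domain.com", "baddomain.com", "tracker1.example.org", "domain.org"):
        print(f"{host:24} -> {blocking_entry(entries, host) or 'allowed'}")
```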
Table 2: Advanced options

Tuning Options
Enable Adaptive mode — Creates rules automatically to allow traffic.
Tip: Best practice: Enable Adaptive mode temporarily on a few systems only while tuning Firewall. Enabling this mode might generate many client rules, which the McAfee ePO server must process, negatively affecting performance.
Disable McAfee core networking rules — Disables the built-in McAfee networking rules (in the McAfee core networking rule group).

(Disabled by default)

CAUTION: Enabling this option might disrupt network communications on the client.
Log all blocked traffic — Logs all blocked traffic to the Firewall event log (FirewallEventMonitor.log) on the Endpoint Security Client.

(Enabled by default)

Log all allowed traffic — Logs all allowed traffic to the Firewall event log (FirewallEventMonitor.log) on the Endpoint Security Client.

(Disabled by default)

CAUTION: Enabling this option might negatively affect performance.
McAfee GTI Network Reputation
Treat McAfee GTI match as intrusion — Treats traffic that matches the McAfee GTI block threshold setting as an intrusion. Enabling this option displays an alert, sends an event to the management server, and adds an entry to the Endpoint Security Client log file.

Any IP address for a trusted network is excluded from McAfee GTI lookup.

(Enabled by default)
Log matching traffic — Treats traffic that matches the McAfee GTI block threshold setting as a detection. Enabling this option sends an event to the management server and adds an entry to the Endpoint Security Client log file.

(Enabled by default)

Any IP address for a trusted network is excluded from McAfee GTI lookup.

Block all untrusted executables — Blocks all executables that are not signed or have an unknown McAfee GTI reputation.
Incoming network-reputation threshold, Outgoing network-reputation threshold — Specifies the McAfee GTI rating threshold for blocking incoming or outgoing traffic from a network connection.
  • Do not block — This site is a legitimate source or destination of content/traffic.
  • High Risk — This source/destination sends or hosts potentially malicious content/traffic that McAfee considers risky.
  • Medium Risk — This source/destination shows behavior that McAfee considers suspicious. Any content/traffic from the site requires special scrutiny.
  • Unverified — This site appears to be a legitimate source or destination of content/traffic, but also displays properties suggesting that further inspection is necessary.
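An added example (not McAfee's code) of how the GTI options above combine for one connection: the per-direction threshold, the trusted-network exclusion from the lookup, and the difference between "Treat McAfee GTI match as intrusion" and "Log matching traffic". It assumes the threshold names the least risky rating that is still blocked (Unverified < Medium Risk < High Risk); the policy key names and sample addresses are constructed.

```python
import ipaddress

# Assumed for this example: a threshold names the least risky rating that is
# still blocked, so "Unverified" blocks the most and "High Risk" the least.
# Ratings missing from this table count as below every threshold.
RISK_RANK = {"Unverified": 1, "Medium Risk": 2, "High Risk": 3}
THRESHOLDS = ("Do not block",) + tuple(RISK_RANK)

def in_trusted_network(ip, trusted_networks):
    """True if ip lies in any defined network marked Trusted = Yes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in trusted_networks)

def evaluate_gti(ip, direction, rating, policy):
    """Decide what Firewall does with one connection given its GTI rating.
    `direction` is "incoming" or "outgoing"; `policy` keys are constructed
    names for the options on this page."""
    threshold = policy[f"{direction}_threshold"]
    if threshold not in THRESHOLDS:
        raise ValueError(f"unknown threshold {threshold!r}")
    result = {"lookup": True, "block": False, "alert": False, "event": False, "log": False}
    # Trusted-network addresses are excluded from the GTI lookup entirely.
    if in_trusted_network(ip, policy["trusted_networks"]):
        result["lookup"] = False
        return result
    if threshold == "Do not block" or RISK_RANK.get(rating, 0) < RISK_RANK[threshold]:
        return result
    result["block"] = True
    if policy["treat_as_intrusion"]:   # alert + event + client log entry
        result.update(alert=True, event=True, log=True)
    if policy["log_matching"]:         # event + client log entry, no alert
        result.update(event=True, log=True)
    return result

# Constructed sample policy.
SAMPLE_POLICY = {
    "incoming_threshold": "Medium Risk",
    "outgoing_threshold": "High Risk",
    "trusted_networks": ["10.0.0.0/8"],
    "treat_as_intrusion": True,
    "log_matching": True,
}

if __name__ == "__main__":
    for ip, direction, rating in (("10.1.2.3", "incoming", "High Risk"),
                                  ("203.0.113.5", "incoming", "Medium Risk"),
                                  ("203.0.113.5", "outgoing", "Medium Risk")):
        print(ip, direction, rating, "->", evaluate_gti(ip, direction, rating, SAMPLE_POLICY))
```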
Stateful Firewall
Use FTP protocol inspection — Allows FTP connections to be tracked so that they require only one firewall rule for outgoing FTP client traffic and incoming FTP server traffic.

If not selected, FTP connections require a separate rule for incoming FTP client traffic and outgoing FTP server traffic.

Number of seconds (1–240) before TCP connections time out — Specifies the time, in seconds, that an unestablished TCP connection remains active if no more packets matching the connection are sent or received. The valid range is 1–240.
Number of seconds (1–300) before UDP and ICMP echo virtual connections time out — Specifies the time, in seconds, that a UDP or ICMP Echo virtual connection remains active if no more packets matching the connection are sent or received. This option resets to its configured value every time a packet that matches the virtual connection is sent or received. The valid range is 1–300.
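An added example (not McAfee's code) that models the two timeout options above: it validates the 1–240 and 1–300 ranges, keeps an idle timer per tracked connection that every matching packet resets, and shows when a packet falls back to rule matching because its state entry has expired. The 5-tuple keys are constructed, and the assumption that an established TCP connection is no longer subject to the unestablished-connection timer is the example's own.

```python
from dataclasses import dataclass, field

# Valid ranges stated for the two Stateful Firewall timeout options.
TCP_TIMEOUT_RANGE = (1, 240)
UDP_ICMP_TIMEOUT_RANGE = (1, 300)

def validate_timeout(value, low, high):
    """Reject a timeout outside the range the option accepts."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"timeout {value!r} not in {low}-{high}")
    return value

@dataclass
class StatefulTable:
    """Idle timers for unestablished TCP connections and for UDP / ICMP echo
    virtual connections. Keys are constructed 5-tuples."""
    tcp_timeout: int
    udp_icmp_timeout: int
    entries: dict = field(default_factory=dict)

    def __post_init__(self):
        validate_timeout(self.tcp_timeout, *TCP_TIMEOUT_RANGE)
        validate_timeout(self.udp_icmp_timeout, *UDP_ICMP_TIMEOUT_RANGE)

    def _expired(self, entry, now):
        # Assumption for this example: once the TCP handshake completes, the
        # unestablished-connection timer no longer applies to that entry.
        return not entry["established"] and now - entry["last_seen"] > entry["timeout"]

    def packet(self, key, proto, now, established=False):
        """Record a packet at time `now`. Returns True if it opened a new entry
        (so it had to match a rule), False if it matched existing state."""
        entry = self.entries.get(key)
        if entry is not None and self._expired(entry, now):
            del self.entries[key]  # idle too long: treat as a new connection
            entry = None
        opened = entry is None
        if opened:
            timeout = self.tcp_timeout if proto == "tcp" else self.udp_icmp_timeout
            entry = self.entries[key] = {"timeout": timeout, "established": False}
        entry["last_seen"] = now  # every matching packet resets the idle timer
        if proto == "tcp" and established:
            entry["established"] = True
        return opened

    def active(self, now):
        """Drop expired entries and return the keys still tracked at `now`."""
        for key in [k for k, e in self.entries.items() if self._expired(e, now)]:
            del self.entries[key]
        return set(self.entries)
```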
Defined Networks — Defines network addresses, subnets, or ranges to use in rules and groups.
  • Add — Adds a network address, subnet, or range to the defined networks list.

    Click Add, then complete the fields in the row to define the network.

  • Double-click an item — Changes the selected item.
  • Delete — Deletes the selected address from the defined networks list.
Address type — Specifies the address type of the network to define.
Trusted
  • Yes — Allows all traffic from the network.

    Defining a network as trusted creates a bi-directional Allow rule for that remote network at the top of the Firewall rules list.

  • No — Adds the network to the list of defined networks for creating rules.
Owner
Trusted Executables — Specifies executables that are safe in any environment and have no known vulnerabilities. These executables are allowed to perform all operations except operations that suggest that the executables have been compromised.

Configuring a trusted executable creates a bi-directional Allow rule for that executable at the top of the Firewall rules list.

  • Add — Adds a trusted executable.
  • Double-click an item — Changes the selected item.
  • Delete — Removes the executable from the trusted list.