Options page

Enable and disable the Firewall module, set protection options, and define networks and trusted executables. See the settings in the Common module for logging configuration.

Note: Host Intrusion Prevention 8.0 can be installed on the same system as Endpoint Security version 10.5. If McAfee Host IPS Firewall is installed and enabled, Endpoint Security Firewall is disabled even if it is enabled in the policy settings.

Table 1: Option definitions

Section: Firewall
  Enable Firewall
    Enables and disables the Firewall module.

Section: Protection Options (Windows only)
  Allow traffic for unsupported protocols
    Allows all traffic that uses unsupported protocols. When disabled, all traffic using unsupported protocols is blocked.
  Allow only outgoing traffic until firewall services have started
    Allows outgoing traffic but no incoming traffic until the Firewall service starts on the client.
    CAUTION: If this option is disabled, Firewall allows all traffic before services are started, potentially leaving the system vulnerable.
  Allow bridged traffic
    Allows:
      - Incoming packets if the destination MAC address is in the supported VM MAC address range and is not a local MAC address on the system.
      - Outgoing packets if the source MAC address is in the supported MAC address range and is not a local MAC address on the system.
  Enable firewall intrusion alerts
    Displays alerts automatically when Firewall detects a potential attack.

Section: DNS Blocking
  Domain name
    Defines domain names to block. When applied, this setting adds a rule near the top of the firewall rules that blocks connections to the IP addresses resolving to the domain names.
      Add — Adds a domain name to the blocked list. Separate multiple domains with a comma (,) or a carriage return. You can use the * and ? wildcards. For example, *domain.com. Duplicate entries are removed automatically.
      Edit — Changes the selected item.
      Delete — Removes the selected domain name from the blocked list.
      Clear All — Removes all domain names from the blocked list.

Table 2: Advanced options

Section: Tuning Options
  Enable Adaptive mode
    Creates rules automatically to allow traffic.
    Tip: Best practice: Enable Adaptive mode temporarily on a few systems only while tuning Firewall. Enabling this mode might generate many client rules, which the McAfee ePO server must process, negatively affecting performance.
  Disable McAfee core networking rules (Windows only)
    Disables the built-in McAfee networking rules (in the McAfee core networking rule group). (Disabled by default)
    CAUTION: Enabling this option might disrupt network communications on the client.
  Retain existing user-added and Adaptive mode rules when this policy is enforced
    Retains rules created on the client system:
      - Automatically with Adaptive mode
      - Manually on a client system
    Select this option to prevent client-added rules from being removed when the policy is enforced from McAfee ePO.
  Log all blocked traffic (Windows only)
    Logs all blocked traffic to the Firewall event log (FirewallEventMonitor.log) on the Endpoint Security Client. (Enabled by default)
  Log all allowed traffic (Windows only)
    Logs all allowed traffic to the Firewall event log (FirewallEventMonitor.log) on the Endpoint Security Client. (Disabled by default)
    CAUTION: Enabling this option might negatively affect performance.

Section: McAfee GTI Network Reputation (Windows only)
  Treat McAfee GTI match as intrusion
    Treats traffic that matches the McAfee GTI block threshold setting as an intrusion. Enabling this option displays an alert, sends an event to the management server, and adds it to the Endpoint Security Client log file. Any IP address for a trusted network is excluded from McAfee GTI lookup. (Enabled by default)
  Log matching traffic
    Treats traffic that matches the McAfee GTI block threshold setting as a detection. Enabling this option sends an event to the management server and adds it to the Endpoint Security Client log file. Any IP address for a trusted network is excluded from McAfee GTI lookup. (Enabled by default)
  Block all untrusted executables
    Blocks all executables that are not signed or have an unknown McAfee GTI reputation.
  Incoming network-reputation threshold
  Outgoing network-reputation threshold
    Specifies the McAfee GTI rating threshold for blocking incoming or outgoing traffic from a network connection.
      Do not block — This site is a legitimate source or destination of content/traffic.
      High Risk — This source/destination sends or hosts potentially malicious content/traffic that McAfee considers risky.
      Medium Risk — This source/destination shows behavior that McAfee considers suspicious. Any content/traffic from the site requires special scrutiny.
      Unverified — This site appears to be a legitimate source or destination of content/traffic, but also displays properties suggesting that further inspection is necessary.

Section: Stateful Firewall
  Use FTP protocol inspection
    Allows FTP connections to be tracked so that they require only one firewall rule for outgoing FTP client traffic and incoming FTP server traffic. If not selected, FTP connections require a separate rule for incoming FTP client traffic and outgoing FTP server traffic.
  Number of seconds (1-240) before TCP connections time out
    Specifies the time, in seconds, that an unestablished TCP connection remains active if no more packets matching the connection are sent or received. The default number is 30. The valid range is 1–240.
  Number of seconds (1-300) before UDP and ICMP echo virtual connections time out
    Specifies the time, in seconds, that a UDP or ICMP Echo virtual connection remains active if no more packets matching the connection are sent or received. This timer resets to its configured value every time a packet that matches the virtual connection is sent or received. The default number is 30. The valid range is 1–300.

Section: Firewall Status Control (Windows only)
  Allow users to disable Firewall from the McAfee system tray icon
    Specifies that the user can disable and enable Firewall from the McAfee system tray icon instead of using the schedule. Select this option to display the Disable Endpoint Security Firewall menu option under Quick Settings in the McAfee system tray icon. When Firewall is disabled, the option is Enable Endpoint Security Firewall.
  Retain user-disabled Firewall status when this policy is enforced
    Retains the Firewall disabled status set on the client system. Select this option to prevent the Firewall enabled status in the policy from replacing the Firewall status set on the client when the policy is enforced from McAfee ePO.
  Require justification from users when managing Firewall from the McAfee system tray icon
    Requires that the user enter a reason when managing Firewall from the McAfee system tray icon. Select this option to prompt the user for a reason before allowing them to disable Firewall or enable timed groups.

Section: Defined Networks
  Defines network addresses, subnets, or ranges to use in rules and groups.
  Add Defined Network or +
    Adds a network address, subnet, or range to the defined networks list. Click Add Defined Network, then complete the fields to define the network. Click + to define subsequent networks.
  -
    Deletes the selected address from the defined networks list.
  Address type
    Specifies the address type of the network to define.
  Address
    Specifies the address of the network to define.
      Trusted — Allows all traffic from the network, regardless of rules.
      Not trusted — Adds the network to the list of defined networks for creating rules.
    Tip: Best practice: To control traffic to Defined Networks that aren't trusted, associate them with firewall rules.

Section: Trusted Executables (Windows only)
  Specifies executables that are safe in any environment and have no known vulnerabilities. These executables are allowed to perform all operations except operations that suggest that the executables have been compromised. Configuring a trusted executable creates a bi-directional Allow rule for that executable at the top of the Firewall rules list.
  Add — Adds a trusted executable.
  Actions:
    Edit — Changes the selected item.
    Delete — Removes the executable from the trusted list.
  Address type — Specify the address type for a defined network.
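The DNS Blocking entry above describes the list format (comma- or carriage-return separated, * and ? wildcards, duplicates dropped) but not how a wildcard entry such as *domain.com actually matches. The following is an added model, not McAfee code; it assumes glob-style semantics (* matches any run of characters, ? exactly one) and case-insensitive comparison, which is an assumption about the product. It shows the check an administrator should run before deploying an entry: *domain.com also catches names that merely end in "domain.com".

```python
"""Added model of the DNS Blocking list (assumption: glob-style wildcard matching)."""
import re
from typing import List, Optional


def parse_blocklist(text: str) -> List[str]:
    """Split on comma or carriage return / newline, normalise, drop duplicates (first wins)."""
    seen, entries = set(), []
    for raw in re.split(r"[,\r\n]+", text):
        entry = raw.strip().lower().rstrip(".")
        if entry and entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a * / ? wildcard entry into a regex anchored over the whole host name."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def first_match(blocklist: List[str], name: str) -> Optional[str]:
    """Return the entry that would block `name`, or None if no entry matches."""
    name = name.strip().lower().rstrip(".")
    for entry in blocklist:
        if pattern_to_regex(entry).fullmatch(name):
            return entry
    return None


# Constructed sample policy input: mixed separators, mixed case and a duplicate.
SAMPLE = "*domain.com, Evil.example\r\nevil.example\r\nc?.bad.test"

if __name__ == "__main__":
    entries = parse_blocklist(SAMPLE)
    for host in ["mail.domain.com", "notmydomain.com", "c2.bad.test", "safe.example"]:
        print(host, "->", first_match(entries, host))
```

Running it shows that "notmydomain.com" is blocked by the *domain.com entry; if that is not intended, use *.domain.com together with a separate domain.com entry.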
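The Stateful Firewall section states that a UDP or ICMP Echo virtual connection stays open for the configured number of seconds (1–300, default 30) and that the timer resets on every matching packet. The following is an added, simplified model written for this page, not Endpoint Security code; it assumes a flow is keyed by protocol, remote address and port pair, and that only locally initiated packets open an entry. It shows why an unsolicited inbound datagram is dropped, why a steady reply stream never expires, and how the idle timer is enforced.

```python
"""Added model of the UDP / ICMP Echo virtual-connection timer (simplified assumption)."""
from typing import Dict, Tuple

# (protocol, remote_ip, local_port, remote_port); for ICMP Echo the ports carry the echo id
FlowKey = Tuple[str, str, int, int]


class VirtualConnectionTable:
    def __init__(self, timeout_seconds: int = 30):
        # Policy range from the Options page: 1-300 seconds, default 30.
        if not 1 <= timeout_seconds <= 300:
            raise ValueError("UDP/ICMP echo timeout must be 1-300 seconds")
        self.timeout = timeout_seconds
        self.expires_at: Dict[FlowKey, float] = {}

    def _expire(self, now: float) -> None:
        """Drop every virtual connection whose idle timer has run out."""
        for key in [k for k, exp in self.expires_at.items() if exp <= now]:
            del self.expires_at[key]

    def outbound(self, key: FlowKey, now: float) -> None:
        """A locally sent packet opens the virtual connection, or refreshes its timer."""
        self._expire(now)
        self.expires_at[key] = now + self.timeout

    def inbound_allowed(self, key: FlowKey, now: float) -> bool:
        """A reply is allowed only while its virtual connection is live; a matching
        reply also resets the idle timer to the configured value."""
        self._expire(now)
        if key in self.expires_at:
            self.expires_at[key] = now + self.timeout
            return True
        return False

    def live_count(self) -> int:
        return len(self.expires_at)


if __name__ == "__main__":
    table = VirtualConnectionTable(30)
    dns = ("udp", "203.0.113.5", 51000, 53)      # constructed DNS query flow
    table.outbound(dns, 0.0)
    print("reply at t=10 allowed:", table.inbound_allowed(dns, 10.0))   # True
    print("reply at t=35 allowed:", table.inbound_allowed(dns, 35.0))   # True, timer was reset at 10
    print("reply at t=70 allowed:", table.inbound_allowed(dns, 70.0))   # False, idle since 35
```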