Add Rule or Edit Rule, Add Group or Edit Group

Add or edit firewall rules and groups.

Section Option Definition Rule Group
Description Name Specifies the descriptive name of the item (required).
Status Enables or disables the item.
Specify actions Allow — Allows traffic through the firewall if the item is matched.
Block — Stops traffic from passing through the firewall if the item is matched.
Treat match as intrusion — Treats traffic that matches the rule as an intrusion and displays an alert.
Tip: Best practice: Don't enable this option for an Allow rule because it generates many alerts.
Log matching traffic — Treats traffic that matches the rule as a detection and displays an event in the Event Log on the Endpoint Security Client.
Direction Specifies the direction:
  • Either — Monitors both incoming and outgoing traffic.
  • In — Monitors incoming traffic.
  • Out — Monitors outgoing traffic.
Notes Provides more information about the item.
Location Enable location awareness Enables or disables location information for the group.
Name Specifies the name of the location (required).
Enable connection isolation Blocks traffic on network adapters that don't match the group when an adapter is present that does match the group.
Note: Settings for Transport and Executables aren't available for connection isolation groups.

One use of this option is to block traffic generated by potentially undesirable sources outside the corporate network from entering the corporate network. Blocking traffic in this way is possible only if a rule preceding the group in the firewall hasn't already allowed it.

When connection isolation is enabled, and a NIC matches the group, traffic is allowed only when one of the following applies:

  • Traffic matches an Allow Rule before the group.
  • Traffic traversing a NIC matches the group and there is a rule in or below the group that allows the traffic.

If no NIC matches the group, the group is ignored and rule matching continues.
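The matching order described above can be checked with a small model. This is an added example, not McAfee code: the `Rule` and `IsolationGroup` classes, the adapter names and the DNS suffixes are hypothetical, a group is matched on one location criterion only (the connection-specific DNS suffix), rules match on remote port only, and traffic that no rule matches is assumed to be blocked.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "block"
    remote_port: Optional[int] = None   # None = any port

    def matches(self, pkt):
        return self.remote_port in (None, pkt["remote_port"])

@dataclass
class IsolationGroup:
    name: str
    dns_suffix: str                     # the one location criterion modelled here
    rules: list = field(default_factory=list)

def evaluate(policy, nics, pkt):
    """Return (action, reason) for pkt under an ordered policy.

    nics maps adapter name -> connection-specific DNS suffix (constructed data).
    """
    for item in policy:
        if isinstance(item, Rule):
            if item.matches(pkt):
                return item.action, item.name   # includes Allow rules before the group
            continue
        if item.dns_suffix not in nics.values():
            continue                            # no NIC matches: group is ignored
        if nics[pkt["nic"]] != item.dns_suffix:
            return "block", f"isolated by {item.name}"   # adapter outside the group
        for rule in item.rules:                 # matching adapter: rules in the group
            if rule.matches(pkt):
                return rule.action, rule.name
        # no match inside the group: keep going with the rules below it
    return "block", "no rule matched"           # assumption: default deny

# Constructed policy and adapter sets for illustration.
POLICY = [
    Rule("allow-dns", "allow", 53),
    IsolationGroup("corp", "corp.example", [Rule("allow-https", "allow", 443)]),
    Rule("allow-ssh", "allow", 22),
]
DOCKED = {"eth0": "corp.example", "wlan0": "cafe.example"}   # corporate NIC present
ROAMING = {"wlan0": "cafe.example"}                          # no NIC matches the group
```

With the corporate adapter present, port 22 on `wlan0` is blocked by isolation; with only `wlan0` present the group is skipped and the same packet reaches `allow-ssh`.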

Location criteria
Note: If you specify more than one location-criteria parameter, all are applied to the location-aware group.
  • Connection-specific DNS suffix — Specifies a connection-specific DNS suffix in the format:
  • Default gateway — Specifies a single IP address for a default gateway in IPv4 or IPv6 format.
  • DHCP server — Specifies a single IP address for a DHCP server in IPv4 or IPv6 format.
  • DNS server — Specifies a single IP address for a domain name server in IPv4 or IPv6 format.
  • Primary WINS server — Specifies a single IP address for a primary WINS server in IPv4 or IPv6 format.
  • Secondary WINS server — Specifies a single IP address for a secondary WINS server in IPv4 or IPv6 format.
  • Domain reachability (HTTPS) — Requires that the specified domain is reachable using HTTPS.

    To determine whether the domain is reachable, Firewall checks that the domain has a valid SSL certificate. The location-aware group criteria match, and the rules are applied, only if the domain has a valid certificate.

  • Registry key — Specifies the registry key and key value.
    1. Click Add.
    2. In the Value column, specify the registry key in the format:


      • <ROOT> — Must use the full root name, such as HKEY_LOCAL_MACHINE, and not the shortened HKLM.
      • <KEY> — Is the key name under the root.
      • [VALUE_NAME] — Is the name of the key value. If no value name is included, it is assumed to be the default value.

Example formats:

  • IPv4: 192.168.254.200
  • IPv6: FD4A:A1B2:C3D4::E5F6
Networks Specifies the network host options that apply to the item.
Network protocol Specifies the network protocol that applies to the item.
Any protocol Allows both IP and non-IP protocols.

If a transport protocol or an application is specified, only IP protocols are allowed.

IP protocol Excludes non-IP protocols.
  • IPv4 protocol
  • IPv6 protocol

If neither checkbox is selected, any IP protocol applies. Both IPv4 and IPv6 can be selected.

Non-IP protocol Includes non-IP protocols only.
  • Select EtherType from list — Specifies an EtherType.
  • Specify custom EtherType — Specifies the four-character hexadecimal EtherType value of the non-IP protocol. See Ethernet Numbers for EtherType values. For example, enter 809B for AppleTalk, 8191 for NetBEUI, or 8037 for IPX.
Connection types Indicates if one or all connection types apply:
  • Wired
  • Wireless
  • Virtual

    A Virtual connection type is an adapter presented by a VPN or a virtual machine application, such as VMware, rather than a physical adapter.

Specify networks Specifies the networks that apply to the item.
  • Add — Creates and adds a network.
  • Double-click an item — Changes the selected item.
  • Delete — Removes the network from the list.
Transport Specifies transport options that apply to the item.
Transport protocol Specifies the transport protocol associated with the item.

Select the protocol, then click Add to add ports.

  • All protocols — Allows IP, non-IP, and unsupported protocols.
  • TCP and UDP — Select from the drop-down:
    • Local port — Specifies the local traffic service or port to which the item applies.
    • Remote port — Specifies the traffic service or port on another computer to which the item applies.

    Local port and Remote port can be:

    • A single service. For example, 23.
    • A range. For example, 1–1024.
    • A comma-separated list of single ports and ranges. For example, 80, 8080, 1–10, 8443 (up to 4 items).

    By default, rules apply to all services and ports.

  • ICMP — In the Message type drop-down, specify an ICMP message type. See ICMP.
  • ICMPv6 — In the Message type drop-down, specify an ICMP message type. See ICMPv6.
  • Other — Selects from a list of less common protocols.
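When reviewing an exported rule set it helps to test whether a given port falls inside a Local port or Remote port value. The following is an added example, not part of the product: the function names are hypothetical, it accepts either a hyphen or an en dash in ranges, assumes ports 0 to 65535 are valid, and treats an empty value as "all ports", matching the default described above.

```python
import re

MAX_ITEMS = 4                             # the page's limit for a comma-separated list
_DASH = re.compile(r"\s*[-\u2013]\s*")    # ASCII hyphen or en dash between range ends

def parse_port_spec(spec):
    """Return a list of (low, high) tuples; an empty spec means all ports."""
    if not spec.strip():
        return [(0, 65535)]               # default: rule applies to all ports
    items = [s.strip() for s in spec.split(",")]
    if len(items) > MAX_ITEMS:
        raise ValueError(f"more than {MAX_ITEMS} items: {spec!r}")
    ranges = []
    for item in items:
        parts = _DASH.split(item)
        if len(parts) > 2 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
            raise ValueError(f"not a port or range: {item!r}")
        low, high = int(parts[0]), int(parts[-1])
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"out of range or reversed: {item!r}")
        ranges.append((low, high))
    return ranges

def covers(spec, port):
    """True if the rule's port value includes the given port."""
    return any(low <= port <= high for low, high in parse_port_spec(spec))
```

A rule whose port field was left empty covers every port, which is the case worth flagging on an Allow rule.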
Executables Specifies the executables that apply to the rule.
  • Add — Creates and adds an executable.
  • Double-click an item — Changes the selected item.
  • Delete — Removes an executable from the list.
Schedule Specifies schedule settings for the rule or group.
Enable schedule Enables the schedule for the timed rule or group.

When the schedule is disabled, the rule or the rules in the group don't apply.

  • Start time — Specifies the start time to enable the schedule.
  • End time — Specifies the time to disable the schedule.
  • Days of the week — Specifies the days of the week to enable the schedule.

For start and end times, use a 24-hour clock style. For example, 13:00 = 1:00 p.m.

You can either schedule Firewall timed groups or allow the user to enable them from the McAfee system tray icon.

Disable schedule and enable the group from the McAfee system tray icon Specifies that the user can enable the timed group for a set number of minutes from the McAfee system tray icon instead of using the schedule.
Tip: Best practice: Use this option to allow broad network access, for example at a hotel, before a VPN connection can be established.

Selecting this option displays more menu options under Quick Settings in the McAfee system tray icon:

  • Enable Firewall Timed Groups — Enables timed groups for a set amount of time to allow access to the Internet before rules restricting access are applied. When timed groups are enabled, the option is Disable Firewall Timed Groups.

    Each time you select this option, you reset the time for the groups.

    Depending on settings, you might be prompted to provide the administrator with a reason for enabling timed groups.

  • View Firewall Timed Groups — Displays the names of the timed groups and the amount of time remaining for each group to be active.
Number of minutes (1-60) to enable the group Specifies the number of minutes (1–60) that the timed group is enabled after selecting Enable Firewall Timed Groups from the McAfee system tray icon.