Firewall — Options

Enable and disable the Firewall module, set protection options, and define networks and trusted executables.

To reset the settings to the McAfee default settings and cancel your changes, click Reset to Default.

Note: Host Intrusion Prevention 8.0 can be installed on the same system as Endpoint Security version 10.6. If McAfee Host IPS Firewall is installed and enabled, Endpoint Security Firewall is disabled even if enabled in the settings.
Options

Option: Enable Firewall
Definition: Enables and disables the Firewall module.
(Enabled by default)

Section: Protection Options

Option: Allow traffic for unsupported protocols
Definition: Allows all traffic that uses unsupported protocols. When disabled, all traffic using unsupported protocols is blocked.
(Disabled by default)

Option: Allow only outgoing traffic until firewall services have started
Definition: Allows outgoing traffic but no incoming traffic until the Firewall service starts.
Caution: If this option is disabled, Firewall allows all traffic before services are started, potentially leaving the system vulnerable.

Option: Allow bridged traffic
Definition: Allows:
  • Incoming packets if the destination MAC address is in the supported VM MAC address range and is not a local MAC address on the system.
  • Outgoing packets if the source MAC address is in the supported MAC address range and is not a local MAC address on the system.
(Disabled by default)

Option: Enable firewall intrusion alerts
Definition: Displays alerts automatically when Firewall detects a potential attack.
(Enabled by default)

Section: DNS Blocking

Option: Domain name
Definition: Defines domain names to block.

When applied, this setting adds a rule near the top of the firewall rules that blocks connections to the IP addresses resolving to the domain names.

  • Add — Adds a domain name to the blocked list. Separate multiple domains with a comma (,) or a carriage return.
    You can use the * and ? wildcards. For example, *domain.com.
    Duplicate entries are removed automatically.
  • Double-click an item — Changes the selected item.
  • Delete — Removes the selected domain name from the blocked list.
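The following Python is an added illustration, not McAfee's code, of how a Domain name field as described above can be turned into a block rule: it splits entries on commas or line breaks, drops duplicates, treats * and ? as glob wildcards, and collects the addresses that blocked names resolve to. The glob semantics and the resolver snapshot are assumptions constructed for the example.

```python
from __future__ import annotations
import re

def parse_domain_list(field_text: str) -> list[str]:
    """Split the Domain name field on commas or line breaks, normalise each
    entry, and drop duplicates while keeping first-seen order (the UI removes
    duplicates automatically)."""
    seen, entries = set(), []
    for raw in re.split(r"[,\r\n]+", field_text):
        entry = raw.strip().lower().rstrip(".")
        if entry and entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate * (any run of characters) and ? (exactly one character) into a
    regex anchored over the whole hostname; everything else matches literally.
    Caveat under these assumed glob semantics: '*domain.com' also matches
    'otherdomain.com'; use '*.domain.com' to restrict the match to subdomains."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")

class DnsBlockList:
    """Constructed model of the DNS Blocking rule: a hostname matching any
    pattern is blocked, and the IPs it resolves to form the generated rule."""
    def __init__(self, field_text: str):
        self.patterns = parse_domain_list(field_text)
        self._regexes = [wildcard_to_regex(p) for p in self.patterns]

    def is_blocked(self, hostname: str) -> bool:
        host = hostname.strip().lower().rstrip(".")
        return any(rx.match(host) for rx in self._regexes)

    def blocked_addresses(self, resolutions: dict[str, list[str]]) -> set[str]:
        """Given a hostname -> IP list snapshot, return the address set the
        generated firewall rule would block."""
        return {ip for host, ips in resolutions.items() if self.is_blocked(host) for ip in ips}

# Constructed sample input: comma- and newline-separated, with one duplicate.
SAMPLE_FIELD = "*evil-example.test, ads.example.test\r\nads.example.test\nc?.example.test"
SAMPLE_RESOLUTIONS = {  # constructed resolver snapshot (documentation-range addresses)
    "www.evil-example.test": ["203.0.113.10"],
    "ads.example.test": ["203.0.113.20", "203.0.113.21"],
    "c7.example.test": ["203.0.113.30"],
    "c10.example.test": ["203.0.113.31"],
    "safe.example.test": ["198.51.100.5"],
}

if __name__ == "__main__":
    bl = DnsBlockList(SAMPLE_FIELD)
    print(bl.patterns, sorted(bl.blocked_addresses(SAMPLE_RESOLUTIONS)))
```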
Advanced options

Section: Tuning Options

Option: Enable Adaptive mode
Definition: Creates rules automatically to allow traffic.
(Disabled by default)
Tip: Best practice: Enable Adaptive mode temporarily on a few systems only while tuning Firewall.

Option: Disable McAfee core networking rules
Definition: Disables the built-in McAfee networking rules (in the McAfee core networking rule group).
(Disabled by default)
Caution: Enabling this option might disrupt network communications on the client system.

Option: Log all blocked traffic
Definition: Logs all blocked traffic to the Firewall event log (FirewallEventMonitor.log) on the client system.
(Enabled by default)

Option: Log all allowed traffic
Definition: Logs all allowed traffic to the Firewall event log (FirewallEventMonitor.log) on the client system.
(Disabled by default)
Caution: Enabling this option might negatively affect performance.

Section: McAfee GTI Network Reputation

Option: Treat McAfee GTI match as intrusion
Definition: Treats traffic that matches the McAfee GTI block threshold setting as an intrusion and displays an alert.
Any IP address for a trusted network is excluded from McAfee GTI lookup.
(Enabled by default)

Option: Log matching traffic
Definition: Treats traffic that matches the McAfee GTI block threshold setting as a detection and displays an event in the Event Log on the Endpoint Security Client.
Any IP address for a trusted network is excluded from McAfee GTI lookup.
(Enabled by default)

Option: Block all untrusted executables
Definition: Blocks network activity from all executables that are not signed or have a malicious reputation.
(Disabled by default)
Note: Best practice: To allow a trusted unsigned executable, add it to the Trusted Executables list.

Option: Incoming network-reputation threshold
Option: Outgoing network-reputation threshold
Definition: Specifies the McAfee GTI rating threshold for blocking incoming or outgoing traffic from a network connection.
  • Do not block (Default) — This site is a legitimate source or destination of content/traffic.
  • High Risk — This source/destination sends or hosts potentially malicious content/traffic that McAfee considers risky.
  • Medium Risk — This source/destination shows behavior that McAfee considers suspicious. Any content/traffic from the site requires special scrutiny.
  • Unverified — This site appears to be a legitimate source or destination of content/traffic, but also displays properties suggesting that further inspection is necessary.

Option: If McAfee GTI ratings server is not reachable
Definition: Specifies whether to block or allow traffic by default if McAfee GTI is not available:
  • Block traffic (Default) — Blocks all traffic if Firewall can't reach the McAfee GTI server.
  • Allow traffic unless specifically blocked by rules — Allows all traffic unless specifically blocked by a firewall rule.

Section: Stateful Firewall

Option: Use FTP protocol inspection
Definition: Allows FTP connections to be tracked so that they require only one firewall rule for outgoing FTP client traffic and incoming FTP server traffic.
If not selected, FTP connections require a separate rule for incoming FTP client traffic and outgoing FTP server traffic.
(Enabled by default)

Option: Number of seconds (1-240) before TCP connections time out
Definition: Specifies the time, in seconds, that an unestablished TCP connection remains active if no more packets matching the connection are sent or received. The valid range is 1–240.

Option: Number of seconds (1-300) before UDP and ICMP echo virtual connections time out
Definition: Specifies the time, in seconds, that a UDP or ICMP Echo virtual connection remains active if no more packets matching the connection are sent or received. This option resets to its configured value every time a packet that matches the virtual connection is sent or received. The valid range is 1–300.

Section: Defined Networks
Defines network addresses, subnets, or ranges to use in rules and groups, or defines networks as trusted.
  • Add — Adds a network address, subnet, or range to the defined networks list.
    Click Add, then complete the fields in the row to define the network.
  • Double-click an item — Changes the selected item.
  • Delete — Deletes the selected address from the defined networks list.

Option: Address type
Definition: Specifies the address type of the network to define.

Option: Trusted
Definition:
  • Yes — Allows all traffic from the network.
    Firewall allows all traffic to and from trusted networks.
  • No — Defines the network for use in rules and groups. You can use networks defined as not trusted for the local or remote network criteria in a rule or group.
    Defining a network as not trusted adds those networks as exceptions to McAfee GTI rules in Firewall.
    Tip: Best practice: To control traffic to Defined Networks that aren't trusted, associate them with firewall rules or groups.

Option: Owner

Section: Trusted Executables
Specifies executables that are safe in any environment and have no known vulnerabilities. These executables are allowed to perform all operations except operations that suggest that the executables have been compromised.
Configuring a trusted executable creates a bi-directional Allow rule for that executable at the top of the Firewall rules list.
  • Add — Adds a trusted executable.
  • Double-click an item — Changes the selected item.
  • Delete — Removes the executable from the trusted list.
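As an added example, not McAfee's own code, the following Python models how the McAfee GTI Network Reputation settings described above combine into one per-connection decision: a threshold per direction, exclusion of trusted networks from the lookup, the fallback when the ratings server is unreachable, and the intrusion-alert and log flags. The severity order of the ratings and the rule that the threshold level and anything more severe is blocked are assumptions; "allow" here means only that reputation imposes no block, so the ordinary firewall rules still apply.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Sequence

class Rating(IntEnum):
    """McAfee GTI rating levels. The severity order is an assumption drawn from
    the threshold list on this page: Unverified < Medium Risk < High Risk."""
    UNVERIFIED = 1
    MEDIUM_RISK = 2
    HIGH_RISK = 3

DO_NOT_BLOCK = None  # threshold value standing for "Do not block (Default)"

@dataclass(frozen=True)
class Decision:
    action: str              # "allow" or "block"
    alert: bool = False      # raised when "Treat McAfee GTI match as intrusion" is on
    log_event: bool = False  # written when "Log matching traffic" is on

class GtiPolicy:
    def __init__(self, incoming_threshold: Optional[Rating], outgoing_threshold: Optional[Rating],
                 block_when_unreachable: bool = True, trusted_networks: Sequence[str] = (),
                 alert_on_match: bool = True, log_matches: bool = True):
        self.thresholds = {"in": incoming_threshold, "out": outgoing_threshold}
        self.block_when_unreachable = block_when_unreachable  # "Block traffic" is the default
        self.trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
        self.alert_on_match = alert_on_match
        self.log_matches = log_matches

    def decide(self, direction: str, peer_ip: str, rating: Optional[Rating]) -> Decision:
        """direction is "in" or "out"; rating is the GTI answer for peer_ip, or
        None when the ratings server could not be reached."""
        if any(ipaddress.ip_address(peer_ip) in net for net in self.trusted):
            return Decision("allow")   # trusted networks are excluded from GTI lookup
        threshold = self.thresholds[direction]
        if threshold is DO_NOT_BLOCK:
            return Decision("allow")   # reputation never decides for this direction
        if rating is None:
            # Ratings server not reachable: "Block traffic" fails closed; the
            # alternative leaves the decision to the firewall rules alone.
            return Decision("block" if self.block_when_unreachable else "allow")
        if rating >= threshold:        # assumed: threshold level and anything more severe
            return Decision("block", alert=self.alert_on_match, log_event=self.log_matches)
        return Decision("allow")
```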