
Trellix Endpoint Security (ENS) for Linux Firewall

10.7.13 CLI Guide

NAME

mfefwcli - Trellix Endpoint Security (ENS) for Linux - Firewall command line tool

SYNOPSIS

mfefwcli --version

mfefwcli --fw [ on | off | status ]

mfefwcli --fw-mode [ regular | adaptive ]

mfefwcli --fw-rules-list

mfefwcli --fw-rule-add
    --index rule number
    --name "rule name"
    --action [ allow | deny ]
    --log
    --direction [ in | out | either ]
    --state [ enable | disable ]
    --notes "rule description"
    [ --local-single | --local-range | --local-cidr | --local-fqdn | --local-subnet | --local-local | --local-anyv4 | --local-trusted ] address-value
    [ --remote-single | --remote-range | --remote-cidr | --remote-fqdn | --remote-subnet | --remote-local | --remote-anyv4 | --remote-trusted ] address-value
    [ --proto protocol-name ]
    --local-service [ port | port range ]
    --remote-service [ port | port range ]
    --icmp-type [ value ]
    [ --schedule-status [ on | off ] ]
    [ --schedule-weekdays [ sun | mon | tue | wed | thu | fri | sat ] ]
    [ --schedule-start-time timestamp --schedule-end-time timestamp ]
    [ --schedule-offhour-action ]

mfefwcli --fw-rule-delete --index [ rule number ] [ --adaptive ] [ --force ]

mfefwcli --fw-inspect-ftp-traffic [ on | off ]

mfefwcli --fw-log-level [ disabled | info | debug ]

mfefwcli --fw-trusted-list [ --xml ]

mfefwcli --fw-trusted-add [ --single | --range | --cidr ] [ value ]

mfefwcli --fw-trusted-delete --index [ value ] [ --force ]

mfefwcli --showlogsettings

mfefwcli --setmaxproductlogsize [ n ]

mfefwcli --productlog [ enable | disable ]

mfefwcli --debuglog [ enable | disable ]

mfefwcli --usesyslog [ enable | disable ]

mfefwcli --log-allowed-traffic [ enable | disable ]

mfefwcli --log-blocked-traffic [ enable | disable ]

DESCRIPTION

mfefwcli is the command-line tool to configure Trellix Firewall for Linux.

When operating in managed mode, firewall configuration performed using this tool will be overwritten by the Trellix ePO - On-prem policy enforcement. Firewall rules created with mfefwcli will be retained when the retain client side rules option is configured in the Trellix ePO - On-prem policy.

OPTIONS

--version
    Prints the following information:
        Version of Trellix Firewall for Linux.
        License information.
        Copyright information.

--fw [ on | off | status ]
    Controls the firewall.
        on      Enables the firewall.
        off     Disables the firewall.
        status  Shows the following information:
                Status                    Whether the firewall is enabled or disabled.
                Mode                      Whether the firewall is in regular or adaptive mode.
                Retain Client Side Rules  Whether client side rules are enabled or disabled.
                FTP Inspection            Whether FTP inspection is enabled or disabled.
                Log Level                 The log level set for the product.

--xml
    Produces the CLI output in XML format.

--fw-mode [ regular | adaptive ]
    Configures the firewall to operate in regular or adaptive mode.
        regular   Configures the firewall in regular mode. Regular mode allows or blocks traffic strictly according to the defined policy.
        adaptive  Configures the firewall in adaptive mode. Adaptive mode allows all traffic and ensures that each new traffic flow is logged. This mode is used for fine-tuning the firewall policy.

Working with Firewall Rules

Options to list, create and edit firewall rules. Use the following options to create a more specific rule. Options marked with a * are mandatory. Omitting an option from the rule replaces it with its default value.

--fw-rules-list
    Lists the firewall rules, including firewall rule groups.

--fw-rule-add
    Adds a rule to the client side group. By specifying the rule number, it is possible to insert a rule at a particular index.
        --name*      Specifies the name of the rule. This is a mandatory option.
        --action*    Specifies the action, either allow or deny. This is a mandatory option.
        --log        Enables logging for the specified rule when a new packet matches the rule. Subsequent packets within the same connection are not logged.
        --direction  Specifies the direction (in, out or either) of the traffic to match in the rule. Only one can be specified.
        --state      Specifies either enable or disable. The default value is enable.
        --notes      Adds a description for the rule.

--fw-rule-delete
    Deletes the rule specified by the rule number. You must specify a rule number when using this option. It deletes the rule only from the client side group. In regular mode it is possible to delete a rule from the adaptive group by specifying the --adaptive parameter.
        --index     Specifies the number that corresponds to the rule in the output of the --fw-rules-list command.
        --force     Force-deletes the rule. If this option is not provided, the user is prompted to confirm the delete action.
        --adaptive  Deletes an adaptive rule. This option is applicable only in regular mode.

Local and Remote Address options

The naming convention of these options is local or remote, followed by a hyphen and the type of address being specified. For example, --local-single signifies that the local part of the address is being specified and the type of address is a single IPv4 address. If no option specifying a local and/or remote address is given, the default value of any IPv4 address is used for that part of the rule.

--local-single
    Specifies a single IPv4 address in address-value as the local address of the rule. You can specify multiple values separated by commas.

--local-range
    Specifies a contiguous IPv4 address range in address-value as the local address of the rule. You can specify multiple values separated by commas. For example: 10.1.10.0-10.1.10.20

--local-cidr
    Specifies a subnet in address-value as the local address of the rule. You can specify multiple values separated by commas. For example: 10.1.10.0/23

--local-subnet
    Specifies the local subnet of the machine as the local address of the rule. For example, if the IP address of the machine is 10.1.10.5 with a 24-bit mask, then 10.1.10.0/24 is used by the rule. This is determined while loading the rules.

--local-local
    Specifies the local address of the machine as the local address of the rule. For example, if the IP address of the machine is 10.1.10.5, then that address is used by the rule.

--local-anyv4
    Specifies any IPv4 address as the local address of the rule.

--local-trusted
    Specifies the list of trusted networks as the local address of the rule.

--remote-single
    Specifies a single IPv4 address in address-value as the remote address of the rule. You can specify multiple values separated by commas.

--remote-range
    Specifies a contiguous IPv4 address range (for example 10.1.10.0-10.1.10.20) in address-value as the remote address of the rule. You can specify multiple values separated by commas.

--remote-cidr
    Specifies a subnet (for example 10.1.10.0/23) in address-value as the remote address of the rule. You can specify multiple values separated by commas.

--remote-subnet
    Specifies the local subnet of the machine as the remote address of the rule. This can be specified only once. If the IP address of the machine is 10.1.10.5 with a mask of 24 bits, this is replaced by 10.1.10.0/24. This is determined at runtime while loading the rules.

--remote-local
    Specifies the local address of the machine as the remote address of the rule. This can be specified only once. The IP addresses of the machine are substituted at runtime.

--remote-anyv4
    Specifies any valid IPv4 address as the remote address of the rule.

--remote-trusted
    Specifies the list of trusted networks as the remote address of the rule.
--proto [ protocol name ]
    Specifies the protocol to match in a packet. If this option is not specified, the rule matches any protocol. The protocol name can be tcp, udp or icmp, or any other protocol name listed in /etc/protocols.

--local-service [ port | port range ]
    Specifies the local port or port range when the tcp or udp protocol is used. Multiple ports or port ranges can be specified as comma-separated values.

--remote-service [ port | port range ]
    Specifies the remote port or port range when the protocol is tcp or udp. Multiple ports or port ranges can be specified as comma-separated values.

--icmp-type value
    When the protocol is icmp, specifies the ICMP message type from the following values:
        0   Echo Reply
        3   Destination Unreachable
        4   Source Quench
        5   Redirect
        6   Alternate Host Address
        8   Echo Request
        9   Router Advertisement
        10  Router Selection
        11  Time Exceeded
        12  Parameter Problem
        13  Timestamp
        14  Timestamp Reply
        15  Information Request
        16  Information Reply
        17  Address Mask Request
        18  Address Mask Reply
        30  Traceroute
        31  Datagram Conversion Error
        32  Mobile Host Redirect
        33  IPv6 - Where Are You
        34  IPv6 - I Am Here
        35  Mobile Registration Request
        36  Mobile Registration Reply
        37  Domain Name Request
        38  Domain Name Reply
        39  SKIP
        40  Photuris

--schedule-status
    Enables the scheduler in the rule. The default value is off. To turn on the scheduler, specify the value as on.

--schedule-weekdays
    Specifies the days of the week on which this rule should match. If not specified, all days are matched. This option requires schedule-status to be on. The values are sun, mon, tue, wed, thu, fri and sat.

--schedule-start-time
    Specifies the time of day at which the rule becomes active. The timestamp must be specified as HH:MM in 24-hour format, where H stands for hours and M for minutes.

--schedule-end-time
    Specifies the time of day at which the rule becomes inactive. The timestamp must be specified as HH:MM in 24-hour format, where H stands for hours and M for minutes.

--schedule-offhour-action
    Specifies the rule action outside schedule-start-time and schedule-end-time. The default value is disable; in this state the rule is not in effect. To reverse the rule action, specify the value as reverse.

Inspection of FTP Traffic

--fw-inspect-ftp-traffic [ on | off ]
    Inspects FTP traffic and automatically allows the FTP data transfer.
        on   Inspects FTP traffic and automatically allows traffic related to the FTP data transfer.
        off  FTP traffic is not inspected. In this case, specific rules have to be added so that the FTP data transfer can succeed.

Setting log level

--fw-log-level [ disabled | info | debug ]
    Sets the log level of the firewall.
        disabled  Disables the firewall log.
        info      Sets the firewall log level to information.
        debug     Sets the firewall log level to debug.

Working with Trusted Networks

These options define the list of trusted networks in standalone mode. If they are used when running in managed mode, the list is replaced by the Trellix ePO policy after policy enforcement. The trusted networks list lets you create a list of hosts and networks that can be used in the local and/or remote part of the network options when defining a rule or group.

--fw-trusted-list
    Lists the entries currently configured in the trusted network list. It also lists the status of the trust local subnet option.

--fw-trusted-add
    Adds an entry to the trusted network list.
        --single  Specifies an IP address to add to the list.
        --range   Specifies an IP address range to add to the list. For example: 10.1.0.10-10.1.0.20
        --cidr    Specifies a network address to add to the list. For example: 10.1.0.0/24
        --include-local [ on | off ]  Adds the local subnet(s) of the machine to the list. This option is enabled by default. Use no to disable this option.

--fw-trusted-delete
    Deletes an entry from the trusted network list.
        --index  Specifies the number that corresponds to the trusted network in the output of the --fw-trusted-list command.
        --force  Force-deletes the trusted network. If this option is not provided, the user is prompted to confirm the delete action.

mfefwcli --showlogsettings
    Shows the current log settings.

mfefwcli --setmaxproductlogsize [n]
    Configures the maximum product log file size, where n is an integer in megabytes. n is a number between 1 and 999; the default value is 10.

mfefwcli --productlog [enable | disable]
    Enables or disables product logging. Allowed values are enable or disable.

mfefwcli --debuglog [enable | disable]
    Enables or disables debug logging. Allowed values are enable or disable.

mfefwcli --usesyslog [enable | disable]
    Enables or disables logging using syslog on the system. Allowed values are enable or disable.

mfefwcli --log-allowed-traffic [enable | disable]
    Enables or disables logging of all allowed traffic using syslog on the system. Allowed values are enable or disable.

mfefwcli --log-blocked-traffic [enable | disable]
    Enables or disables logging of all blocked traffic using syslog on the system. Allowed values are enable or disable.

EXAMPLES

mfefwcli --fw status

This command shows the following information:

Status: Enabled
Mode: Regular
Retain Client Side Rules: Enabled
FTP inspection: Enabled
Log Level: Info

mfefwcli --showlogsettings

This command shows the current log settings:

Debug Log : Disabled
Product Log : Enabled
Limit Log Size (MB) : 10
Use Syslog : Enabled
Log all Allowed traffic : Disabled
Log all Blocked traffic : Enabled
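The two outputs above are what an administrator would check after deployment. The following script is an added example, not part of the Trellix guide: it parses output in the format shown (label, colon, value) and reports settings that weaken enforcement or visibility, such as adaptive mode, a disabled firewall log, syslog turned off, or blocked traffic not being logged. The sample outputs are constructed from the guide's examples plus a weakened variant; the helper names (field, audit_fw_status, audit_log_settings) are ours.

```shell
#!/bin/sh
# Added example, not part of the Trellix CLI guide: audit the output of
# `mfefwcli --fw status` and `mfefwcli --showlogsettings` (formats as shown in
# the EXAMPLES section) and report settings that weaken enforcement or
# visibility. The sample outputs are constructed; on a real host feed the
# live output instead, e.g.  mfefwcli --fw status | audit_fw_status

# field LABEL: print the value after ':' on the line whose label equals LABEL
# (case-insensitive, surrounding blanks ignored); prints nothing if absent.
field() {
  awk -F: -v key="$1" '
    { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
    tolower(k) == tolower(key) {
      v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
    }'
}

# audit_fw_status: reads `--fw status` output on stdin, prints one finding per
# line; the exit status is the number of findings (0 = posture as expected).
audit_fw_status() {
  text=$(cat); n=0
  [ "$(printf '%s\n' "$text" | field Status)" = "Enabled" ] ||
    { echo "firewall disabled: no traffic is filtered"; n=$((n+1)); }
  [ "$(printf '%s\n' "$text" | field Mode)" = "Regular" ] ||
    { echo "adaptive mode: all traffic allowed and only logged (policy tuning mode)"; n=$((n+1)); }
  [ "$(printf '%s\n' "$text" | field "Log Level")" != "Disabled" ] ||
    { echo "firewall log level disabled: blocked connections leave no trace"; n=$((n+1)); }
  return $n
}

# audit_log_settings: the same check for `--showlogsettings` output.
audit_log_settings() {
  text=$(cat); n=0
  [ "$(printf '%s\n' "$text" | field "Use Syslog")" = "Enabled" ] ||
    { echo "syslog disabled: firewall events stay on the host only"; n=$((n+1)); }
  [ "$(printf '%s\n' "$text" | field "Log all Blocked traffic")" = "Enabled" ] ||
    { echo "blocked traffic is not logged"; n=$((n+1)); }
  [ "$(printf '%s\n' "$text" | field "Debug Log")" = "Disabled" ] ||
    { echo "debug log enabled: verbose, fast-growing logs meant for troubleshooting"; n=$((n+1)); }
  return $n
}

# Constructed samples: the guide's own example output, then a weakened variant.
GOOD_STATUS='Status: Enabled
Mode: Regular
Retain Client Side Rules: Enabled
FTP inspection: Enabled
Log Level: Info'

WEAK_STATUS='Status: Enabled
Mode: Adaptive
Retain Client Side Rules: Enabled
FTP inspection: Enabled
Log Level: Disabled'

GOOD_LOGS='Debug Log : Disabled
Product Log : Enabled
Limit Log Size (MB) : 10
Use Syslog : Enabled
Log all Allowed traffic : Disabled
Log all Blocked traffic : Enabled'

WEAK_LOGS='Debug Log : Enabled
Product Log : Enabled
Limit Log Size (MB) : 10
Use Syslog : Disabled
Log all Allowed traffic : Disabled
Log all Blocked traffic : Disabled'

# Stand-alone run: print the findings for the weakened samples
# (|| true keeps a non-zero finding count from aborting a `set -e` shell).
printf '%s\n' "$WEAK_STATUS" | audit_fw_status || true
printf '%s\n' "$WEAK_LOGS" | audit_log_settings || true
```

The finding count is returned as the exit status so the script can gate a deployment step (a non-zero status fails the check); the labels are matched case-insensitively because the guide itself capitalises "FTP Inspection" differently in the option description and in the example output.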

mfefwcli --fw on

Use this command to turn on the firewall.

mfefwcli --fw-rules-list

Use this command to list the firewall rules.

mfefwcli --fw-mode adaptive

Use this command to configure the firewall to run in adaptive mode.

mfefwcli --fw-rule-add --index 3 --name http_in --action allow --log --direction in --notes "allow inbound http" --remote-cidr 10.22.13.0/24 --proto tcp --local-service 80,443,8443-8445 --schedule-status on --schedule-weekdays sun,mon

This command creates a rule at position 3 in the client side group with the following configuration:

- The rule name is http_in
- The action is allow
- Logging is enabled
- Description is "allow inbound http"
- Media type is all
- Direction is inbound
- Remote address is any address from the subnet 10.22.13.0/24
- Local address is any address
- Protocol is TCP
- Local service is 80, 443 and the port range 8443-8445
- Remote service is any
- The schedule for this rule is enabled for Sunday and Monday from 00:00 hours to 23:59 hours
- The rule is disabled in off hours
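An invalid value in a rule-add command is only reported by mfefwcli's exit code (101 or 103, see EXIT CODES), so it helps to validate the pieces of a rule before the tool is called, especially when rules are generated by a provisioning script. The script below is an added example, not part of the Trellix guide: it checks the port list, CIDR block, weekday list and HH:MM times against the formats the guide specifies and assembles the command line for the rule shown above (with an explicit schedule window added; --notes is omitted for brevity). The helper names (valid_port_spec, valid_cidr, build_rule_cmd and so on) are ours; nothing here runs mfefwcli.

```shell
#!/bin/sh
# Added example, not part of the Trellix CLI guide: validate the parameters of
# a client-side rule before handing them to `mfefwcli --fw-rule-add`, and print
# the resulting command line for review. Option names follow the SYNOPSIS; the
# helper names are ours. Nothing here executes mfefwcli.

# A single TCP/UDP port: decimal, 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Comma-separated ports and port ranges, e.g. "80,443,8443-8445".
valid_port_spec() {
  spec=$1; old_ifs=$IFS; IFS=','; set -- $spec; IFS=$old_ifs
  [ $# -ge 1 ] || return 1
  for item in "$@"; do
    case "$item" in
      *-*) lo=${item%%-*}; hi=${item#*-}
           valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || return 1 ;;
      *)   valid_port "$item" || return 1 ;;
    esac
  done
}

# Dotted-quad IPv4 address.
valid_ipv4() {
  addr=$1; old_ifs=$IFS; IFS='.'; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# IPv4 CIDR block for --local-cidr / --remote-cidr, e.g. "10.22.13.0/24".
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  net=${1%%/*}; bits=${1#*/}
  valid_ipv4 "$net" || return 1
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ]
}

# Comma-separated --schedule-weekdays values.
valid_weekdays() {
  days=$1; old_ifs=$IFS; IFS=','; set -- $days; IFS=$old_ifs
  [ $# -ge 1 ] || return 1
  for d in "$@"; do
    case "$d" in sun|mon|tue|wed|thu|fri|sat) ;; *) return 1 ;; esac
  done
}

# HH:MM, 24-hour, for --schedule-start-time / --schedule-end-time.
valid_time() {
  case "$1" in [0-9][0-9]:[0-9][0-9]) ;; *) return 1 ;; esac
  h=${1%%:*}; m=${1#*:}
  [ "$h" -le 23 ] && [ "$m" -le 59 ]
}

# build_rule_cmd INDEX NAME ACTION DIRECTION REMOTE_CIDR PROTO LOCAL_PORTS WEEKDAYS START END
# Prints the mfefwcli command line on stdout, or returns 1 with a reason on stderr.
build_rule_cmd() {
  idx=$1 name=$2 action=$3 dir=$4 rcidr=$5 proto=$6 lports=$7 days=$8 start=$9 end=${10}
  case "$idx" in ''|*[!0-9]*) echo "bad index: $idx" >&2; return 1 ;; esac
  case "$action" in allow|deny) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
  case "$dir" in in|out|either) ;; *) echo "bad direction: $dir" >&2; return 1 ;; esac
  valid_cidr "$rcidr"       || { echo "bad remote cidr: $rcidr" >&2; return 1; }
  case "$proto" in tcp|udp) ;; *) echo "--local-service needs tcp or udp, got: $proto" >&2; return 1 ;; esac
  valid_port_spec "$lports" || { echo "bad port spec: $lports" >&2; return 1; }
  valid_weekdays "$days"    || { echo "bad weekdays: $days" >&2; return 1; }
  valid_time "$start" && valid_time "$end" || { echo "bad HH:MM: $start / $end" >&2; return 1; }
  printf 'mfefwcli --fw-rule-add --index %s --name %s --action %s --log --direction %s' \
    "$idx" "$name" "$action" "$dir"
  printf ' --remote-cidr %s --proto %s --local-service %s' "$rcidr" "$proto" "$lports"
  printf ' --schedule-status on --schedule-weekdays %s' "$days"
  printf ' --schedule-start-time %s --schedule-end-time %s\n' "$start" "$end"
}

# Stand-alone run: the rule from the EXAMPLES section with an 08:00-18:00 window.
build_rule_cmd 3 http_in allow in 10.22.13.0/24 tcp 80,443,8443-8445 sun,mon 08:00 18:00 || true
```

The checks mirror the guide's constraints rather than the tool's full grammar: a port range must be ascending, a CIDR prefix must be 0-32, and --local-service is only accepted together with tcp or udp, because the guide defines it only for those protocols.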


mfefwcli --fw-trusted-add --single 10.10.10.10

Use this command to add 10.10.10.10 to the trusted network list.

mfefwcli --setmaxproductlogsize 10

This command configures the maximum product log file size to 10 MB.

mfefwcli --productlog enable

This enables product logging.

mfefwcli --debuglog disable

This disables debug logging.

mfefwcli --usesyslog enable

This enables logging using syslog on the system.

EXIT CODES

The command exits with the following values:

0    The command executed successfully.
99   Help is not found for the specified option.
100  Error while parsing the command-line options.
101  Failed to execute the command because the option specified, or one of the values provided, is invalid.
103  Failed to execute the command. This can be due to a communication error in ESP, invalid options, or the Trellix Firewall for Linux service not running.
104  Failed to register with ESP. This can be due to the ESP service not running.
105  Failed to execute the command because the user does not have sudo or root privileges.
112  Failed to execute the command because no option was specified.
113  No change was made because the specified preference is already set.
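Exit code 113 matters for automation: a configuration script that re-applies a baseline on every run will see it whenever a setting is already in place, and must not treat it as a failure, while 105 (no root) or 104 (ESP not registered) should stop the run. The wrapper below is an added example, not part of the Trellix guide: it maps the documented exit codes to messages, treats 0 and 113 as "setting in effect", and enforces a small baseline (firewall on, regular mode, info log level, blocked traffic logged, syslog on). The MFEFWCLI variable, the helper names and the baseline itself are our assumptions; the variable lets the test run against a stub instead of the real tool.

```shell
#!/bin/sh
# Added example, not part of the Trellix CLI guide: translate mfefwcli exit
# codes (EXIT CODES section) and apply settings idempotently, treating 113
# ("preference already set") as success. MFEFWCLI names the command to run;
# it defaults to the real binary and may point at a stub for testing.
MFEFWCLI=${MFEFWCLI:-mfefwcli}

# exit_code_text CODE: the documented meaning of an mfefwcli exit status.
exit_code_text() {
  case "$1" in
    0)   echo "success" ;;
    99)  echo "help not found for the specified option" ;;
    100) echo "error while parsing the command-line options" ;;
    101) echo "invalid option or value" ;;
    103) echo "execution failed: ESP communication error, invalid options, or firewall service not running" ;;
    104) echo "failed to register with ESP (ESP service not running?)" ;;
    105) echo "sudo or root privileges required" ;;
    112) echo "no option specified" ;;
    113) echo "no change: preference already set" ;;
    *)   echo "undocumented exit code $1" ;;
  esac
}

# apply_setting ARGS...: run mfefwcli with ARGS. Returns 0 when the setting is
# in effect afterwards (exit 0 or 113); otherwise prints the reason on stderr
# and returns the tool's own exit code so the caller can decide what to do.
apply_setting() {
  if "$MFEFWCLI" "$@" >/dev/null 2>&1; then rc=0; else rc=$?; fi
  case "$rc" in
    0|113) return 0 ;;
  esac
  echo "mfefwcli $*: $(exit_code_text "$rc")" >&2
  return "$rc"
}

# enforce_baseline: apply the settings in order and stop at the first failure,
# returning its exit code. Every step is idempotent thanks to the 113 handling.
enforce_baseline() {
  apply_setting --fw on                      || return $?
  apply_setting --fw-mode regular            || return $?
  apply_setting --fw-log-level info          || return $?
  apply_setting --log-blocked-traffic enable || return $?
  apply_setting --usesyslog enable           || return $?
}

# Stand-alone use (requires the product and root privileges):
#   sudo sh this_script.sh && echo "baseline in effect"
# with the last line of the script being:  enforce_baseline
```

Stopping at the first failure is deliberate: once a step returns 105 or 104, every later step would fail for the same reason, and the first message already names the cause.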

COPYRIGHT

Copyright (C) 2016-2022 Musarubra US LLC. All Rights Reserved. May 2020.
