EDR: How to Enable Firewalld Rejection Messages to Confirm Local Server Firewall is not Blocking Expected IP's
Article ID: 285721
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to enable deny messages in firewalld to confirm expected IP's are not being blocked at the local firewall level
Environment
- EDR: All Versions
- Linux: CentOS 7/8
- Linux: RHEL 7/8
Resolution
- Enable the capture of all denied messages
sudo firewall-cmd --set-log-denied=all
- Confirm it's set
sudo firewall-cmd --get-log-denied
- Attempt the connection to the server
- View the information to see if it is being rejected.
dmesg | egrep -i 'REJECT|DROP'
- If the expected source ip is not seen in the rejections
- Confirm the IP is not being blocked at Nginx level filtering: EDR: How to Manually Check or Edit the NGINX IP Filter List
- The issue is in between the source and the EDR server. Most likely a firewall in between. Please reach out to your network administrator for troubleshooting
Additional Information
- Example message of a Denied packet from firewalld
[87192.075367] FINAL_REJECT: IN=ens33 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.222.1 DST=192.168.222.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=30066 PROTO=UDP SPT=137 DPT=137 LEN=58
- This is used to confirm the ability to contact the server from sensor or webui. Often seen as rejects or timeouts by the source
To write these to a different log location for tracking
- Create a new file called /etc/rsyslog.d/firewall-drop.conf
- Add the following into the file
:msg,contains,"_DROP" /var/log/firewalld-drop.log :msg,contains,"_REJECT" /var/log/firewalld-drop.log & stop
- Restart the service to take affect
sudo systemctl restart rsyslog
- Drops will be written to /var/log/firewalld-drop.log
Feedback
Yes
No
Powered by
