EDR: How to Enable Firewalld Rejection Messages to Confirm the Local Server Firewall Is Not Blocking Expected IPs
Article ID: 285721
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to enable deny messages in firewalld to confirm that expected IPs are not being blocked at the local firewall level
Environment
EDR: All Versions
Linux: CentOS 7/8
Linux: RHEL 7/8
Resolution
Enable logging of all denied packets
sudo firewall-cmd --set-log-denied=all
Confirm the setting took effect (the command should print "all")
sudo firewall-cmd --get-log-denied
Attempt the connection to the server, then check the kernel log to see whether the packets are being rejected
dmesg | egrep -i 'REJECT|DROP'
If the expected source IP is not seen in the rejections:
Confirm the IP is not being blocked by the Nginx-level filtering: EDR: How to Manually Check or Edit the NGINX IP Filter List
If it is not blocked there either, the issue is between the source and the EDR server, most likely a firewall in between. Please reach out to your network administrator for troubleshooting.
Additional Information
Example message of a denied packet from firewalld, as written to the kernel log
[87192.075367] FINAL_REJECT: IN=ens33 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.222.1 DST=192.168.222.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=30066 PROTO=UDP SPT=137 DPT=137 LEN=58
This is used to confirm that a sensor or the web UI is able to contact the server. On the source side, a denied packet is usually seen as a connection reject or a timeout.
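The check in the Resolution steps (is the expected source IP among the rejects?) and the FINAL_REJECT line format above, worked as an added example that is not part of this article: a small parser for the firewalld deny lines in dmesg that reports, per source IP, which protocol/port was denied and which troubleshooting branch applies. The dmesg sample is constructed; only its first line copies the format shown above.

```python
import re
from collections import Counter

# Constructed sample of `dmesg` output (not a real capture). The first line
# repeats the FINAL_REJECT format shown in the article; the others are made up.
SAMPLE_DMESG = """\
[87192.075367] FINAL_REJECT: IN=ens33 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.222.1 DST=192.168.222.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=30066 PROTO=UDP SPT=137 DPT=137 LEN=58
[87201.114201] FINAL_REJECT: IN=ens33 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.5.17 DST=192.168.222.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4412 DF PROTO=TCP SPT=51022 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[87201.314300] FINAL_REJECT: IN=ens33 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.5.17 DST=192.168.222.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4413 DF PROTO=TCP SPT=51022 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[87210.000001] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# A denied line looks like "[timestamp] <PREFIX containing REJECT or DROP>: key=value ..."
DENIED_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+(?P<prefix>\S*(?:REJECT|DROP)\S*):\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_denied(dmesg_text):
    """Return one dict per REJECT/DROP line; unrelated kernel lines are skipped."""
    records = []
    for line in dmesg_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        rec = {"ts": float(m["ts"]), "prefix": m["prefix"]}
        # Bare flags (DF, SYN) have no '=' and are ignored; a repeated key
        # (the IP-header LEN and the UDP LEN) keeps the last value seen.
        rec.update(FIELD_RE.findall(m["rest"]))
        records.append(rec)
    return records


def rejects_from(dmesg_text, src_ip):
    """Denied records whose SRC equals src_ip exactly (10.0.5.1 must not match 10.0.5.17)."""
    return [r for r in parse_denied(dmesg_text) if r.get("SRC") == src_ip]


def denied_ports(dmesg_text, src_ip):
    """Count denied packets per (PROTO, DPT) for src_ip, e.g. {('TCP', '443'): 2}."""
    return Counter((r.get("PROTO"), r.get("DPT")) for r in rejects_from(dmesg_text, src_ip))


def next_step(dmesg_text, src_ip):
    """The article's decision: seen in the rejects -> the local firewall is the blocker;
    not seen -> check the Nginx IP filter list, then the network path to the server."""
    if rejects_from(dmesg_text, src_ip):
        return "local firewalld is rejecting this source: review the zone and rich rules"
    return "not rejected locally: check the Nginx IP filter, then the path between source and server"


if __name__ == "__main__":
    for ip in ("10.0.5.17", "10.0.9.9"):
        print(ip, dict(denied_ports(SAMPLE_DMESG, ip)), "->", next_step(SAMPLE_DMESG, ip))
```

To run it against a live host, replace SAMPLE_DMESG with the output of `dmesg` (or the contents of /var/log/firewalld-drop.log once the rsyslog rule below is in place).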
To write these messages to a separate log file for tracking
Create a new file called /etc/rsyslog.d/firewall-drop.conf and add the following to it
:msg,contains,"_DROP" /var/log/firewalld-drop.log
:msg,contains,"_REJECT" /var/log/firewalld-drop.log
& stop
Restart the rsyslog service for the change to take effect
sudo systemctl restart rsyslog
Drops and rejects will be written to /var/log/firewalld-drop.log