Hi,
I’ve noticed that McAfee firewall is blocking Spiceworks. What ports do I need to put in for the policy?
Currently the connection type is set to trusted network and I’m guessing I’ll need to change it to Custom.
Many Thanks
3 Spice ups
Do you mean it is blocking Spiceworks from scanning your inventory or blocking access to it from another computer? If it’s a scanning issue, have a look here for the ports used: http://community.spiceworks.com/help/How_Does_The_Scan_Work
If it’s accessing it from another computer, make sure Spiceworks is running as a service and then you should be golden.
2 Spice ups
Hi Edward,
It’s the scanning that is blocked. I’ve added port 135 to the firewall, I will test this to see if it works.
1 Spice up
v-s
(V_S)
4
In addition to the ports in the link above, this may also help some as well:
Adding 135 does not seem to have solved the problem. Anything else I need to do?
Have you checked out V_S’s reply?
Hi V_S
I’ve now added port 135, 137 & 445 to the inbound connections, remote desktop & assistance are also allowed.
& it’s still not allowing Spiceworks to scan.
I’ll continue to test, I don’t think the computer I’m testing has updated the firewall policy yet.
Are you getting any specific error messages?
No, I just get the image below
Then if I disable the firewall on the machine and rescan it using Spiceworks, the above no longer appears.
Turn the firewall back on and it reappears.
v-s
(V_S)
11
How long does the firewall policy take to update, or can you force the update?
- ICMPv4 Inbound and Outbound - This is needed so that Spiceworks can discover the devices on your network; it is more commonly known as the PING command. There are a number of types of ping commands that can be permitted or blocked by various firewalls. Generally, you will want to permit commands 0, 3, 8 and 11. Some firewalls don’t distinguish between these, so you will need to check the settings on your specific firewall. Many firewalls will already be configured for (0,3,8), so you will need to make sure the command 11 (echo) is allowed through the firewall.
- TCP Ports 135 and 445 Inbound - This is needed for Windows Management Instrumentation (WMI) which Spiceworks uses to get detailed information about Windows computers.
- UDP Port 137 Inbound - This is needed so that Spiceworks can gather information from the Windows Registry.
- You should enable the Remote administration exception only if your remote administration tools require RPC and DCOM. Malicious users often attempt to attack networks and computers using RPC and DCOM (For Windows Firewall - Enable or Disable the Remote Administration Firewall Rule: Windows Firewall (WF) | Microsoft Learn). Edit or create a new Group Policy Object (GPO) and apply it to the appropriate OU. The GPO should enforce these two settings:
Windows Firewall: Allow remote administration exception
Windows Firewall: Allow ICMP exceptions
Can’t tell you how McAfee handles that, though.
- UDP Port 69 Inbound - This allows Spiceworks to communicate with your networking hardware to backup/restore configurations via TFTP.
- TCP 1024 - 2000 Inbound - Dynamic Ports for Windows Management Instrumentation (WMI)
What is the OS on the target computer?
- 22 (SSH): Used to detect Unix/Linux computers and some network devices.
Physical Computer or Virtual Machine?
- 80 (HTTP): Used to detect servers, VMware, and NAS devices. Also, some routers, hubs, switches, and printers can respond to HTTP. For supported devices, Spiceworks will scan the webpage to obtain any helpful information.
- 5800 (VNC HTTP): Used to detect if a device supports remote access using VNC.
Miscellaneous:
- 16992 (Intel AMT SOAP/HTTP): Used to detect vPro status. This is done by checking for an HTTP response on the port. This is editable in settings.yaml
- 9100 (Jet Direct): Used to detect printers.
- 5060 (SIP): Used to detect IP phones. For supported devices, Spiceworks will scan the webpage to obtain any helpful information.
- 161 (SNMP): Used to detect network devices such as printers, switches, etc.
The Spiceworks computer is on the same subnet for the settings you’re adding to McAfee for access and not separated by a VLAN or anything else that may limit exposure, or limit access rules with McAfee enabled?
Otherwise, log files may help determine exactly what’s being blocked and the Orange Guys at Spiceworks are happy to go through them for you if you email: support@spiceworks.com
1 Spice up
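As an added example (not part of any post in this thread, and for the built-in Windows Firewall rather than McAfee): the inbound Windows ports from the list above can be opened only to the scanning server instead of to the whole network, which limits the RPC/DCOM exposure the post mentions. The address `192.0.2.10` and the rule group name are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: inbound Windows Firewall rules for the ports listed in the
# post above, each one restricted to a single scanner address.
$ScannerIp = '192.0.2.10'                 # placeholder: the Spiceworks server
$Group     = 'Spiceworks scan (example)'  # hypothetical rule group name

# Remove rules left by an earlier run so the script can be re-applied.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Settings shared by every rule: inbound, allow, scanner address only.
$common = @{
    Group         = $Group
    Direction     = 'Inbound'
    Action        = 'Allow'
    RemoteAddress = $ScannerIp
}

# Ping discovery: echo request (type 8) from the scanner. Assumes the
# default outbound policy already lets the reply leave the machine.
New-NetFirewallRule @common -DisplayName 'Spiceworks - ICMPv4 echo request' `
    -Protocol ICMPv4 -IcmpType 8

# RPC endpoint mapper and SMB, used for WMI.
New-NetFirewallRule @common -DisplayName 'Spiceworks - TCP 135, 445' `
    -Protocol TCP -LocalPort 135, 445

# NetBIOS name service.
New-NetFirewallRule @common -DisplayName 'Spiceworks - UDP 137' `
    -Protocol UDP -LocalPort 137

# Dynamic WMI ports, range as given in the post. Windows Vista and later
# use 49152-65535 for dynamic RPC unless the range has been reconfigured.
New-NetFirewallRule @common -DisplayName 'Spiceworks - TCP 1024-2000' `
    -Protocol TCP -LocalPort '1024-2000'

# Show what was created, including the address each rule is limited to.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize
```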
Hi V_S,
The product is McAfee Endpoint Security 10.0 using SAAS and a desktop policy to control all the machines on site.
Thanks for the reply, this is quite frustrating so I’ve got a support case with McAfee.
How long does the firewall policy take to update, or can you force the update?
I don’t know. On the firewall policy I turned off the firewall, updated the test machine and rebooted, and it says the firewall is still enabled, so does it even sync with the policy? Very frustrating!
What is the OS on the target computer?
OS is Windows 8.1 Pro x64
Physical Computer or Virtual Machine?
Physical
Yes, it’s in the same subnet; I don’t have any VLANs here.
1 Spice up
The machine that has the issue has not yet made contact with SAAS, this could be the problem, so I’m going to leave it on over the weekend and see how things are on Monday.
1 Spice up
Rod-IT
(Rod-IT)
14
Port 135 and 137 you said are open, but make sure file and printer sharing is enabled as well.
I’m keeping tabs on this post for now in case it needs to be escalated.
1 Spice up
UPDATE
I’ve spent about an hour on the phone with McAfee firewall tech support. It’s now being escalated.
I’ve got 3 machines that I’ve recently built up and all 3 cannot be scanned by Spiceworks. They have not logged in with the SAAS interface to get the firewall settings and the update facility does not work, so it’s looking like something is wrong with their install.
A short-term fix is: on each machine, put the firewall into adaptive mode.
I’m supposed to be contacted by McAfee within 48 hours.
1 Spice up
v-s
(V_S)
18
I hope they can get that sorted out for you with less of a headache than you’ve experienced so far.
jonm
(Jon (Spiceworks))
19
Hey Split66,
Did you ever get this one figured out, or are you still having issues?
Still having issues, I’ll be calling them this afternoon, and hope to have an update soon.