
    Windows Firewall Rules for Trellix ePO in OT and ICS Environments

    • By Oriole One
    • February 15, 2026
    • 347 Views

    Trellix ePolicy Orchestrator (ePO) is a centralized security management platform widely used across industrial, enterprise, and critical infrastructure environments. It provides a single, unified console to deploy, configure, monitor, and enforce security policies across a broad range of Trellix products.

    This centralized approach is particularly valuable in industrial and OT environments, where local access to systems is limited and every change must be controlled, audited, and fully traceable. Through ePO, administrators can manage and monitor Endpoint Security (ENS), Application and Change Control, Application Control (ACC), Data Loss Prevention (DLP), and a range of other products.

    Why Firewall Configuration Is Critical for Trellix ePO

    In Operational Technology (OT) environments, system stability and availability always take priority. For this reason, it is common to see Windows Defender Firewall fully disabled across all profiles (Domain, Private, and Public). This avoids unexpected communication issues, latency, or service disruption on critical systems, but it also removes the only host-level filter on the server, which is exactly what auditors tend to notice.

    However, real-world OT deployments do not always remain this simple.

    Due to regulatory requirements, cybersecurity audits, or corporate IT governance, customers may request that Windows Defender Firewall be enabled, even on systems running Trellix ePolicy Orchestrator (ePO).

    How Windows Firewall Impacts Trellix ePO

    Trellix ePO relies on multiple services and executables working together, including:

    • Apache web services
    • Tomcat application services
    • Event parsing services
    • Database communication (Microsoft SQL)
    • Agent-to-server communication over specific ports

    When Windows Defender Firewall is enabled without proper allow rules, these components can be silently blocked, resulting in:

    • ePO console access issues
    • Agent communication failures
    • Missing events and reporting gaps

    Windows Firewall Requirements for Trellix ePO

    When Windows Defender Firewall is enabled on an ePO Application Server, you must create Inbound Rules that allow the required Trellix components to accept connections. By default the firewall allows all outbound connections, so inbound rules are normally sufficient; if a group policy has changed the default outbound action to Block, matching outbound rules for the same executables are required as well.

    Required ePO Executables to Allow

    The following executables should be explicitly allowed through Windows Defender Firewall.

    ePO Application Server (Tomcat)

    Path:

    %ProgramFiles(x86)%\McAfee\ePolicy Orchestrator\Server\bin\tomcat9.exe

    Purpose:

    • Handles ePO console access
    • Processes agent communication
    • Manages policy distribution

    Firewall Rule Type:

    • Inbound Rule
    • Allow the connection
    • Apply to Domain and Private profiles (Public only if required)

    ePO Event Parser

    Path:

    %ProgramFiles(x86)%\McAfee\ePolicy Orchestrator\EventParser.exe

    Purpose:

    • Parses and processes events sent by agents
    • Essential for dashboards, alerts, and reporting

    Without this rule:

    • Events may not appear in ePO
    • Compliance and visibility can be impacted

    ePO Server (Apache Web Server)

    Path:

    %ProgramFiles(x86)%\McAfee\ePolicy Orchestrator\Apache2\bin\Apache.exe

    Purpose:

    • Handles HTTPS communication
    • Serves the ePO web interface
    • Acts as a communication gateway for agents

    Blocking Apache is one of the most common reasons ePO becomes unreachable after firewall enablement.

    ePO Database Communication (Microsoft SQL)

    Allow inbound traffic to the SQL Server port used by ePO. Direction matters here: ePO is the client and initiates the connection, so when SQL Server runs on a separate host this inbound rule belongs on the SQL Server host, not on the ePO server. On the ePO server itself only the (normally allowed) outbound direction applies, unless a remote console or reporting tool needs to reach a locally installed SQL instance.

    Common Ports:

    • TCP 1433 (default SQL Server instance)
    • Custom ports if configured
    • Named instances without a fixed port use a dynamic TCP port assigned at service start and are located through the SQL Server Browser service on UDP 1434; assign a static port to the instance and allow that port rather than opening the dynamic range

    Purpose:

    • Enables ePO to store events, policies, and system data
    • Required for reporting and console access

    Step-by-Step: Creating Windows Defender Firewall Rules

    1. Open Windows Defender Firewall with Advanced Security
    2. Select Inbound Rules
    3. Click New Rule
    4. Choose Program
    5. Browse to the executable path (for example, tomcat9.exe)
    6. Select Allow the connection
    7. Apply the appropriate profiles (Domain / Private)
    8. Name the rule clearly

    Repeat these steps for each required executable.
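    The same three program-based rules, created from an elevated PowerShell session instead of the wizard. This is an added example and not part of the original article or of Trellix's own tooling; it assumes the default ePO install location under Program Files (x86) and uses rule names chosen here, so adjust the paths if ePO was installed elsewhere.

```powershell
# Added example (not from the article): create the inbound allow rules for the
# Trellix ePO executables with PowerShell. Assumptions: default ePO install path
# under Program Files (x86); rule names are chosen here.
#Requires -RunAsAdministrator

$epoRoot = Join-Path ${env:ProgramFiles(x86)} 'McAfee\ePolicy Orchestrator'

# Rule name => executable path relative to the ePO root, matching the article's list.
$epoPrograms = [ordered]@{
    'Trellix ePO - Application Server (tomcat9.exe)' = 'Server\bin\tomcat9.exe'
    'Trellix ePO - Event Parser (EventParser.exe)'   = 'EventParser.exe'
    'Trellix ePO - Apache Web Server (Apache.exe)'   = 'Apache2\bin\Apache.exe'
}

foreach ($entry in $epoPrograms.GetEnumerator()) {
    $exe = Join-Path $epoRoot $entry.Value

    # Fail loudly instead of creating a rule for a binary that is not there:
    # a program rule with a wrong path matches nothing and allows nothing.
    if (-not (Test-Path -LiteralPath $exe)) {
        throw "Executable not found: $exe"
    }

    # Idempotent: drop any previous copy of the rule before recreating it.
    Get-NetFirewallRule -DisplayName $entry.Key -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Inbound, Allow, Domain and Private only (add Public only if required).
    New-NetFirewallRule -DisplayName $entry.Key `
        -Description 'Allow inbound connections to this Trellix ePO component' `
        -Direction Inbound `
        -Program $exe `
        -Action Allow `
        -Profile Domain,Private `
        -Enabled True | Out-Null
}

# Verify: show each rule together with the program it is bound to.
Get-NetFirewallRule -DisplayName 'Trellix ePO - *' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Profile = $_.Profile
            Action  = $_.Action
            Program = $filter.Program
        }
    } | Format-Table -AutoSize
```

    After the rules exist, confirm reachability from a management workstation with Test-NetConnection -ComputerName <epo-server> -Port 8443 (8443 is the console port of a default ePO install; use the value from your own Server Settings if it was changed).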

    How to Enable Windows Defender Firewall Logging for Troubleshooting

    When enabling Windows Defender Firewall in OT and ICS environments, it is strongly recommended to enable firewall logging. This allows engineers to identify dropped packets and quickly determine whether Trellix ePO services are being blocked.

    Firewall logs are especially useful when:

    • ePO agents stop communicating
    • The ePO console becomes unreachable
    • Events are not appearing in dashboards
    • SQL communication fails unexpectedly

    Step-by-Step: Enable Firewall Logging

    Follow these steps to log dropped packets:

    1. Open the Windows Firewall console: Control Panel → Windows Defender Firewall → Advanced Settings
    2. In the left pane, select Windows Defender Firewall with Advanced Security
    3. Right-click and select Properties
    4. Select the appropriate Profile tab (Domain, Private, or Public)
    5. In the Logging section, click Customize
    6. In the Log dropped packets drop-down, select Yes
    7. Click OK to apply the changes

    Firewall Log Location

    By default, the Windows Defender Firewall log file is located at:

    C:\Windows\System32\LogFiles\Firewall\pfirewall.log

    The path and size limit are configurable per profile in the same Logging dialog, so check the profile's settings if the file is not there.

    This log records:

    • Dropped inbound packets (path field RECEIVE)
    • Dropped outbound packets (path field SEND)
    • Allowed connections, if Log successful connections is also set to Yes
    • Source and destination IP addresses
    • Ports involved in the communication

    By reviewing this file, engineers can verify whether Trellix ePO services, SQL ports, or agent communication ports are being blocked by the firewall. Note what the file does not contain: neither the rule that dropped the packet nor the process involved. When that is needed, enable the Filtering Platform Packet Drop audit subcategory (auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable) and look for Event ID 5152 in the Security log, which includes the process ID and the filter ID that caused the drop.
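    The logging step above and a first-pass triage of the resulting file, as an added example that is not part of the original article: the script enables dropped-packet logging for the Domain and Private profiles with PowerShell, then filters pfirewall.log for drops on ePO-related ports. The port list and the sample log lines are assumptions made here (the ports are the defaults of a typical ePO install and the lines are constructed, not a real capture); replace them with the values from your own deployment.

```powershell
# Added example (not from the article). Assumptions: ePO default ports
# (80/443 agent-server, 8443 console, 8444 authenticated client, 1433 SQL);
# the sample log lines below are constructed, not captured.
#Requires -RunAsAdministrator

$logFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Equivalent of Properties > Logging > Customize > "Log dropped packets: Yes"
# for the Domain and Private profiles.
Set-NetFirewallProfile -Profile Domain,Private `
    -LogBlocked True `
    -LogAllowed False `
    -LogFileName $logFile `
    -LogMaxSizeKilobytes 32767

$epoPorts = @(80, 443, 1433, 8443, 8444)   # assumed defaults; adjust to your install

function Get-EpoFirewallDrops {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int[]] $Ports = $epoPorts
    )
    # pfirewall.log is space-separated; the "#Fields:" header names the columns:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags
    # tcpsyn tcpack tcpwin icmptype icmpcode info path
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split ' +'
        if ($f.Count -lt 9 -or $f[2] -ne 'DROP') { continue }
        # ICMP rows carry '-' in the port columns; only TCP/UDP have ports.
        if ($f[3] -notin @('TCP', 'UDP')) { continue }
        $srcPort = [int]$f[6]
        $dstPort = [int]$f[7]
        if ($dstPort -in $Ports -or $srcPort -in $Ports) {
            [pscustomobject]@{
                Time      = "$($f[0]) $($f[1])"
                Protocol  = $f[3]
                Source    = "$($f[4]):$srcPort"
                Dest      = "$($f[5]):$dstPort"
                Direction = $f[-1]   # RECEIVE = inbound, SEND = outbound
            }
        }
    }
}

# Constructed sample in pfirewall.log format: a blocked agent check-in on 443,
# a blocked console session on 8443, an allowed SQL connection and an ICMP drop.
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2026-02-15 09:12:03 DROP TCP 10.20.30.41 10.20.30.10 52113 443 52 S 3345171 0 8192 - - - RECEIVE',
    '2026-02-15 09:12:05 DROP TCP 10.20.30.55 10.20.30.10 49811 8443 52 S 9910241 0 65535 - - - RECEIVE',
    '2026-02-15 09:12:07 ALLOW TCP 10.20.30.10 10.20.30.20 61002 1433 0 - 0 0 0 - - - SEND',
    '2026-02-15 09:12:09 DROP ICMP 10.20.30.99 10.20.30.10 - - 60 - - - - 8 0 - RECEIVE'
)
Get-EpoFirewallDrops -LogLines $sample | Format-Table -AutoSize

# Against the live log, after reproducing the failure (last 5000 lines):
# Get-EpoFirewallDrops -LogLines (Get-Content -LiteralPath $logFile -Tail 5000) |
#     Format-Table -AutoSize
```

    With the sample input only the two RECEIVE drops on 443 and 8443 are reported: the ALLOW row and the ICMP row are skipped. An inbound drop on 443 from many agent addresses means the Apache rule is missing or points at the wrong path; a drop on 8443 from an administrator workstation points at the Tomcat rule.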
