SNS ProTip for Host IPS: Troubleshooting network facing applications and collecting ETL logs

Version 1

    When troubleshooting network traffic blocks for the Host IPS firewall, first disable the firewall module and see if the issue goes away. If it does, re-enable the firewall module, but allow all the traffic through by creating an allow-all rule for all protocols, allowing unsupported protocols, disabling Trusted Source, and disabling IP spoof check on the policy pushed out to the system.


    If the issue no longer occurs, the issue is likely with one or more missing or misconfigured firewall rules.


    See Knowledge Base article KB67055 ( for instructions on disabling the firewall, allowing all traffic, and troubleshooting firewall rules.


    If the issue still occurs with the firewall module disabled, leaving the firewall module as is, put FireCore in PassThru mode. If the issue no longer occurs, take FireCore out of PassThru mode and collect the ETL logs along with collecting the MER output.


    KB75917 — How to enable Host Intrusion Prevention 8.0 fwPassThru mode ( explains how to disable and enable Firecore in PassThru mode.


    KB72868 — How to collect event trace logs for Host Intrusion Prevention 8.0 for Windows ( provides information on collecting ETL logs.


    If the issue still occurs with FireCore in PassThru mode, open a Service Request with Host IPS Technical Support and provide your test results. 


    For more resources, visit the ServicePortal and search for related content. Also, visit the McAfee Host IPS Community:


    McAfee SNS ProTips help you maximize your protection with troubleshooting, best practices, how-to tips, and links to Knowledge Center resources. To unsubscribe from ProTips or change your SNS settings, visit the SNS Subscription Center.