cancel
Showing results for 
Search instead for 
Did you mean: 
leoedias
Level 9

Connection Isolation matching error

Hi friends,

     I've configured a CAG (Connetion Aware Group) on HIPS Catalog and put some rules within it. In the configuration I've configured Description, Location and Network Options tabs in Firewall Group Builder, but it's not working.

I got this output on the FireSvc.log on the client which is a workstation running Windows 7. See the output piece below:

I'm running ePO 4.6 and HIPS 8.0.

Anyone knows how can I solve it?

*********************************************************************

**************** Calculate Effective Location Policy ****************

****** Adapter Info

Adapter #1

  IPV4 interface index = 11

  IPV6 interface index = 11

  Physical Address = 00-0c-29-2d-7a-86

  Physical medium = FW_PHYSICAL_MEDIUM_WIRED

  DNS suffix #1 =

  IP address #1 = FE80:0000:0000:0000:9C2A:A07C:7AC3:4045

  IP address #2 = 192.168.0.171

  Gateway address #1 = 192.168.0.174

  DHCP enabled = false

  No DHCP server addresses

  Has WINS = false

  No Primary WINS server addresses

  No Secondary WINS server addresses

  DNS server address #1 = 192.168.0.170

  DNS server address #2 = 8.8.8.8

Adapter #2

  IPV4 interface index = 1

  IPV6 interface index = 1

  Physical Address = 00-00-00-00-00-00

  Physical medium = FW_PHYSICAL_MEDIUM_WIRED

  DNS suffix #1 =

  IP address #1 = 0000:0000:0000:0000:0000:0000:0000:0001

  IP address #2 = 127.0.0.1

  No Gateway addresses

  DHCP enabled = false

  No DHCP server addresses

  Has WINS = false

  No Primary WINS server addresses

  No Secondary WINS server addresses

  DNS server address #1 = FEC0:0000:0000:FFFF:0000:0000:0000:0001

  DNS server address #2 = FEC0:0000:0000:FFFF:0000:0000:0000:0002

  DNS server address #3 = FEC0:0000:0000:FFFF:0000:0000:0000:0003

****** Location Info

Group "Isolation"

  Client id = 38d53aaa-356d-449d-a087-0f29fd89a971

  Requires home network = true

  Hot drop if not match = true

  Is ipv4 = true

  Is ipv6 = true

  Registry key =

  Physical medium = FW_PHYSICAL_MEDIUM_WIRED

  DNS suffix = security.lab

  Gateway = 192.168.0.174

  DNS server = 8.8.8.8

  DNS server = 192.168.0.170

****** Currently Active Locations

None of the cags matched the adapters.

**************** End of Effective Location Policy *******************

*********************************************************************

0 Kudos
5 Replies
greatscott
Level 12

Re: Connection Isolation matching error

What are you trying to do? What is it not doing that you want it to do?

Can you screenshot the firewall policy and the details of the group from within ePO? Can you also provide an ipconfig /all output from the system? Do you have IPv6 services enabled?

0 Kudos
leoedias
Level 9

Re: Connection Isolation matching error

Hi greatscott,

     I'm trying make a test using two NICs on a virtual machine. The first NIC is joined on domain (secuity.lab) by "VM Network 1" and the second NIC is connected to "VM Network 2" which is connected to another network. Both of it are wired network. My main goal to reach is make the the first NIC meet to the CAG parameters and block all traffic from the second NIC.

I've attached the scream that you asked about.

CAG Location tab.png

CAG Location TAB

Policy.png

Policy

ipconfig from client with HIPS.png

ipconfig output from client with HIPS installed

0 Kudos
greatscott
Level 12

Re: Connection Isolation matching error

Ok, so packets from NIC 2 are being permitted? Are you in regular protection mode for the firewall, and not in any adaptive or learn modes?

0 Kudos
McAfee Employee

Re: Connection Isolation matching error

Your system does not have the correct Connection-specific DNS suffix (security.lab).

****** Adapter Info

Adapter #1

  IPV4 interface index = 11

  IPV6 interface index = 11

  Physical Address = 00-0c-29-2d-7a-86

  Physical medium = FW_PHYSICAL_MEDIUM_WIRED

  DNS suffix #1 =

****** Location Info

Group "Isolation"

  Client id = 38d53aaa-356d-449d-a087-0f29fd89a971

  Requires home network = true

  Hot drop if not match = true

  Is ipv4 = true

  Is ipv6 = true

  Registry key =

  Physical medium = FW_PHYSICAL_MEDIUM_WIRED

  DNS suffix = security.lab

0 Kudos
leoedias
Level 9

Re: Connection Isolation matching error

Hi Kary,

All of the fields must meet the criteria? Just one or two fields wouldn't enough?

0 Kudos