DPE
Level 7
Message 1 of 9

FIPS in ePO - How to turn off firewall when in-office

Hi,

I'm testing HIPS as a potential replacement for our Symantec client firewall.

We want to be able to allow all traffic on clients when they are in-office at one of our locations of business. I've figured out how to create a location aware group in the ePO policies for HIPS, but how can I turn off the firewall when a client matches the in-office requirements?

Thanks!

8 Replies

Re: FIPS in ePO - How to turn off firewall when in-office

I guess a couple options come to mind:

1. If those clients are on a specific IP range while in-office, you could create a new group in your system tree, filter the group for that IP range or tagging, then assign an IPS/FW policy to that specific group to allow all traffic or just plain turn off the IPS/FW.

2. You can create a location aware group in your FW rules to allow any/any on a specific DHCP/DNS/Gateway/etc. if those clients are on a specific DHCP/DNS/Gateway/etc. while in-office.

Reliable Contributor ansarias
Reliable Contributor
Message 3 of 9

Re: FIPS in ePO - How to turn off firewall when in-office

Well, I don't think we have an option in HIPS, but you can try to do it through an ePO server task.

1. First create a query for the list of workstations based on the subnet address used when connected to the office network.

2. Create an ePO server task, select Run Query and select the query created in step one.

3. Now under sub action select assign policy and assign the HIPS disable policy, with an additional sub action = Wake up agents so those machines will get the HIPS disable policy ASAP.

4. On the schedule part you can run it every 1 hour, based on your comfort.

Hope this can help you.

DPE
Level 7
Message 4 of 9

Re: FIPS in ePO - How to turn off firewall when in-office

Hi guys,

I'm not too keen on moving my machines around inside ePO based on their IP addresses. I like to keep my clients' location in ePO static, due to our Drive Encryption setup.

And I now realise that I cannot disable HIPS completely since this requires a different policy on the group that my clients are located in.

So, my best bet is to create a location aware group and allow any/any when the clients match that location.

I've tried to achieve this, but with limited success. This is a view of my location aware group:

[Screenshot: 15-09-2014 10-48-13.bmp]

The 'In Office - XXX' groups are location aware (they are set up with DHCP, DNS and DNS suffix for each of my sites). My goal is to allow all traffic when clients fall into these groups, which is why I've created the 'BN - Allow all traffic' rule below the location aware group, which allows all traffic in either direction for the local networks defined (all my internal networks). However, when I look in the activity log of my test client, it seems to be blocking a whole lot of traffic based on the location aware group "rule" (which isn't a rule, but a group). As I can't set an 'Allow' or 'Block' action on the location aware group, I would think that traffic would not be evaluated against the group, but only against the sub-rules of the group.

[Screenshot: 15-09-2014 10-59-27.bmp]

Any idea as to what I'm doing wrong?

Thanks for your help guys.

/David

Re: Re: FIPS in ePO - How to turn off firewall when in-office

Are you sure your test client has a DNS server IP that is specifically outlined in the local network group? If your test machine cannot get to a DNS server that is listed in the local network, it won't work.

We have certain machines that are not on a domain, and have no DNS server, so we use their Default Gateway IP as the local network. I know once before I accidentally typed in a wrong IP for the default gateway and it was blocking everything as in your screenshot, and once I finally corrected it, traffic flowed fine.
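As an added check that is not part of the thread or any McAfee tool: given the addresses a test client actually has and the criteria configured on a location-aware group, list everything that would stop the group from matching. It assumes a simplified model of the match criteria (DHCP server, DNS server, DNS suffix, and every relied-upon address inside the group's local networks); all addresses are constructed.

```python
import ipaddress

# Constructed sample modelled on the thread: one location-aware group per site, defined
# by its DHCP server(s), DNS server(s), DNS suffix and the local networks that the
# 'Allow all traffic' rule also uses. Assumption: a simplified model of the match
# criteria, not McAfee's implementation; the addresses are made up.
LOCATION_GROUPS = {
    "In Office - Site A": {
        "dhcp_servers": {"10.1.110.10"},
        "dns_servers": {"10.1.110.11", "10.1.110.12"},
        "dns_suffix": "corp.example",
        "local_networks": ["10.1.100.0/24", "10.1.110.0/24"],
    },
}


def in_local_networks(ip, networks):
    """True if ip falls inside any of the configured local network ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def check_client(client, group):
    """Return the reasons a client would fail to match a group; [] means it matches.

    client: dict with 'ip', 'gateway', 'dhcp_server', 'dns_servers' (a set) and 'dns_suffix'.
    """
    problems = []
    nets = group["local_networks"]
    if client["dhcp_server"] not in group["dhcp_servers"]:
        problems.append(f"DHCP server {client['dhcp_server']} is not one the group lists")
    if not client["dns_servers"] & group["dns_servers"]:
        problems.append("none of the client's DNS servers is listed in the group")
    if client["dns_suffix"].lower() != group["dns_suffix"].lower():
        problems.append(f"DNS suffix {client['dns_suffix']!r} does not match the group")
    # The point raised in the thread: every address the group relies on (and the client
    # itself) must sit inside the local networks, otherwise the group never matches.
    relied_upon = [("client", client["ip"]), ("gateway", client["gateway"]),
                   ("DHCP server", client["dhcp_server"])]
    relied_upon += [("DNS server", d) for d in sorted(client["dns_servers"])]
    for label, ip in relied_upon:
        if not in_local_networks(ip, nets):
            problems.append(f"{label} {ip} is outside the local networks {nets}")
    return problems


def audit(client, groups=LOCATION_GROUPS):
    """Map each group name to its problem list, so the group(s) that match show []."""
    return {name: check_client(client, g) for name, g in groups.items()}
```

A mistyped gateway or DNS server address, as in the reply above, shows up as an "outside the local networks" entry for that site instead of an empty list.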

DPE
Level 7
Message 6 of 9

Re: Re: FIPS in ePO - How to turn off firewall when in-office

Hi,

Thanks for your reply.

I had already added all the local subnets we use at our location to the network location. My client resides in the X.X.100.0/24 subnet, and my servers (including DHCP and DNS servers) are located in the X.X.110.0/24 subnet. So I guess this should be OK?

I've added the same local networks to both the location specific group and the 'Allow all traffic' rule residing inside the group (see screenshots).

I have a real hard time seeing what I'm doing wrong here. Adding DNS server IP addresses to the local networks does not make a difference - traffic is still being blocked by HIPS.

Any ideas?

/David

Re: FIPS in ePO - How to turn off firewall when in-office

It looks like you have it set up correctly. What specific FW rule is your test client tripping on?

If you look at the HIPS GUI on the test client and export the results to a .txt, open that up, or take a look at C:\ProgramData\McAfee\Host Intrusion Prevention\HipShield.log. Find the specific rule it's tripping over, and obviously that is your culprit.

Could you provide the rule it's tripping over? I would also start by creating a new policy with only one CAG, for your test client, to make sure none of those other rules in your FW table are interfering for some reason.

DPE
Level 7
Message 8 of 9

Re: FIPS in ePO - How to turn off firewall when in-office

The log says that 'In Office - BNK/BNH' is blocking the traffic. This is the name of my location aware group. But since the group cannot be configured with 'allow' or 'deny', I have a hard time understanding why traffic is being blocked at this level? I would assume that my client would just evaluate which group it should look in for rules and then look further down into the rules that are defined under each group and then evaluate traffic against them.

Re: FIPS in ePO - How to turn off firewall when in-office

It definitely doesn't like something. It seems like it is not resolving whatever is in your LAG rule, meaning the DHCP/DNS server IPs you have entered. Or it's conflicting with another rule, but that doesn't seem to be the case.

Maybe try deleting your DHCP/DNS servers and try entering just the default gateway IP of your test client, in a new test policy for a LAG rule, apply it to your test agent and see if it works?

It's definitely coming from your "In Office - BNK / BNH" rule, so something in there is just not resolving correctly.
