I'm testing HIPS as a potential replacement for our Symantec client firewall.
We want to be able to allow all traffic on clients when they are in-office at one of our locations of business. I've figured out how to create a location aware group in the ePO policies for HIPS, but how can I turn off the firewall when a client matches the in-office requirements?
I guess a couple options come to mind:
1. If those clients are on a specific IP range while in-office, you could create a new group in your system tree, filter the group for that IP range or tagging, then assign an IPS/FW policy to that specific group to allow all traffic or just plain turn off the IPS/FW.
2. You can create a location aware group in your FW rules to allow any/any on a specific DHCP/DNS/Gateway/etc. if those clients are on a specific DHCP/DNS/Gateway/etc. while in-office.
Well, I don't think we have that option in HIPS, but you can try to do it through an ePO server task.
1. First, create a query for the list of workstations based on the subnet address used when connected to the office network.
2. Create an ePO server task, select Run Query, and select the query created in step one.
3. Now, under sub-action, select Assign Policy and assign the HIPS disable policy, with an additional sub-action = Wake Up Agents so those machines will get the HIPS disable policy ASAP.
4. In the schedule part, you can run it every hour, or at whatever interval you are comfortable with.
Hope this can help you.
I'm not too keen on moving my machines around inside ePO based on their IP addresses. I like to keep my clients' location in ePO static, due to our Drive Encryption setup.
And I now realise that I cannot disable HIPS completely, since this requires a different policy on the group that my clients are located in.
So, my best bet is to create a location aware group and allow any/any when the clients match that location.
I've tried to achieve this, but with limited success. This is a view of my location aware group:
The 'In Office - XXX' groups are location aware (they are set up with DHCP, DNS and DNS suffix for each of my sites). My goal is to allow all traffic when clients fall into these groups, which is why I've created the 'BN - Allow all traffic' rule below the location aware group, which allows all traffic in either direction for the local networks defined (all my internal networks). However, when I look in the activity log of my test client, it seems to be blocking a whole lot of traffic based on the location aware group "rule" (which isn't a rule, but a group). As I can't set an 'Allow' or 'Block' action on the location aware group, I would think that traffic would not be evaluated against the group, but only against the sub-rules of the group.
Any idea as to what I'm doing wrong?
Thanks for your help guys.
Are you sure your test client has a DNS server IP that is specifically outlined in the local network group? If your test machine cannot get to a DNS server that is listed in the local network, it won't work.
We have certain machines that are not on a domain, and have no DNS server, so we use their Default Gateway IP as the local network. I know once before I accidentally typed in a wrong IP for the default gateway and it was blocking everything as in your screenshot, and once I finally corrected it, traffic flowed fine.
Thanks for your reply.
I had already added all the local subnets we use at our location to the network location. My client resides in the X.X.100.0/24 subnet, and my servers (including DHCP and DNS servers) are located in the X.X.110.0/24 subnet. So I guess this should be OK?
I've added the same local networks to both the location specific group and the 'Allow all traffic' rule residing inside the group (see screenshots).
I have a real hard time seeing what I'm doing wrong here. Adding DNS server IP addresses to the local networks does not make a difference; traffic is still being blocked by HIPS.
It looks like you have it set up correctly. What specific FW rule is your test client tripping on?
If you look at the HIPS GUI on the test client and export the results to a .txt, open that up, or take a look at C:\ProgramData\McAfee\Host Intrusion Prevention\HipShield.log. Find the specific rule it's tripping over and obviously that is your culprit.
Could you provide the rule it's tripping over? I would also start by creating a new policy with only one CAG, for your test client, to make sure none of those other rules in your FW table are interfering for some reason.
The log says that 'In Office - BNK/BNH' is blocking the traffic. This is the name of my location aware group. But since the group cannot be configured with 'allow' or 'deny', I have a hard time understanding why traffic is being blocked at this level. I would assume that my client would just evaluate which group it should look in for rules, then look further down into the rules that are defined under each group and evaluate traffic against them.
It definitely doesn't like something. It seems like it is not resolving whatever is in your LAG rule, meaning the DHCP/DNS server IPs you have entered. Or it's conflicting with another rule, but that doesn't seem to be the case.
Maybe try deleting your DHCP/DNS servers and try entering just the default gateway IP of your test client, in a new test policy for a LAG rule, apply it to your test agent and see if it works?
It's definitely coming from your "In Office - BNK / BNH" rule, so something in there is just not resolving correctly.