I turned on the HIPS Firewall in adaptive mode and pointed it to a group with 5 workstations. It's been on for about 4 days now, but I have not seen any rules created on the HIPS IPS, Firewall Client Rules tab. I found two articles from the knowledge base and I followed the instructions as far as making sure certain settings are applied -- no luck. I also ran the Host IPS Property Translator task, just in case; still nothing.
I found an article from the knowledge base about rules not porting to the ePO server, but it's for ePO 3.6 and I'm running ePO 4.0 and HIPS 7.0 Patch 6. The article said that sometimes the rules can take up to 4-5 days before they show up on the ePO server.
BTW, how can I check whether the target device has created any firewall rules if it's in adaptive mode?
I'm out of ideas. I really, really appreciate the help!
How can I check whether the target device has created any firewall rules if it's in adaptive mode?
1. Check locally on the client system and see if any "Dynamically created rules" appear on the local system.
2. Check the client's node properties in the ePO database. In the Host IPS property section, you should see a ClientPolicy section that contains the locally created rules, named FirewallRule#. You can create one locally to test this. Just create a rule, perform a McAfee Agent ASCI, then check the properties. Nothing else has to be done to get this part to work.
The HIPS Property Translator task will take the node property rules and convert them to Client Rules in the Host IPS Reporting section.
If you don't see the ClientPolicy section in the node properties, make sure your McAfee Agent policy is set to Send Full Product Properties, not Minimal properties. This is required. This whole process will not work if you are collecting Minimal properties only. See KB58949.
The Send Full Product Properties box is checked on the McAfee Agent policy that I'm using. One thing I noticed is that inside the Activity Log, I'm getting events that show:
IP Address/User: 0.0.0.0
Message: Blocked Incoming Non-IP Protocol : 0x40
I checked the "allow unsupported protocol" box, but the same message keeps logging and I still don't see anything show up on the Firewall Client Rules tab.
Thanks for the response.
The Blocked Incoming Non-IP Protocol : 0x40 message is for non-IP based traffic being blocked by the NDIS drivers, not the Firewall. The Firewall cannot build rules for these protocols. This is as designed.
Check out PD20748 as well for Adaptive Mode functionality and when it can/can't learn network traffic.
You can create a rule for protocol id 40, but the bigger question is what a deprecated protocol is doing on the wire. I'd probably want to sniff the traffic and take a closer look at it.
Actually, yes you can for this. Protocol 40 is IL Transport Protocol, which is in our Firewall protocol list. But you have to match the protocol number and name together, like: http://support.microsoft.com/kb/289892.
Thanks Kary for the clarification. You can't just type in the protocol id as you can in HIPS 8. You have to select "IL" from the "Transport Protocol" pull down menu in the 'Firewall rule editor' window.
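The advice above is to sniff the unknown traffic before writing a rule for it. The following Python script is an added example for that step; it is not code from the thread, from McAfee, or from the HIPS product. It does two things a practitioner would check first: it pulls the value out of an Activity Log line like the one posted and shows how that value reads in decimal versus hex (0x40 is 64 decimal; in the IANA protocol-number registry 40 is IL and 64 is SAT-EXPAK, so "protocol 40" and "0x40" are not the same number), and it parses the 14-byte Ethernet header of captured frames to decide whether the traffic is IP at all, since a type/length field below 0x0600 is an IEEE 802.3 length, not an EtherType. Whether HIPS prints an EtherType, a length field, or something else in the "Non-IP Protocol" message is an assumption the log line itself does not settle, so the script reports both readings. The log line and the frames are constructed inline; the function and table names are my own.

```python
import re
import struct

# Subsets of the IANA registries (the names are IANA's, the selection is mine).
IP_PROTOCOLS = {
    1: "ICMP",
    6: "TCP",
    17: "UDP",
    40: "IL",         # Internet Link: decimal 40, the value the posters mean by "protocol 40"
    64: "SAT-EXPAK",  # decimal 64 == 0x40, the hex value printed in the HIPS log
}
ETHERTYPES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x8100: "802.1Q VLAN tag",
    0x86DD: "IPv6",
}
IP_ETHERTYPES = {0x0800, 0x86DD}


def parse_hips_nonip_message(message):
    """Extract the protocol value from an Activity Log line such as
    'Blocked Incoming Non-IP Protocol : 0x40'. Returns an int, or None
    when the line is not one of these messages. Assumes the value is
    printed as hex with a 0x prefix or as plain decimal."""
    m = re.search(r"Non-IP Protocol\s*:\s*(0x[0-9a-fA-F]+|\d+)", message)
    if not m:
        return None
    token = m.group(1)
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def describe_value(value):
    """Show how the same number reads as an IP protocol number (decimal)
    and as the Ethernet type/length field of a frame, so hex and decimal
    are not mixed up when picking a rule."""
    if value >= 0x0600:
        frame_field = "EtherType %s" % ETHERTYPES.get(value, "unknown")
    else:
        frame_field = "802.3 length field (%d bytes of LLC payload), not an EtherType" % value
    return {
        "decimal": value,
        "hex": "0x%02X" % value,
        "ip_protocol_if_decimal": IP_PROTOCOLS.get(value, "unassigned/unknown"),
        "ethernet_type_or_length": frame_field,
    }


def classify_frame(frame):
    """Parse the 14-byte Ethernet header and report whether an IP-layer
    firewall could ever see this frame. Frames carrying anything other
    than an IP EtherType are invisible to IP-based rule learning."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    is_ethertype = type_or_len >= 0x0600  # IEEE 802.3: smaller values are lengths
    if is_ethertype:
        name = ETHERTYPES.get(type_or_len, "unknown EtherType")
        is_ip = type_or_len in IP_ETHERTYPES
    else:
        name = "IEEE 802.3 frame, length %d" % type_or_len
        is_ip = False
    fmt = lambda b: ":".join("%02x" % x for x in b)
    return {
        "src": fmt(src),
        "dst": fmt(dst),
        "type_or_len": type_or_len,
        "name": name,
        "ip_layer_visible": is_ip,
    }


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

_DST = _mac("00:11:22:33:44:55")
_SRC = _mac("66:77:88:99:aa:bb")

# Constructed frames for the demonstration (not captured traffic).
SAMPLE_FRAMES = {
    "ipv4": _DST + _SRC + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19,
    "arp": _DST + _SRC + struct.pack("!H", 0x0806) + b"\x00" * 28,
    # raw 802.3 frame whose length field is 0x0040 (64), followed by an LLC header
    "dot3_len64": _DST + _SRC + struct.pack("!H", 0x0040) + b"\xaa\xaa\x03" + b"\x00" * 61,
}

CONSTRUCTED_LOG_LINE = "Message: Blocked Incoming Non-IP Protocol : 0x40"

if __name__ == "__main__":
    value = parse_hips_nonip_message(CONSTRUCTED_LOG_LINE)
    print("log value:", describe_value(value))
    for label, frame in SAMPLE_FRAMES.items():
        print(label, classify_frame(frame))
```

Run it against frames read from a capture of the affected workstation (for example with a pcap reader) in place of SAMPLE_FRAMES; any frame whose `ip_layer_visible` is False is traffic the IP firewall cannot learn a rule for, which matches the "as designed" answer above, and `describe_value` makes the hex/decimal reading explicit before anyone selects a transport protocol in the rule editor.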
Thanks for the information. I'll have to do more digging about the "non-IP" message. Also, from the adaptive mode document, one of the bullets stated that HIPS firewall rules will not be created if no user is logged on to the machine. I have to check if the test machines are actually being used; that might be why. We don't have a CAG policy, so it can't be that. I'll post my "findings" as soon as I know more.
I am currently implementing HIPS as well, ePO 4 P7 and HIPS 7.0 (Build 1159). I am having the same issue: I have run the Translator job with rules created and it's not translating back to my ePO server. I have checked the ePO agent and it's sending the full properties back to the server, as I have seen noted in other posts about this issue. I am going to leave the translator job running over the next few days and will assess then, but I'm interested to see if anybody has solved this problem.
Thanks in advance!
The Host IPS Property Translator task in the ePO console should not be enabled and scheduled to run on a recurring basis. This Property Translator task already runs within the ePO database itself, every 15 minutes. The server task in the ePO console is only meant to be run for on-demand property translation, when you can't wait for the next 15-minute run.