Has anyone run across an issue where a system continues to receive blocks on the firewall when there are already rules to permit the activity?
For example, the user has a firewall policy with a CAG in it. Within the CAG is an allow all. The criteria of the CAG were met, by being within a certain IP range. The traffic is typical IP traffic for 389, 445, etc. This system was recently upgraded to HIPS 8. The product was also removed (with the HIPS ripper tool), then reinstalled fresh, and it still continues to display this behavior.
Message was edited by: greatscott on 12/19/13 7:31:46 AM CST
Verify the system is matching the CAG properly. Enable debug logging, review the Firesvc.log file, and look for "Currently Active Locations". Verify the adapter matches the CAG and also the network traffic is coming in/out of that specific adapter & IP address.
Any idea on how to open the firesvc.log file after it's been in logging for a while? When the log viewer opens, it completely bombs out, I'm assuming from the log size.
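One way to run the check described above when the log is too large for a viewer, as an added example that is not part of the original thread: a Python script that streams the file line by line and returns each "Currently Active Locations" marker with the lines that follow it. The BOM-based encoding detection, the number of following lines kept, and the sample log content are assumptions constructed for illustration; the real log layout is not shown on this page.

```python
import codecs
import os
import tempfile

MARKER = "Currently Active Locations"  # string named in the reply above


def sniff_encoding(path):
    """Choose an encoding from the byte-order mark; UTF-8 fallback is an assumption."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if head.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"
    return "utf-8"


def marker_blocks(path, marker=MARKER, after=5):
    """Stream the log (constant memory) and yield (line_no, [marker line + `after` lines])."""
    block, start = None, 0
    with open(path, "r", encoding=sniff_encoding(path), errors="replace") as f:
        for no, line in enumerate(f, 1):
            line = line.rstrip("\r\n")
            if marker.lower() in line.lower():
                if block is not None:      # previous block cut short by a new marker
                    yield start, block
                block, start = [line], no
            elif block is not None:
                block.append(line)
            if block is not None and len(block) > after:
                yield start, block
                block = None
    if block is not None:                  # marker near end of file
        yield start, block


def demo():
    """Run against a constructed UTF-16 sample; these lines are not real log output."""
    lines = ["filler 1", MARKER, "constructed: location entry A",
             "constructed: location entry B", "filler 2", "filler 3"]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.log")
        with open(path, "w", encoding="utf-16", newline="") as f:
            f.write("\r\n".join(lines))
        return list(marker_blocks(path, after=2))


if __name__ == "__main__":
    for line_no, block in demo():
        print(line_no, block)
```

To use it on a real file, call `marker_blocks()` with the path to the log and compare the adapter and IP address in the returned lines against the CAG criteria.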