
Firewall rules for network sniffer?

I’m attempting to enable McAfee HIP Firewall 8.0 on a series of machines configured as network sensors and I am having some difficulty creating a firewall rule to allow the sensor NICs to see all traffic, while enabling the firewall on the rest of the NICs.  The sensor NICs are located behind network taps and are able to receive data, but cannot transmit.

Wireshark is one of the applications in use, but after adding a firewall rule allowing the Wireshark executable to receive data on any port from any host, the Activity Log shows that no application is associated with that traffic, so the rule is ineffective.  I’ve tested some workaround ideas with mixed results.

  • Allowing traffic selectively on network adapters that are connected to a network tap via a connection-aware group.  This is tricky because using an IP alone as the group criterion does not seem to be effective, and though it does work when additional information such as the default gateway or DNS is specified, these settings have the potential to disrupt external connectivity.
  • Creating a rule to block traffic addressed to the local network adapter, then creating an “allow all” firewall rule directly below it to allow the reception of traffic directed to other hosts.  This works, but there seems to be some additional risk from the “allow all” rule.
  • Adding the sniffing application to the Trusted Applications group.  This does not seem to work, because the HIP firewall doesn't associate the traffic with the application.

Is there a best practice for applying separate firewall rules to different NICs in the same machine?

Thank you
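Added illustration, not part of the original post and not McAfee's rule engine: a small Python model of a first-match inbound rule list, written to show two things the post describes. First, a rule keyed on an application (the Wireshark rule, or Trusted Applications) can only match traffic that some local process has a socket for; frames captured off a tap are addressed to other hosts, so no process owns them and the rule never fires. Second, the block-local / allow-all pair only stays safe when the pair is scoped to the sensor adapter; unscoped, the same two rules also act on the management adapter. The adapter names, IP addresses, process names and the `iface` / `dst_local_only` rule fields are assumptions made for the model; how HIP actually identifies an adapter (the connection-aware group criteria discussed above) is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample host: one management adapter and one tap-fed sensor adapter.
# Names and addresses are assumptions for the illustration.
LOCAL_IPS = {"mgmt0": "10.0.0.5", "sensor0": "192.0.2.250"}


@dataclass
class Packet:
    iface: str                      # adapter the frame arrived on
    dst_ip: str
    dst_port: int
    owner: Optional[str] = None     # process owning the local socket; None for sniffed traffic


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "block"
    iface: Optional[str] = None     # None = applies to every adapter
    application: Optional[str] = None
    dst_port: Optional[int] = None
    dst_local_only: bool = False    # only traffic addressed to the receiving adapter's own IP


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    # An application criterion needs a local socket to attach to.  Traffic captured
    # in promiscuous mode is addressed to other hosts, so no process owns it and the
    # rule can never match: the "no application associated" entry in the Activity Log.
    if rule.application is not None and rule.application != pkt.owner:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.dst_local_only and pkt.dst_ip != LOCAL_IPS.get(pkt.iface):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, str]:
    """First matching rule wins; anything unmatched gets the default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# 1. Application-keyed rule: allow wireshark.exe from any host on any port.
APP_RULES = [Rule("wireshark-any", "allow", application="wireshark.exe")]

# 2. Block-local / allow-all pair with no adapter scope.
UNSCOPED_RULES = [
    Rule("block-local", "block", dst_local_only=True),
    Rule("allow-all", "allow"),
]

# 3. The same pair scoped to the sensor adapter; the management adapter keeps
#    its own explicit, application-bound rule (process name is an assumption).
SCOPED_RULES = [
    Rule("sensor-block-local", "block", iface="sensor0", dst_local_only=True),
    Rule("sensor-allow-all", "allow", iface="sensor0"),
    Rule("mgmt-rdp", "allow", iface="mgmt0", application="svchost.exe",
         dst_port=3389, dst_local_only=True),
]

# Constructed sample frames.
SNIFFED = Packet("sensor0", "198.51.100.20", 80)             # tap traffic between two other hosts
TO_SENSOR_IP = Packet("sensor0", "192.0.2.250", 22)          # something aimed at the sensor NIC itself
MGMT_RDP = Packet("mgmt0", "10.0.0.5", 3389, owner="svchost.exe")
MGMT_STRAY = Packet("mgmt0", "10.0.0.99", 445)               # not for us, seen on the management NIC


if __name__ == "__main__":
    for label, rules in (("app", APP_RULES), ("unscoped", UNSCOPED_RULES), ("scoped", SCOPED_RULES)):
        for pkt in (SNIFFED, TO_SENSOR_IP, MGMT_RDP, MGMT_STRAY):
            print(f"{label:9s} {pkt.iface:8s} -> {pkt.dst_ip:15s} {evaluate(rules, pkt)}")
```

Running the model shows the application rule blocking every sniffed frame, the unscoped pair both blocking RDP to the management adapter's own address and admitting stray traffic on it, and the scoped pair passing tap traffic on `sensor0` while the management adapter falls through to its own rule or the default block.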

