kjhurni
Level 9

HIPS 8.0 firewall logging to EPO server?

Please tell me that there's a way to have the McAfee HIPS (we have the EPO 4.6.x server, with the McAfee agent, HIPS, and VSE 8.8 on the machines) report back firewall logging activities?

We're in the process of tuning (for lack of a better word) what firewall holes we may need to open (we have thousands of machines with different software, etc.)

Our old security product (Cisco CSA) had the ability to report back everything to the server (blocked/allowed/monitored, etc.)

All I could find was an old post on these forums from 2011 indicating that you could not do this, but instead had to visit each machine (or rdp/remote control each machine) to upload the logs.  REALLY?

So I'm hoping that this has been changed.

I think even the crummy MS firewall and integration with Forefront or whatever has this ability and supposedly HIPS is a higher level product than simple firewall/app whitelisting.

16 Replies
McAfee Employee

Re: HIPS 8.0 firewall logging to EPO server?

Please tell me that there's a way to have the McAfee HIPS (we have the EPO 4.6.x server, with the McAfee agent, HIPS, and VSE 8.8 on the machines) report back firewall logging activities?


This functionality does not exist in the McAfee Host IPS product.  HIPS Firewall events/activity are not sent to ePO.

0 Kudos
kjhurni
Level 9

Re: HIPS 8.0 firewall logging to EPO server?

Thanks for the info. Guess it's time to start looking at other vendors' security products then.

0 Kudos
andrealves
Level 7

Re: HIPS 8.0 firewall logging to EPO server?

Sorry for resurrecting this old thread. Is this still true? I'm looking for a way to see, from ePO, what connections/applications are blocked by the firewall/IPS.

0 Kudos
McAfee Employee

Re: HIPS 8.0 firewall logging to EPO server?

The current HIPS 8.0 version does not have functionality to log firewall events to ePO.  You will have to go local to the system and review the HIPS Activity log (in the HIPS Client UI - McAfeeFire.exe) for blocked/allowed Firewall events.  Please submit a PER if you'd like to request this functionality in a future version.

KB60021 - Information about Product Enhancement Requests for McAfee products

https://kc.mcafee.com/corporate/index?page=content&id=KB60021

0 Kudos
maxsteel12
Level 7

Re: HIPS 8.0 firewall logging to EPO server?

For the firewall rule you need to monitor on a specific system or on multiple systems:

Just duplicate the assigned IPS rule, give it a new name, type in IPS Signature 3702, and make sure its severity is set to high.

Go back to the Firewall policy assigned to the machine or group of machines and check the box "Treat matched traffic as Intrusion". Save the firewall rule and assign it to the machines where you want to monitor firewall logs from ePO.

Send an agent wake-up and you will be able to see the firewall logs on the ePO console.

**Note: This is not recommended because it can fill the DB with firewall logs. USE this only for troubleshooting purposes; it removes the dependency on collecting the activity log from the machine.**

0 Kudos
er587
Level 7

Re: HIPS 8.0 firewall logging to EPO server?

K,

I had the same problem a few months ago. I worked through my sales rep to show product managers the gap in the HIPS product. After some long discussions, they finally came to realize this gap needed to be filled. Of course, it was kind of hard to change the product to include all the firewall events (Sophos doesn't do it either), but we are happy to accept the middle ground. Then McAfee released a community tool called Threat Activity Tracer (TAT).

The tool basically sends a user-defined set of firewall logs prior to a VSE or HIPS event.  This allows you to get all the activity prior to a security event.

https://community.mcafee.com/docs/DOC-4231 -- Great Job Torry!!

A good use case that I'm testing: with a HIPS application firewall rule, allow JAVA outbound to any, and then you add the FW log option specific to the TAT tool. You get hit with a drive-by download using JAVA. The McAfee agent uploads the 5 prior firewall permits tagged with the JAVA rule.  Then you correlate this information with other security information in your environment, cross-check whitelisted hosts, and potentially create an automated response or risk score. This information now aids in your security intelligence. Additionally, using the WebAPI in 4.6, you can cross-check these IPs with known or new potential bad hosts on a periodic basis.  Pretty cool…

kjhurni
Level 9

Re: HIPS 8.0 firewall logging to EPO server?

Thanks for the information. 

Yes, I'm shocked that HIPS (even sold JUST as a firewall) doesn't natively have the ability to report these things back to the EPO server.  Unfortunately McAfee is horribly slow about responding to customer requests (I remember 8.5 and 8.7 betas where people were still asking for stuff that they'd asked for 3+ years earlier and McAfee turned a deaf ear to the whole thing).

But I'll pass the info along.

We may still end up looking at other products as this is quite disappointing.  It shouldn't be hard to change the product to log these things.  If it can log locally, it should be able to send these events back via the McAfee agent to the database, but if McAfee can't figure that out, then we probably don't want to use their products anymore.

0 Kudos
greatscott
Level 12

Re: HIPS 8.0 firewall logging to EPO server?

Logging all traffic captured on the firewall would be cool, but not really feasible. There is a lot of traffic and I wouldn't expect ePO to be able to handle it all. ePO has its shortcomings, but remember that it manages a lot more than just the HIPS Firewall.

0 Kudos
kjhurni
Level 9

Re: HIPS 8.0 firewall logging to EPO server?

Yes, EPO does more than that (well, it CAN) -- it just depends on the products you use.  Plus, if it's able to do it, you can filter the events (like in VSE 8.8, or was it newer versions of ePO, McAfee changed the default notifications so that it didn't report events like "scan took too long, timed out").

At least then we could say, report blocked incoming ports (vs. outgoing), etc.

0 Kudos