Although I agree disabling learn/adaptive in your production ruleset is recommended, we should not have to resort to using 3rd party tools such as Wireshark or netmon. These learn modes are specifically for this purpose - to learn and create rules properly, allowing granularity with signer signatures if needed.
In my environment I normally have learn disabled, however, for a select few tech users, I enable it for the purpose of picking up rules that need to be added to the prod policy. This is not possible with P2 as I simply cannot run it in this mode.
We have the same problem, after upgrading to Patch 2. Why release a patch 2 that makes everything worse?
We have to use adaptive mode, because of a Juniper client installer that updates the laptops automatically. This is so irresponsible, a shame our enterprise uses these crappy products. (and btw: the tray icon also takes miiinutes to appear...)
edit: the firesvc process takes 1 whole CPU core, if you have a dual or quad-core computer.
Message was edited by: phreeze on 2/28/13 7:14:51 AM CST
A week ago we got a well-working hotfix for this patch. It finally only took half a year to develop a not-that-buggy POC-version of it, though.
Anyway, as it has been released (see https://kc.mcafee.com/corporate/index?page=content&id=KB74505), you would need to raise a service request to McAfee Support and ask for the hotfix.
Have you seen this KB article? https://kc.mcafee.com/corporate/index?page=content&id=KB71230 I plan to test it in my environment and see what happens.
The McAfee default HIPS firewall policy is nothing like my current policy, think it's because my current policy is an upgrade from 7 rather than starting new.
Glad to hear it's not just me having fun with Juniper...
I've seen it, but I haven't got this problem.
My firesvc log doesn't contain any blocked connection. I didn't configure any blocks beside the standard rules too.
I entered a ticket for that POC.... don't seem very keen to give it to me without a MER and print screen of one of the errors.
Going to do some testing with that loopback rule and see if that improves VPN connectivity and performance for the systems that were facing it.
Yes, they always want a MER report, which often says nothing...
I had a problem with a Kingston encrypted drive and an HP laptop which had a BitLocker encrypted C: partition, and only that C: partition. With the HIP firewall on, the Kingston stick wasn't detected anymore after replugging it (only after a dirty remove of the USB stick it was redetected. By using shutdown the Kingston tool, the drive wasn't detected anymore because Windows couldn't load/unload the driver...)
I've opened a ticket too, I hope they don't want a MER report, because I have to add policies in EPO again, which is a pain...
Yeah my response was that all of their KB articles mention to try this hotfix roll up, but they would rather I apply policies to a machine to break it just to run an MER.... how is that a good use of anyone's time!
Just to note: we got the patch and it solved the Firewall CPU problem. I wonder why we have to ask support and why they do not release it as is...
Does someone know when the hotfix mentioned in this post (Host Intrusion Prevention 8.0.0 Patch 2 Hotfix Rollup 803520) will be public and seen in the EPO software manager module?