I just need a confirmation that in ePO is not possible to see any HIPS Firewall activities.
My customer would like to see only blocks activities in the Threat Events but as far as I know, this is not possible.
Can you please confirm?
Thanks a lot
It is possible to configure the HIPS FW to send events back to ePO but it's on a rule by rule basis. I would never recommend that all rules be configured to send events back to ePO unless you want to see fireworks.
It is not possible to get HIPS Firewall events to ePO.
When you mark a Firewall as "Treat as Intrusion", you're actually triggering a Network IPS Signature 3702 event violation (and if the IPS Option "Automatically block network intruders for X minutes" is enabled, can block the offending IP address). This requires this signature and Network IPS to be enabled. An intrusion event and Firewall activity event (in the HIPS ClientUI Activity log) are similar, but they do not contain all the same information. This also only works for BLOCKED FW rules too; there is no way to log ALLOW events in the Firewall. If you're trying to gather Firewall activity log events (BLOCK and/or ALLOW) to the ePO server, it is not possible in Host IPS 7 or 8.