
HIPS Firewall Events in ePO

Hello All,

I just need a confirmation that in ePO it is not possible to see any HIPS Firewall activities.

My customer would like to see only block activities in the Threat Events but, as far as I know, this is not possible.

Can you please confirm?

Thanks a lot

Matteo

2 Replies

Re: HIPS Firewall Events in ePO

It is possible to configure the HIPS FW to send events back to ePO, but it's on a rule-by-rule basis. I would never recommend that all rules be configured to send events back to ePO unless you want to see fireworks.

McAfee Employee

Re: HIPS Firewall Events in ePO

It is not possible to get HIPS Firewall events to ePO. 

When you mark a Firewall as "Treat as Intrusion", you're actually triggering a Network IPS Signature 3702 event violation (and if the IPS Option "Automatically block network intruders for X minutes" is enabled, can block the offending IP address). This requires this signature and Network IPS to be enabled. An intrusion event and Firewall activity event (in the HIPS ClientUI Activity log) are similar, but they do not contain all the same information. This also only works for BLOCKED FW rules; there is no way to log ALLOW events in the Firewall. If you're trying to gather Firewall activity log events (BLOCK and/or ALLOW) to the ePO server, it is not possible in Host IPS 7 or 8.