I have HIPS 7.0 patch 2. I am having a problem with HIPS blocking allowed traffic. For example, I put the firewall in adaptive mode, I run up Outlook and do a send/receive, which works, and I can see the allow rules created for Outlook (says learned for pop3-110). If I leave the firewall in adaptive mode and hit more send/receives it completes without error. As soon as I turn off adaptive mode, Outlook send/receive is blocked and it appears in the log as being blocked.
Am I missing something here? Doesn't the adaptive mode basically create an allow rule for whatever happens while it is on, and when it is turned off it maintains the rules it created and blocks anything not specifically allowed?
Firewall Adaptive or Learn mode is an "aid" to firewall rule tuning. In some cases, adaptive mode may not correctly learn the traffic.
There have been some changes around this area in HIP 7.0 patch 4, which was just released 3/11/09 and is now available on the McAfee download site with your valid grant#.
I would suggest retesting this with patch 4 applied. If there is still a problem, obtain 2 network traces (1 with fw off & 1 with fw on). Compare the 2 sniffs to determine what traffic is missing. Manually add a rule for the traffic to your policy and retest.
If you determine there is a bug or you still have an issue, open a ticket with McAfee support.
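The two-trace comparison the answer recommends, written out as an added example (this is not code from the original thread and not a McAfee tool). It assumes both captures were saved as `tcpdump -n` style summary lines, groups packets into client/server flows using the lower port as the service side, and reports flows that got a server reply with the firewall off but none with it on. The sample lines, hosts and the port-25 flow are constructed for illustration; the only thing taken from the thread is the learned pop3-110 flow.

```python
"""Compare a firewall-off and a firewall-on capture to find dropped flows.

Added example: the thread's answer says to take one trace with the firewall
off and one with it on and compare them to see what traffic is missing.
This does that comparison on tcpdump -n style summary lines.
"""
import re
from collections import Counter

# Matches "IP <src>.<sport> > <dst>.<dport>:" from a tcpdump -n summary line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def flow_key(line):
    """Reduce one summary line to ((client, server, port), direction).

    Heuristic (assumption): the side with the lower port number is the
    service, so a request and its reply map to the same key. Returns None
    for lines that are not IPv4 TCP/UDP summaries.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport = m.group("src"), int(m.group("sport"))
    dst, dport = m.group("dst"), int(m.group("dport"))
    if sport < dport:
        return (dst, src, sport), "reply"
    return (src, dst, dport), "request"


def summarize(lines):
    """Map each flow key to a Counter of request/reply packets."""
    summary = {}
    for line in lines:
        parsed = flow_key(line)
        if parsed is None:
            continue
        key, direction = parsed
        summary.setdefault(key, Counter())[direction] += 1
    return summary


def blocked_flows(fw_off_lines, fw_on_lines):
    """Flows answered with the firewall off but unanswered (or absent) with it on.

    A blocked outbound session often still shows the client's SYN retries in a
    host-side capture, so "present but never answered" counts as blocked too.
    """
    off, on = summarize(fw_off_lines), summarize(fw_on_lines)
    result = []
    for key, counts in sorted(off.items()):
        if counts["reply"] == 0:
            continue  # unanswered even without the firewall; not a firewall issue
        if key not in on or on[key]["reply"] == 0:
            result.append(key)
    return result


def suggest_rule(flow):
    """Human-readable description of the allow rule to add by hand."""
    client, server, port = flow
    return f"allow outbound from {client} to {server} port {port}"


# Constructed sample captures (not real traffic): 192.0.2.10 is the client,
# 198.51.100.5 the mail server. The port-25 flow is hypothetical.
FW_OFF = [
    "10:00:01.000 IP 192.0.2.10.51001 > 198.51.100.5.110: Flags [S], seq 1",
    "10:00:01.010 IP 198.51.100.5.110 > 192.0.2.10.51001: Flags [S.], seq 2",
    "10:00:01.011 IP 192.0.2.10.51001 > 198.51.100.5.110: Flags [.], ack 3",
    "10:00:02.000 IP 192.0.2.10.51002 > 198.51.100.5.25: Flags [S], seq 9",
    "10:00:02.010 IP 198.51.100.5.25 > 192.0.2.10.51002: Flags [S.], seq 10",
    "10:00:02.011 IP 192.0.2.10.51002 > 198.51.100.5.25: Flags [.], ack 11",
]
FW_ON = [
    "10:05:01.000 IP 192.0.2.10.51003 > 198.51.100.5.110: Flags [S], seq 1",
    "10:05:01.010 IP 198.51.100.5.110 > 192.0.2.10.51003: Flags [S.], seq 2",
    "10:05:01.011 IP 192.0.2.10.51003 > 198.51.100.5.110: Flags [.], ack 3",
    "10:05:02.000 IP 192.0.2.10.51004 > 198.51.100.5.25: Flags [S], seq 9",
    "10:05:03.000 IP 192.0.2.10.51004 > 198.51.100.5.25: Flags [S], seq 9",
    "10:05:04.000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10",
]

if __name__ == "__main__":
    for flow in blocked_flows(FW_OFF, FW_ON):
        print("missing with firewall on:", flow, "->", suggest_rule(flow))
```

Run it against your own two captures by replacing `FW_OFF` and `FW_ON` with the lines of each trace; every flow it prints is a candidate for the manual rule the answer describes, and the protocol for that rule is read from the trace line itself.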