I have already finished building the policy for the HIPS FW.
Now I have a problem: I have an application that cannot work because the HIPS FW blocks it, but there is a rule in the policy (on the ePO and on the client) that permits its action, and in the activity log I can see it is blocked.
If I enter the HIPS console locally and add a learning mode (Outgoing & Incoming) to the FW, the application works properly and I don't get any popup questions from the learning mode asking whether I want to allow the action or not.
Has anyone encountered such a problem?
Not 100% sure what the issue actually is.
But when creating your own policy you need to make sure that any allow rules for this application/port are above Deny rules.
Rules are read top to bottom, and the first rule that matches is the rule applied.
Ok but do you have an allow rule?
If the traffic cannot be matched against an existing rule, it is automatically blocked "unless the firewall is operating in learn mode or adaptive mode".
Message was edited by: IanH on 14/12/10 11:55:34 GMT
I have an allow rule; that's why in learning mode I don't get any pop-up request (whether to allow or not).
In learning mode the HIPS recognizes that there is an existing rule, but in "On mode" the HIPS doesn't recognize it.
Message was edited by: shay4a on 12/14/10 3:19:27 PM GMT+02:00
Ok, it might be worth uploading a screenshot of your rule, because this sounds like it should just work.
I have never had a problem like this because as long as a rule exists that matches the criteria you will get the correct results.
When you create your rule, make sure the protocol, direction and ports are set correctly. Sometimes people accidentally click on the radio button for "Match by fingerprint" and put in no fingerprint, and this will cause the rule to not work.
Try to pay attention to this section. You can use path then fingerprint or path only.
Take a screenshot of the allow rule, and another screenshot of all your firewall rules. Then we can help you better.
Hi, yes, a screenie could give more insight. However, when it works in learn mode then there should be a rule created from the local client which makes it work. When reporting the learned rule in ePO it could be added to an existing ruleset and modified/renamed.