kenobe
Level 10

Log HIPS Firewall Connections and Query


Scenario: I wish to monitor for traffic to a specific IP range outside our internal network.  I wish to be able to query if someone did try to connect and show the IP of that remote network. 

I set the subnets to monitor at the top of my HIPS 8 firewall policy.  I accessed a web site on that network but no events were shown in my HIPS Event Log.  I suspect because we're using a proxy the traffic isn't actually being seen by HIPS on the local machine.

Any ideas how I can get this to work?

Thanks

Ken

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Log HIPS Firewall Connections and Query


If you have LOG ALL ALLOWED enabled in the HIPS Activity Log menu, then you should see the traffic going out from the system, however, like you said, if a browser is proxying, then the Activity Log is going to see traffic going from the client to the proxy server (not to the destination network you're monitoring).

For non-proxy traffic, you should see it going to/from the monitored networks.

FYI, just in case you aren't aware, HIPS does not generate ePO events for firewall traffic.  If you mark a Firewall rule as MARK AS INTRUSION, this will trigger Network IPS Signature 3702 (if you have NIPS enabled).

0 Kudos
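To make the proxy effect described in the accepted solution concrete, here is an added example (not code from the original thread or from McAfee) that checks connection records against a monitored range. The HIPS Activity Log line format, the proxy access-log format, the monitored range 203.0.113.0/24, the proxy address 10.0.0.5 and all log lines are constructed for the example; HIPS 8's real log format may differ. It shows why a browser session through the proxy never produces a hit in the local Activity Log (the destination is the proxy), while the proxy's own CONNECT records still reveal the true destination, and a direct (non-proxied) connection is visible in the HIPS log as expected.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample data. The line formats below are assumptions made for this
# example, not the actual HIPS 8 Activity Log or any particular proxy's format.
MONITORED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # range to watch (assumed)
PROXY_ADDR = ipaddress.ip_address("10.0.0.5")              # corporate proxy (assumed)

HIPS_ACTIVITY_LOG = """\
2024-01-10 09:12:01 ALLOW TCP 10.0.0.23:51234 -> 10.0.0.5:8080 iexplore.exe
2024-01-10 09:12:04 ALLOW TCP 10.0.0.23:51240 -> 10.0.0.5:8080 iexplore.exe
2024-01-10 09:13:10 ALLOW TCP 10.0.0.23:51301 -> 203.0.113.44:22 putty.exe
2024-01-10 09:14:00 ALLOW UDP 10.0.0.23:53411 -> 10.0.0.2:53 svchost.exe
""".splitlines()

PROXY_ACCESS_LOG = """\
2024-01-10T09:12:01Z 10.0.0.23 CONNECT 203.0.113.10:443 200
2024-01-10T09:12:04Z 10.0.0.23 GET http://www.example.com/ 200
2024-01-10T09:15:30Z 10.0.0.31 CONNECT 198.51.100.7:443 200
""".splitlines()

HIPS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proc>\S+)$"
)
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>[\d.]+) (?P<method>\w+) (?P<target>\S+) (?P<status>\d+)$"
)


def in_monitored(addr, nets=MONITORED_NETS):
    """True if the literal IP address string falls inside any monitored network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def hips_hits(lines, nets=MONITORED_NETS, proxy=PROXY_ADDR):
    """Scan host-side (HIPS-style) connection records.

    Returns (hits, proxied): hits are connections whose destination is inside a
    monitored range; proxied counts connections that went to the proxy, whose
    real destination the host firewall cannot see.
    """
    hits, proxied = [], 0
    for line in lines:
        m = HIPS_RE.match(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst == proxy:
            proxied += 1  # browser -> proxy only; the monitored range never appears here
        elif in_monitored(m["dst"], nets):
            hits.append((m["src"], m["dst"], int(m["dport"]), m["proc"]))
    return hits, proxied


def proxy_hits(lines, nets=MONITORED_NETS):
    """Scan proxy access records for the true destination of proxied traffic."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        if m["method"] == "CONNECT":
            host = m["target"].rsplit(":", 1)[0]  # CONNECT host:port
        else:
            host = urlparse(m["target"]).hostname
        try:
            if host and in_monitored(host, nets):
                hits.append((m["client"], host, m["method"]))
        except ValueError:
            pass  # hostname rather than a literal IP; needs resolution before range matching
    return hits


if __name__ == "__main__":
    direct, via_proxy = hips_hits(HIPS_ACTIVITY_LOG)
    print("HIPS log: direct hits on monitored range:", direct)
    print("HIPS log: connections to proxy (destination unknown):", via_proxy)
    print("Proxy log: hits on monitored range:", proxy_hits(PROXY_ACCESS_LOG))
```

Run as a script to see the asymmetry: the SSH session to 203.0.113.44 shows up in the host log, the two browser connections show up only as traffic to 10.0.0.5:8080, and the proxy log is where 203.0.113.10 becomes visible. Requests that carry a hostname rather than a literal IP are skipped here; correlating those with a monitored range needs DNS resolution, which the example deliberately leaves out.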
2 Replies
kenobe
Level 10

Re: Log HIPS Firewall Connections and Query


Ok, your answer highlighted what's happening.

- When allowing and logging traffic via a firewall rule, it logs LOCALLY only in the machine HIPS activity log.  No ePO event is generated.

- When blocking and treating as intrusion, an ePO event IS generated.

0 Kudos