Former Member
Message 1 of 3

Log HIPS Firewall Connections and Query

Scenario: I wish to monitor for traffic to a specific IP range outside our internet network. I wish to be able to query if someone did try to connect and show the IP of that remote network.

I set the subnets to monitor at the top of my HIPS 8 firewall policy. I accessed a web site on that network but no events were shown in my HIPS Event Log. I suspect because we're using a proxy the traffic isn't actually being seen by HIPS on the local machine.

Any ideas how I can get this to work?

Thanks

Ken

1 Solution

Accepted Solutions
ktankink
McAfee Employee
Message 2 of 3

Re: Log HIPS Firewall Connections and Query

If you have LOG ALL ALLOWED enabled in the HIPS Activity Log menu, then you should see the traffic going out from the system. However, like you said, if a browser is proxying, then the Activity Log is going to see traffic going from the client to the proxy server (not to the destination network you're monitoring).

For non-proxy traffic, you should see it going to/from the monitored networks.

FYI, just in case you aren't aware, HIPS does not generate ePO events for firewall traffic. If you mark a Firewall rule as MARK AS INTRUSION, this will trigger Network IPS Signature 3702 (if you have NIPS enabled).

Former Member
Message 3 of 3

Re: Log HIPS Firewall Connections and Query

Ok, your answer highlighted what's happening.

- When allowing and logging traffic via a firewall rule, it logs LOCALLY only in the machine HIPS activity log. No ePO event is generated.

- When blocking and treating as intrusion, an ePO event IS generated.
