casscoss
Level 7

Report against Firewall rule that is set to LOG

I have several rules where logging is enabled. I would like to know if it is possible to report or run a query against the logged events.

For example I have a timed rule that opens access to the end user. The purpose is to allow sufficient time for the user to establish a VPN connection. However I am sure some users will still keep re-activating the allow time based rule so that they can surf and whatever else.

I would like to be able to report against the rule, to see how many times users have activated it. Or even better, notify if the rule was activated greater than “X” amount of times within a certain time window.

Thanks in advance

2 Replies
allamiro
Level 9

Re: Report against Firewall rule that is set to LOG

First you need to post what ePO version you are using. I'm using 45, so I will give instructions based on that.

I'm thinking it might be possible to create a custom query to obtain your firewall logs for specific users and computers that are assigned to that policy. I'm testing it now and I will let you know.

McAfee Employee

Re: Report against Firewall rule that is set to LOG

casscoss wrote:

I have several rules where logging is enabled. I would like to know if it is possible to report or run a query against the logged events.

For example I have a timed rule that opens access to the end user. The purpose is to allow sufficient time for the user to establish a VPN connection. However I am sure some users will still keep re-activating the allow time based rule so that they can surf and whatever else.

I would like to be able to report against the rule, to see how many times users have activated it. Or even better, notify if the rule was activated greater than “X” amount of times within a certain time window.

Thanks in advance

There is no Host IPS/ePO functionality to perform this. Firewall activity (Blocked/Allowed/Timed Group) does not create ePO events. Firewall Intrusion events (Network IPS Signature 3702) are the only Firewall-related ePO events that are sent from clients.
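The per-user activation count and "more than X times in a window" alert the original poster asks for, as an added example that is not from this thread or from McAfee: since Host IPS firewall activity does not reach ePO, this assumes you have collected the client-side firewall activity log by some other means (log forwarding, a script that ships the file, etc.). The line layout, user names, action keyword and rule name below are constructed for the example, not the real Host IPS log format; adjust LINE_RE to match your source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp user action "rule"" layout.
# Not the real Host IPS FirewallActivityLog format; adapt LINE_RE to your own source.
SAMPLE_LOG = """\
2010-03-01 08:00:05 alice TIMED_GROUP_ENABLED "VPN Bootstrap"
2010-03-01 08:31:10 alice TIMED_GROUP_ENABLED "VPN Bootstrap"
2010-03-01 08:45:20 bob   TIMED_GROUP_ENABLED "VPN Bootstrap"
2010-03-01 08:58:00 alice TIMED_GROUP_ENABLED "VPN Bootstrap"
2010-03-01 09:10:33 alice TIMED_GROUP_ENABLED "VPN Bootstrap"
2010-03-01 12:00:00 bob   TIMED_GROUP_ENABLED "VPN Bootstrap"
2010-03-01 12:05:00 alice TIMED_GROUP_ENABLED "Other Rule"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<user>\S+)\s+'
    r'(?P<action>\S+)\s+"(?P<rule>[^"]+)"$'
)
ACTIVATE = "TIMED_GROUP_ENABLED"  # hypothetical keyword for "user enabled the timed group"

def parse(lines):
    """Yield (timestamp, user, action, rule) for every line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["user"], m["action"], m["rule"])

def activation_counts(lines, rule):
    """The simple report: how many times each user enabled the named timed rule."""
    counts = defaultdict(int)
    for _, user, action, r in parse(lines):
        if action == ACTIVATE and r == rule:
            counts[user] += 1
    return dict(counts)

def excessive_activations(lines, rule, threshold, window_minutes):
    """Sliding-window check: one (user, time) alert for every activation at which the
    user's count of activations of `rule` in the trailing window exceeds `threshold`."""
    window = timedelta(minutes=window_minutes)
    recent, alerts = defaultdict(deque), []
    events = sorted(e for e in parse(lines) if e[2] == ACTIVATE and e[3] == rule)
    for ts, user, _, _ in events:
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop activations older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((user, ts.strftime("%Y-%m-%d %H:%M:%S")))
    return alerts

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(activation_counts(lines, "VPN Bootstrap"))
    print(excessive_activations(lines, "VPN Bootstrap", threshold=2, window_minutes=60))
```

With the constructed data, alice trips the "more than 2 in 60 minutes" check twice (at 08:58:00 and again at 09:10:33) while bob never does; the same functions work unchanged on a file read with open() once LINE_RE fits your log.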