
Re: Bug in Correlation Engine with variables ???

I have removed the bottom filter. I have now only the top one. The host "DC10DNSEff11" is in the watchlist "PS_DNS-EffIP_hosts".
Reliable Contributor brenta
Message 12 of 17

Re: Bug in Correlation Engine with variables ???


Can you verify the HOME_NET variable is not overridden inside the policy tree, and set to inherit your values down to the correlation engine?

Brent

Re: Bug in Correlation Engine with variables ???


How can I verify that the HOME_NET variable is not overridden? It was not set to inherit.


McAfee Employee lpinheir
Message 14 of 17

Re: Bug in Correlation Engine with variables ???


If you have already configured your Local Network setting, I recommend that you use the context instead of variables such as EXTERNAL or INTERNAL_NET.

Examples of Context:
Context (In) [Internal to Internal]
Context (In) [Internal to External]
Context (In) [External to Internal]
Context (In) [External to External]

Answering your second question related to inherit, I believe that you are seeing the rule at Correlation Engine Level. If you want to change the overall setting, you should change this value at the root policy. (Local ESM/Physical Display)

But as I said, try to work with context instead; this setting will respect your Local Network setting.

Lucas

Re: Bug in Correlation Engine with variables ???

I configured the local network under ESM Management, local network. When I configure the HOME_NET variable and select Inherit, it is overwritten by the inherited value and goes to "any". How can I change that?
McAfee Employee lpinheir
Message 16 of 17

Re: Bug in Correlation Engine with variables ???

If you have already configured your Local Network setting, I recommend that you use the context instead of variables such as EXTERNAL or INTERNAL_NET.

Examples of Context:
Context (In) [Internal to Internal]
Context (In) [Internal to External]
Context (In) [External to Internal]
Context (In) [External to External]

Answering your second question related to inherit, I believe that you are seeing the rule at Correlation Engine Level. If you want to change the overall setting, you should change this value at the root policy. (Local ESM/Physical Display)

But as I said, try to work with context instead; this setting will respect your Local Network setting.

Lucas
McAfee Employee lpinheir
Message 17 of 17

Re: Bug in Correlation Engine with variables ???


Just in case, have you configured the Local Network Settings?

You can configure "home net" in 2 places: the variable in the policy editor, and the home net called Local Network, which is a "setting".

Any IP address in Local Network is considered "internal". This is used for the context of many correlation rules.

To configure Local Network:

  • Open the System Properties
  • Select Network Settings and click Local Network -> Setup
  • Enter the IP ranges that define your internal network. Local Network is defined as a comma-separated list of IP addresses and/or IP ranges. Click OK to save.

Lucas
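
An illustration of how a Local Network list decides which of the four contexts listed earlier in the thread an event falls into. This is an added example, not McAfee ESM code and not from any poster; the accepted entry forms (single IP, CIDR block, start-end range), the function names and the sample addresses are assumptions.

```python
import ipaddress

def parse_local_network(spec):
    """Parse a comma-separated list of IPs, CIDR blocks or 'start-end' ranges.
    The accepted entry forms are an assumption, not ESM's documented grammar."""
    networks = []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        if "-" in item:
            start, end = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            if start.version != end.version or start > end:
                raise ValueError(f"bad range: {item}")
            # Expand the range into the minimal set of covering networks.
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # A bare address becomes a single-host network (/32 or /128).
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks

def is_internal(ip, networks):
    """True if the address falls inside any Local Network entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)

def context(src, dst, networks):
    """Return the direction label in the form used in the thread."""
    def side(ip):
        return "Internal" if is_internal(ip, networks) else "External"
    return f"{side(src)} to {side(dst)}"

# Constructed sample data (not taken from the thread).
LOCAL_NETWORK = "10.0.0.0/8, 192.168.1.10-192.168.1.20, 172.16.5.4"
EVENTS = [
    ("10.1.2.3", "10.9.9.9"),
    ("192.168.1.20", "8.8.8.8"),
    ("192.168.1.21", "172.16.5.4"),   # .21 is just outside the range
    ("203.0.113.5", "198.51.100.7"),
]

if __name__ == "__main__":
    nets = parse_local_network(LOCAL_NETWORK)
    for src, dst in EVENTS:
        print(f"{src} -> {dst}: Context (In) [{context(src, dst, nets)}]")
```

With an empty list every address is classified as external, so a host expected to match an internal context is worth checking against the configured ranges first.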
