cancel
Showing results for 
Search instead for 
Did you mean: 

Re: Bug in Correlation Engine with variables ???

Jump to solution
I have removed the bottom filter. I have now only the top one. The host "DC10DNSEff11" is in the watchlist "PS_DNS-EffIP_hosts".
Reliable Contributor brenta
Reliable Contributor
Report Inappropriate Content
Message 12 of 17

Re: Bug in Correlation Engine with variables ???

Jump to solution

Can you verify the HOME_NET variable is not overridden inside the policy tree, and set to inherit your values down to the correlation engine?

Brent

Re: Bug in Correlation Engine with variables ???

Jump to solution

How can I verify that the HOME_NET variable is not overridden? It was not set to inherit.

inherit.PNG

McAfee Employee lpinheir
McAfee Employee
Report Inappropriate Content
Message 14 of 17

Re: Bug in Correlation Engine with variables ???

Jump to solution

If you already have configurated your Local Network setting, so I recommend you to use the context instead of the variables as EXTERNAL OR INTERNAL_NET.

Examples of Context:
Context (In) [Internal to Internal]
Context (In) [Internal to External]
Context (In) [External to Internal]
Context (In) [External to External]

Answering your second question related to inherit, I believe that you are seeing the rule at Correlation Engine Level. If you want to change the overall setting, you should change this value at the root policy. (Local ESM/Physical Display)

But as I said, try to work with context instead, this setting will respect your Local Network setting.

Lucas

Re: Bug in Correlation Engine with variables ???

Jump to solution
I configured the local network under ESM Management, local network. When I configure the HOME_NET variable and select Inherit, it is overwritten by the inherited value and goes to "any". How can I change that?
McAfee Employee lpinheir
McAfee Employee
Report Inappropriate Content
Message 16 of 17

Re: Bug in Correlation Engine with variables ???

Jump to solution
If you already have configurated your Local Network setting, so I recommend you to use the context instead of the variables as EXTERNAL OR INTERNAL_NET.

Examples of Context:
Context (In) [Internal to Internal]
Context (In) [Internal to External]
Context (In) [External to Internal]
Context (In) [External to External]

Answering your second question related to inherit, I believe that you are seeing the rule at Correlation Engine Level. If you want to change the overall setting, you should change this value at the root policy. (Local ESM/Physical Display)

But as I said, try to work with context instead, this setting will respect your Local Network setting.

Lucas

View solution in original post

McAfee Employee lpinheir
McAfee Employee
Report Inappropriate Content
Message 17 of 17

Re: Bug in Correlation Engine with variables ???

Jump to solution

Just in case, have you configurated the Local Network Settings?

You can configure "home net" in 2 places, that is the variable in the policy editor and the Homenet called Local Network that is a "setting".

Any IP addresses into Local Networks is considered "internal".   This is used for many correlation rules context. 

To configure Local Network:

  • Open the System Properties
  • Select Network Settings and click Local Network -> Setup
  • Enter the IP ranges that define your internal network.  Local Network is defined as a comma-separated list of IP addresses and/or IP ranges.  Click OK to save.

Lucas

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community