9 Replies Latest reply on Oct 14, 2010 6:12 AM by harris_s

    HIPS 7 on ePO 4.5 - Adaptive mode issues

      I have a rather perplexing problem:

      When the HIPs 7 extensions go into ePO 4.5, the permissions are not automatically assigned - to anyone - that includes the Global Admin Group. McAfee writes:

      "When you install the Host IPS extension it adds a section to the permission sets without applying any permissions. The global administrators must grant permissions and create new permission sets.

      With Host Intrusion Prevention, permission can be granted for each feature of the product and whether the user has read or read/write permission.

      The global administrator also needs to give permissions to handle other items that work with Host Intrusion Prevention, including queries, dashboards, and notifications. To access information on the Host IPS tab under Reporting, view permissions are needed for Event Log, Systems, and System Tree access. For example, to analyze and manage Firewall Client rules found on the Host IPS tab, a user needs permissions to view events under Event Log, to view the System Tree tab under Systems, to view sections of the System Tree under System Tree access, and to view and change settings under the Host Intrusion Prevention 7.0 Firewall feature. For more information on permission sets, see the ePolicy Orchestrator 4.0 documentation."


      This basically means I have to assign the permission sets to Global Admin - BUT - there is no means to do this (is there ??) Now I'm trying to sort out a pilot for HIPs - and am unable to harvest rules from adaptive mode let alone most of the other data due to permissions. I have created another user - and a permissions set that specifically allows that user to see all the rules created - and follows the instructions given - even that user does not see the data. Yep the property translator has been run, yep there have been full property wake up calls etc ad infinitum. Yep I've raised a call - BUT - in the meantime has anyone else seen this ?

      Agent version is 4.0.0.1444, HIPS is 7.0.0.976, User is :confused:
        • 1. RE: HIPS 7 on ePO 4.5 - Adaptive mode issues
          tonyb99
          just checked this on my 4.5 test server and logged in as the admin user it shows no permissions but it does allow me to then edit this and assign group admin full rights.

          Have you tried this and it doesn't work?

          what I mean is that global admin must have rights anyway otherwise it would not be able to assign them to group admin
          • 2. RE: HIPS 7 on ePO 4.5 - Adaptive mode issues
            Tony thanks for your mail.
            This is the perplexing bit - the manual says otherwise and yes I have assigned Group Admin rights to individuals and still received nothing back from the nodes on the LAN that are running the pilot.

            Events come back no problem - but nothing regards the Firewall in Adaptive mode. I figure I must be doing something wrong or overlooking something obvious.
            • 3. RE: HIPS 7 on ePO 4.5 - Adaptive mode issues
              SuperDAT
              did you ever use epo4.0?
              if so...
              how were you able to harvest the rules from adaptive mode then?
              it should be the same process, minus a somewhat different console navigation.
              • 4. RE: HIPS 7 on ePO 4.5 - Adaptive mode issues
                Nope - HIPs went in with the 4.5 upgrade.

                I'm basing my logic on what I did with anything from 2.5 - 3, 3.5 etc Never had any issues with HIPs - but this new pilot has me foxed.
                • 5. RE: HIPS 7 on ePO 4.5 - Adaptive mode issues
                  SuperDAT
                  you should be able to go to
                  Menu>Reporting>Host IPS

                  any IPS or Firewall rules learned via adaptive mode by a particular machine are sent to this location.

                  The process is you monitor that location, and if a rule deems good then you can choose an action to 'create exception'(IPS) or 'create firewall rule', and add it to a particular active custom HIPS/FW policy

                  at least this is how I've done it.
                  • 6. RE: HIPS 7 on ePO 4.5 - Adaptive mode issues
                    Yep - totally with you there -

                    It doesn't.

                    Events I have - plenty of them. IPC Client rules - none, and the "Create Exceptions" tab is greyed out.

                    Firewall Client Rules - None, and again create firewall rules is greyed out which is why I assumed this was a permissions issue with respect to the permissions sets - which I have set.

                    Currently I am testing both build 976 and 1021 with no joy.
                    Agent is 4.0.0.1444. ePO 4.5. :confused:
                    • 7. RE: HIPS 7 on ePO 4.5 - Adaptive mode issues
                      SuperDAT
                      well I'm able to reproduce your issue, and the only way I CAN reproduce your same symptoms is if I leave my 'filter' to 'this group only' when in the Host IPS section.

                      I hope it's not as simple as that for you, and at the same time I wish it is, if you know what I mean.

                      g'luck.
                      • 8. RE: HIPS 7 on ePO 4.5 - Adaptive mode issues
                        I've replicated your scenario before, but rechecked it nonetheless. Same situation. It's been set to this group and all subgroups, with no creation time filter either.

                        Very weird.
                        • 9. Re: HIPS 7 on ePO 4.5 - Adaptive mode issues
                          harris_s

                          Sorry to resurrect an old post, but I'm having the same issue. I have changed the permission sets so Group Admin has view and change permissions for all HIPS options. (I presume Group Admin encapsulates the 'admin' login). But I'm not getting any of the firewall events to go to ePO to then create rules. I also set up another user for myself and gave it permissions, similarly no reporting is being forwarded. Did you ever get this resolved or am I missing something? I'm currently testing HIPS on a small set of computers on our network, but struggling a lot and using this forum quite intensively to solve issues. There does seem to be a lack of documentation, specifically for implementing HIPS on ePO 4.5.

                           

                          Hope you can help.