3 Replies Latest reply on Sep 1, 2017 3:54 PM by Kary Tankink

    Client rules not clearing from EPO

    eobiont

      I am having trouble with client generated rules.

       

      When clients create HIPS firewall rules, those rules get sent up to the server on the next policy refresh and then they show up in the client policy in EPO and get added to the HIPS rules in EPO so they can be promoted to the Central firewall if appropriate.  Once added to the central HIPS firewall rules policy, we delete the rules from the client and this removes the rules from the "client policy" area for the individual machine.

       

      Normally when this happens, some backend process runs to delete the rules from the database after the rules are removed from the client.  Then when running the report for client side rules, the rules disappear - as they should.

       

      Sometimes, this doesn't happen and the rules get stuck in the client side rules in the database.  Getting the properties of the client shows no client side firewall rule, however when running a report of client rules the old/removed rules still show up.  I am unsure how to get rid of them when this happens.

       

      I can look in the SQL table HIP8_Rule and the rules are indeed listed as rules in that table.  They almost always get removed normally, but I have no idea what to do when they don't.

       

      Has anyone experienced this problem?

       

      I am not sure what process dumps the rules from the EPO database - and how to make it try again.

        • 1. Re: Client rules not clearing from EPO
          Kary Tankink

          Normally when this happens, some backend process runs to delete the rules from the database after the rules are removed from the client.  Then when running the report for client side rules, the rules disappear - as they should.

          This is done via the Host IPS 8.0 Property Translator server task.  Leave the task in a DISABLED state, but run it manually to force client rule management on the ePO server side.

           

           

           

          Also, the Host IPS 8.0 Catalog Maintenance Task server task might help here as well. See https://kc.mcafee.com/corporate/index?page=content&id=KB80102 for what this task does.

           

          From the attached script, this task does:

          1. Deletes all dynamically learned IPS and Firewall rules or rules added manually on the client

          2. Deletes all the Executables, Applications and NamedNetworks, Locations and their associations with "Dynamic Rules" which are not used in any policy or catalog item that are left due to:

          a. deletion of dynamic rules on End points

          b. step (1) above

          • 2. Re: Client rules not clearing from EPO
            eobiont

            Thanks for the response.  I noticed the Catalog maintenance task, but wasn't sure what it did.  That sounds like something I would want to run periodically -- I have a TON of executables in the database that have been set up by out of control use of client side rules.  We have that clamped down now, but I was not sure how to clean up the garbage.

             

            I will kick those off next week --  Not something to try on a Friday afternoon before a three day weekend!

             

            Thanks for your suggestions and the link to the description of that task.

            • 3. Re: Client rules not clearing from EPO
              Kary Tankink

              Also, forgot to mention, the Host IPS 8.0 Property Translator server task already runs automatically every 15min inside the ePO Tomcat service, however, you can run it manually to force client rules changes to be immediate (and sometimes if the automatic one doesn't seem to be working; try it once at least).