3 Replies Latest reply on Jan 3, 2011 4:45 AM by mherrera

    Firewall blocking events sent back to ePO ?

      According to KB65559 (https://kc.mcafee.com/corporate/index?page=content&id=KB65559)  Firewall blocking events can't be seen in the ePO console ?


      Do you know any way possible to get them ?




        • 1. Re: Firewall blocking events sent back to ePO ?



          I am aware of the fact that the blocked events can be viewed on the client side under the activity log, but is there no way to get all the events on the EPO to correlate all the events from the endpoints. Please assist. We are using EPO 4.5



          • 2. Re: Firewall blocking events sent back to ePO ?

            This won't be a satisfying answer but you really don't want them. It is quite common for firewalls to block more traffic than they allow. This isn't bad per se, just that the firewall is ignoring unneeded traffic. The reason Host IPS doesn't communicate up the logs is a volume issue --- You could possibly be generating an event for every single firewall rule match. And that would really be a disaster for your SQL admin.


            However, I think it is an excellent FMR to ask for the ability to pull these logs remotely for inspection from time to time. We just don't want to auto-collect these. That would really be bad.

            • 3. Re: Firewall blocking events sent back to ePO ?

              The version 8.0 of HIPS can collect events blocked by Firewall?

              Although it is not so automatic, it would be nice to have this feature on demand.