I am aware of the fact that the blocked events can be viewed on the client side under the activity log, but is there no way to get all the events on the EPO to correlate all the events from the endpoints. Please assist. We are using EPO 4.5
This won't be a satisfying answer but you really don't want them. It is quite common for firewalls to block more traffic than they allow. This isn't bad per se, just that the firewall is ignoring unneeded traffic. The reason Host IPS doesn't communicate up the logs is a volume issue --- You could possibly be generating an event for every single firewall rule match. And that would really be a disaster for your SQL admin.
However, I think it is an excellent FMR to ask for the ability to pull these logs remotely for inspection from time to time. We just don't want to auto-collect these. That would really be bad.
The version 8.0 of HIPS can collect events blocked by Firewall?
Although it is not so automatic, it would be nice to have this feature on demand.
The Firewall rule which you need to monitor for a specific or multiple system.
Just Duplicate the assigned IPS rule give it a new name & type the IPS Signature 3702 and make sure its severity is set to high.
Go back to Firewall policy assigned to machine or group of the machine and check the box "Treat matched traffic as Intrusion" Save the firewall rule and assign to machine where you want to monitor Firewall logs from ePO.
Send a wake up agent and you will be able to see the firewall logs on ePO console.
**Note: This is not recommended because that can fill the DB by Firewall logs USE this only for troubleshooting purpose & that will cut the dependency of collect activity log from the machine**