4 Replies Latest reply on Aug 22, 2017 2:59 PM by maxsteel12

    Firewall blocking events sent back to ePO ?

      According to KB65559 (https://kc.mcafee.com/corporate/index?page=content&id=KB65559)  Firewall blocking events can't be seen in the ePO console ?

       

      Do you know any way possible to get them ?

       

      Thanx

      Thibo

        • 1. Re: Firewall blocking events sent back to ePO ?
          johannh

          Hi,

           

          I am aware of the fact that the blocked events can be viewed on the client side under the activity log, but is there no way to get all the events on the EPO to correlate all the events from the endpoints. Please assist. We are using EPO 4.5

           

          Regards

          • 2. Re: Firewall blocking events sent back to ePO ?
            petersimmons

            This won't be a satisfying answer but you really don't want them. It is quite common for firewalls to block more traffic than they allow. This isn't bad per se, just that the firewall is ignoring unneeded traffic. The reason Host IPS doesn't communicate up the logs is a volume issue --- You could possibly be generating an event for every single firewall rule match. And that would really be a disaster for your SQL admin.

             

            However, I think it is an excellent FMR to ask for the ability to pull these logs remotely for inspection from time to time. We just don't want to auto-collect these. That would really be bad.

            • 3. Re: Firewall blocking events sent back to ePO ?

              The version 8.0 of HIPS can collect events blocked by Firewall?

              Although it is not so automatic, it would be nice to have this feature on demand.

              • 4. Re: Firewall blocking events sent back to ePO ?
                maxsteel12

                The Firewall rule which you need to monitor for a specific or multiple system.

                Just Duplicate the assigned IPS rule give it a new name & type the IPS Signature 3702 and make sure its severity is set to high.

                 

                Go back to Firewall policy assigned to machine or group of the machine and check the box "Treat matched traffic as Intrusion" Save the firewall rule and assign to machine where you want to monitor Firewall logs from ePO.

                 

                Send a wake up agent and you will be able to see the firewall logs on ePO console.

                 

                **Note: This is not recommended because that can fill the DB by Firewall logs USE this only for troubleshooting purpose & that will cut the dependency of collect activity log from the machine**