2 Replies Latest reply on Sep 17, 2010 10:10 AM by Kary Tankink

    How to move rule from FirewallRuleList into a policy

      I am having problems understanding how to get rules learnt in adaptive mode into a policy - is there a simple explanation? I have set up a pilot of three workstations, all set in adaptive mode - I can see the learnt rules in the client and following that process. How do I then find the rules learnt from the client on the ePO server - well, I can see the listing of the rules on the ePO box as FirewallRuleList 1 etc. This is where I get lost: what is the process to bring these rules into, say, a new policy to apply to all machines, to be used as my future baseline?

      Many thanks for assistance     

        • 1. Re: How to move rule from FirewallRuleList into a policy

          OK, I may have just answered my own question. I needed the translator task, found it in the forum - I may have missed it in the documentation and will reread, but sure I never saw translator task mentioned.

           

           

          Message was edited by: jezzaf on 17/09/10 05:09:24 CDT
          • 2. Re: How to move rule from FirewallRuleList into a policy
            Kary Tankink

            1. Client rules created locally on the client (manually or via adaptive/learn mode).

            2. McAfee Agent sends those rules to ePO server via ASCI (full property collection must be enabled in McAfee Agent policy; not minimal property collection).

            3. Client node properties in ePO console show FirewallRuleList{#} and ProcessList{#} entries for client-side rules.

            4. Host IPS Property Translator task runs (automatically inside the ePO database every 15 minutes). ePO server Property Translator task is used if you wish to run the task immediately and not wait 15 minutes.

            5. Firewall and App Blocking Client Rules section (in the ePO Reporting, Host IPS section of the menu) is populated with local client-side rules.

            6. Client Rules can then be added to your policy, as desired.

             

            To clear the Client Rules list of rules, you must wipe the node property client-side rules, by disabling the "Retain existing client rules when this policy is enforced" option.

             

            Basically:

            1. Learn rules with "Retain client rules" enabled

            2. Send to ePO server.

            3. Add rules to policy.

            4. Wipe client-side rules with "Retain client rules" disabled

            5. Go to Step #1.

             

            This is the process that is listed in the Host IPS Best Practices guide in PD20796 for tuning the Host IPS product.

             

             

            Corrected PD article on 9/17/10 10:10:21 AM CDT