2 Replies Latest reply on Apr 14, 2011 10:37 AM by Kary Tankink

    Report against Firewall rule that is set to LOG

    casscoss

      I have several rules where logging is enabled. I would like to know if it is possible to report or run a query against the logged events.

       

      For example I have a timed rule that opens access to the end user. The purpose is to allow sufficient time for the user to establish a VPN connection. However I am sure some users will still keep re-activating the allow time based rule so that they can surf and whatever else.

       

      I would like to be able to report against the rule, to see how many times users have activated it. Or even better notify if the rule was activated greater than “X” amount of time with a certain time window.

       

      Thanks in advance

        • 1. Re: Report against Firewall rule that is set to LOG

          First, you need to post what ePO version you are using. I'm using 45, so I will give instructions based on that.

           

          I'm thinking it might be possible to create a custom query to obtain your firewall logs for specific users and computers that are assigned to that policy. I'm testing it now and I will let you know.

          • 2. Re: Report against Firewall rule that is set to LOG
            Kary Tankink

            casscoss wrote:

             

            I have several rules where logging is enabled. I would like to know if it is possible to report or run a query against the logged events.

             

            For example I have a timed rule that opens access to the end user. The purpose is to allow sufficient time for the user to establish a VPN connection. However I am sure some users will still keep re-activating the allow time based rule so that they can surf and whatever else.

             

            I would like to be able to report against the rule, to see how many times users have activated it. Or even better notify if the rule was activated greater than “X” amount of time with a certain time window.

             

            Thanks in advance

             

            There is no Host IPS/ePO functionality to perform this.  Firewall activity (Blocked/Allowed/Timed Group) does not create ePO events.  Firewall Intrusion events (Network IPS Signature 3702) are the only Firewall-related ePO events that are sent from clients.