6 Replies Latest reply on Mar 29, 2011 2:57 PM by horticainsurance

    Reading FireSvc.log

      I'm new to Host IPS 8 so I'm kind of all over the place in troubleshooting my problem. Is there a way to figure out what policy is allowing the network activity to pass?  Nothing is being logged in the Activity log and I have all the options checked. I look in the FireSvc.log and see the network activity.   It shows the action allowed, the policy id, and the reason.  Below is an example: 


      policy id = 4dd0ad0a-5507-4b18-a214-7240ccc0b4b3, reason = 4dd0ad0a-5507-4b18-a214-7240ccc0b4b3, action = FW_ACTION_ALLOW


      I'm not sure now how to figure out what policy the policy id is referencing.


      Thanks,
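The log line quoted in the post has a regular shape (policy id, reason, action), so even though the ids cannot be resolved to rule names outside the HIPS process, the lines can still be parsed and grouped. The following is an added example, not code from the original post or from McAfee: it parses a handful of constructed FireSvc.log-style lines, counts decisions per policy id and action, lists the ids that allowed traffic, and flags lines whose reason id is not the policy id itself. The second GUID, the FW_ACTION_BLOCK value and the meaning of the reason field are assumptions made for the example; only FW_ACTION_ALLOW and the first GUID appear on the page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the "policy id = ..., reason = ..., action = ..." shape
# shown in the post. The second GUID and FW_ACTION_BLOCK are made up for the
# example; the non-matching line stands in for other service chatter in the log.
SAMPLE_LOG = """\
policy id = 4dd0ad0a-5507-4b18-a214-7240ccc0b4b3, reason = 4dd0ad0a-5507-4b18-a214-7240ccc0b4b3, action = FW_ACTION_ALLOW
policy id = 4dd0ad0a-5507-4b18-a214-7240ccc0b4b3, reason = 4dd0ad0a-5507-4b18-a214-7240ccc0b4b3, action = FW_ACTION_ALLOW
policy id = 0f3c2a91-1b2e-4c5d-8e9f-0a1b2c3d4e5f, reason = 0f3c2a91-1b2e-4c5d-8e9f-0a1b2c3d4e5f, action = FW_ACTION_BLOCK
some unrelated service line without a firewall decision
policy id = 4dd0ad0a-5507-4b18-a214-7240ccc0b4b3, reason = 0f3c2a91-1b2e-4c5d-8e9f-0a1b2c3d4e5f, action = FW_ACTION_ALLOW
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
DECISION_RE = re.compile(
    rf"policy id = (?P<policy>{GUID}),\s*reason = (?P<reason>{GUID}),\s*action = (?P<action>\w+)"
)


def parse_decisions(text):
    """Yield one dict per line that carries a firewall decision; skip everything else."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DECISION_RE.search(line)
        if m:
            d = m.groupdict()
            d["line"] = lineno
            yield d


def summarize(text):
    """Count decisions per (policy id, action) and collect the reason ids seen per policy."""
    counts = Counter()
    reasons = defaultdict(set)
    for d in parse_decisions(text):
        counts[(d["policy"], d["action"])] += 1
        reasons[d["policy"]].add(d["reason"])
    return counts, reasons


def allowing_policies(text):
    """Policy ids that allowed traffic, most frequent first (the ones to hand to support)."""
    counts, _ = summarize(text)
    allows = Counter()
    for (policy, action), n in counts.items():
        if action == "FW_ACTION_ALLOW":
            allows[policy] += n
    return [p for p, _ in allows.most_common()]


def reason_differs_from_policy(text):
    """Line numbers where reason is not the policy id itself.

    Assumption: the page does not explain the reason field, so this only
    flags lines that break the pattern seen in the post for a closer look.
    """
    return [d["line"] for d in parse_decisions(text) if d["reason"] != d["policy"]]


if __name__ == "__main__":
    counts, reasons = summarize(SAMPLE_LOG)
    for (policy, action), n in sorted(counts.items()):
        print(f"{policy}  {action:<16} {n}")
    print("allowing policy ids:", allowing_policies(SAMPLE_LOG))
    print("reason != policy on lines:", reason_differs_from_policy(SAMPLE_LOG))
```

Run it against a real FireSvc.log by reading the file into `SAMPLE_LOG`'s place; the per-id counts show which opaque ids are doing the allowing, which is useful context for a support ticket even though the ids cannot be mapped to rule names locally.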

        • 1. Re: Reading FireSvc.log

          I know that Host Intrusion Prevention Signature 2224 may cause Internet Explorer browser termination or hang... is that what's happening?

          • 2. Re: Reading FireSvc.log

            No, my issue is that a lot of the traffic I'm trying to block is being allowed.  I want to block FTP in/out for some clients.  I was trying to block Firefox from working on port 80 (just testing this rule).  I eventually created an IPS signature to block Firefox from launching.  My concern was that a lot of traffic is being allowed out that I want to block.  I know the McAfee NDIS driver is working because I disabled it in Device Manager and all traffic stopped.

            • 3. Re: Reading FireSvc.log
              Kary Tankink
              Is there a way to figure out what policy is allowing the network activity to pass?

              By policy, I assume you mean rule.  Review the Host IPS Client UI Activity Log for allowed and blocked traffic.  For each event, the firewall rule name will be at the very end (right side) of the event.  This will tell you exactly what firewall rule is allowing or blocking the network traffic.  Enable the respective logging option in the Activity Log:  "Log all blocked" and/or "Log all allowed", depending on what you are looking for.


              I'm not sure now how to figure out what policy the policy id is referencing.


              These policy IDs are the firewall rules inside the HIPS process space.  There is no reference to them in the policy or locally on the system.  They are not used for customer troubleshooting.  Use the HIPS Activity Log to troubleshoot firewall allowed/blocked traffic.


              Corrections by ktankink on 3/29/11 1:12:40 PM CDT
              • 4. Re: Reading FireSvc.log

                I was initially looking at the HIPS Activity log but it is part of the issue.  It is not logging any of the traffic. I have it checked to log both blocked and allowed.  Because I couldn't see anything in the activity log, I started looking at other logs.  My next guess was the install was not working correctly.  So I reinstalled the client and also installed HIPS 8.0 on another laptop.  The activity log on both laptops didn't show anything so I figured it had to be policy related.


                thanks,

                • 5. Re: Reading FireSvc.log
                  Kary Tankink

                  Also, you said you enabled all the options, but make sure that the Traffic option is enabled under the Filter Options section of the Activity log.  If you have the Firewall enabled, and you aren't seeing any firewall events being logged in the Activity log while both Log all blocked and Log all allowed are enabled, then you might need to open a support ticket.  The HIPS Activity log is the best log to review for firewall rule issues.

                  • 6. Re: Reading FireSvc.log

                    I do have both Filter Options checked.  I have opened a support ticket.


                    Thanks for your help,