Can you all please help?
How can I edit the pre-defined rules in this version?
The rules which I posted above in the printscreen will not allow me to edit the rules.
Also, I did a test by connecting the internet connection directly to the Modem instead of my router and when I enabled the Firewall, I was unable to browse the web. So I can log on to my Modem from what my ISP gave me, but I cannot browse webpages. Then I disabled the Firewall and everything was OK.
In HIPS 7, it did not do this at all. Only in this version.
This is as designed. You cannot edit these rules. HIPS 8.0 shows all rules now, unlike HIPS 7.0 did (the Block All rule existed, but was hidden from the Client UI view).
The "Allow all outbound" rule appears if you have no enabled firewall rules in your firewall rule policy.
The "Block all traffic" is the standard "block all" rule. It provides the "if not allowed, then block" functionality that most firewalls are designed around.
Just build out and tune your firewall rules as per Best Practices (from the HIPS 8.0 Install guide).
Still VERY confusing indeed. I will read the manual carefully.
In version 7, the default right after installation was to BLOCK ALL OUTBOUND traffic, so then I would have to manually configure each application to allow outgoing or use Learn Mode. But version 8 is very confusing. Even when I enable Learn Mode, no window prompts either... This to me is very strange.
Also, when I enable the firewall with these pre-defined rules, it's not allowing me to use the WAN Mini port PPPoE which I use to connect DIRECTLY via my standard modem without any router. Why is this? With version 7, all went fine.
Somehow the firewall does not want to allow the standard WAN Mini port using PPPoE.
With the router, all works OK. It just does not work with the WAN modem itself.
Why is this?
With HIPS 7.0, you might have passed PPPOE traffic using the "Allow unsupported protocol traffic" option. This allows non-IP based protocol traffic to pass through the Firewall/NDIS drivers.
With HIPS 8.0, you can now create specific rules for non-IP protocol traffic. In the Firewall rules, there is a list of non-IP protocols to choose from, with a couple being PPPOE traffic. You can also specify the exact Ethertype number that needs to be passed as well. Review the Host IPS Activity log for blocked PPPOE traffic. It will state either one of the non-IP protocols for PPPOE, or an Ethertype number, so you can create a Firewall rule to allow this traffic. Basically, HIPS 8.0 has improved functionality for specifying non-IP protocol traffic or specific Ethertypes to block/allow. In HIPS 7.0, it was mostly "all or nothing" functionality.
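To illustrate the Ethertype point in the reply above, here is an added example (not from the thread and not McAfee code) that reads the EtherType field of an Ethernet frame and checks it against an allow-list. The allow-list model, the helper names and the sample frames are assumptions constructed for illustration; 0x8863 and 0x8864 are the standard EtherTypes for PPPoE Discovery and PPPoE Session.

```python
import struct

# Well-known EtherType values (IEEE-assigned)
ETHERTYPES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x8863: "PPPoE Discovery",
    0x8864: "PPPoE Session",
}
VLAN_TAG = 0x8100  # 802.1Q tag; the real EtherType follows 4 bytes later


def ethertype_of(frame: bytes) -> int:
    """Return the EtherType of an Ethernet II frame, skipping 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # after destination MAC (6 bytes) and source MAC (6 bytes)
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype == VLAN_TAG:
        offset += 4
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (etype,) = struct.unpack_from("!H", frame, offset)
    return etype


def evaluate(frame: bytes, allowed_ethertypes: set) -> str:
    """Hypothetical model: allow listed EtherTypes, otherwise fall to block-all."""
    etype = ethertype_of(frame)
    name = ETHERTYPES.get(etype, "unknown")
    verdict = "ALLOW" if etype in allowed_ethertypes else "BLOCK"
    return f"{verdict} 0x{etype:04X} ({name})"


def make_frame(etype: int, payload: bytes = b"\x00" * 46, vlan=None) -> bytes:
    """Build a constructed sample frame (dummy MACs) for the demo."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    tag = struct.pack("!HH", VLAN_TAG, vlan) if vlan is not None else b""
    return hdr + tag + struct.pack("!H", etype) + payload


if __name__ == "__main__":
    ip_only = {0x0800, 0x0806, 0x86DD}           # ruleset without PPPoE rules
    with_pppoe = ip_only | {0x8863, 0x8864}      # both PPPoE phases allowed
    for f in (make_frame(0x0800), make_frame(0x8863), make_frame(0x8864, vlan=10)):
        print(evaluate(f, ip_only), "->", evaluate(f, with_pppoe))
```

Both PPPoE EtherTypes need a rule: Discovery frames set up the session and Session frames carry the traffic, so allowing only one of them still leaves a direct modem connection unusable.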
Sorry for being a "pest" but it seems to be almost clear now.
I was wondering that this does not make sense at all because why create rules when there is already a rule for ALL TRAFFIC OUTBOUND by default???
Still seems to make no sense to me.
And when I enable the Learn Modes, no alerts are popping up. Why?
Start with a duplicate of a McAfee default ruleset, like Typical Corporate Environment. This policy does include an Allow Outbound TCP rule, but you can remove this rule if you want. You will need to build your ruleset according to your company's security policy. If a blanket Allow all out rule is inappropriate for your environment, then remove the rule and add other rules as needed.
Adaptive mode functionality only works if there is no other rule that blocks/allows the traffic and the traffic gets down to the Block all traffic rule. Please make sure to read the Host IPS Best Practices in the install guide, page 11.
PD22891 - Host Intrusion Prevention 8.0 Installation Guide
Something in this new version does not appear to be functioning right.
I created a rule to block outbound port 80, I am still able to browse the net.
Creating other rules will not work since the default rules such as Allow All Outbound are already set. Which of course allows all traffic. And if it cannot be edited, then what's the point after all?
If you're using version 8 yourself, please post an image of what you have, if you do not mind.
Are you trying to use the Host IPS product without the McAfee Agent to manage its policies? Looking at your screenshot, there should be other default rules that are not included, like Trusted Applications and McAfee Agent Communications. You must have the McAfee Agent installed and reporting to an ePO server to manage the Host IPS policies and rules.
I would suggest opening a McAfee Service Request with our Support team for further assistance.