Firewall "events" are not sent back to the ePO server. Only IPS events.
The activity log is for local client viewing. It only retains 1 meg of text data. After that it starts appending.
An easy way to test this is to set signature 1002 or 1001 to log and try to modify or change a HIP file or HIP registry value. This should send an event to the ePO server.
Signature 1001 and 1002 are IPS signatures. Triggering those will send an event back to the ePO server.
I believe Eric wanted the blocked firewall packets that show up in the local UI to be sent back to the ePO server. As Joe pointed out, that's not possible. If HIP was to send every blocked packet that was logged, the ePO server would be overwhelmed in five minutes.
Here's what I want: I want to deploy HIPS to tens or hundreds of computers, with the firewall used to block networking to all applications but the ones I list. So I added, for example, FIREFOX.EXE and IEXPLORE.EXE and allow these to communicate on ports 80 and 443. But when someone installs Safari as a browser, it won't communicate. I would like that to show up on my ePO server, that SAFARI.EXE is trying to communicate over port 80.
The only way you can get a FW rule to send events over to the ePO server is to create a BLOCK rule and mark the option "Treat Match as Intrusion".
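The policy this thread converges on (allow the listed browsers on 80/443, block everything else, and set "Treat Match as Intrusion" on the block rule so the block reaches ePO) can be modelled as a small rule evaluator. The code below is an added example written for this page, not McAfee code and not something any poster provided; it assumes first-match rule evaluation, case-insensitive application names, and that a blocked match is forwarded to ePO only when the block rule carries the intrusion flag. The rule names, the `browser_policy` helper and the sample traffic are all constructed for the illustration.

```python
"""Constructed model of HIP firewall rule matching and ePO event forwarding.

Hypothetical assumptions: rules are evaluated first-match, application names
are compared case-insensitively, and a BLOCK match produces an ePO event only
when "Treat Match as Intrusion" is set on that rule. Allowed traffic and plain
blocks go to the local activity log only.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class FwRule:
    name: str
    action: str                       # "allow" or "block"
    apps: Optional[FrozenSet[str]]    # None matches any application
    ports: Optional[FrozenSet[int]]   # None matches any remote port
    treat_as_intrusion: bool = False  # only meaningful on block rules


@dataclass(frozen=True)
class Connection:
    app: str
    remote_port: int


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: str
    local_log: str              # line written to the client activity log
    epo_event: Optional[str]    # event forwarded to ePO, or None


def _matches(rule: FwRule, conn: Connection) -> bool:
    """Application and port criteria must both match (None is a wildcard)."""
    if rule.apps is not None and conn.app.upper() not in rule.apps:
        return False
    if rule.ports is not None and conn.remote_port not in rule.ports:
        return False
    return True


def evaluate(rules: List[FwRule], conn: Connection) -> Verdict:
    """First matching rule wins; decide what is logged locally and what reaches ePO."""
    for rule in rules:
        if not _matches(rule, conn):
            continue
        local = f"{rule.action.upper()} {conn.app} -> tcp/{conn.remote_port} ({rule.name})"
        epo = None
        if rule.action == "block" and rule.treat_as_intrusion:
            # Only a BLOCK rule with "Treat Match as Intrusion" is reported to ePO.
            epo = f"intrusion: {conn.app} blocked on tcp/{conn.remote_port} by rule '{rule.name}'"
        return Verdict(rule.action, rule.name, local, epo)
    raise ValueError("no rule matched; policy must end with a catch-all rule")


def browser_policy(report_blocks_to_epo: bool) -> List[FwRule]:
    """Hypothetical policy: listed browsers may use 80/443, everything else is blocked."""
    browsers = frozenset({"FIREFOX.EXE", "IEXPLORE.EXE"})
    web_ports = frozenset({80, 443})
    return [
        FwRule("Allow listed browsers to web", "allow", browsers, web_ports),
        FwRule("Block everything else", "block", None, None,
               treat_as_intrusion=report_blocks_to_epo),
    ]


def epo_events(rules: List[FwRule], conns: Iterable[Connection]) -> List[str]:
    """Return only the events that would be forwarded to the ePO server."""
    return [v.epo_event for v in (evaluate(rules, c) for c in conns) if v.epo_event]


# Constructed sample traffic, not captured data.
SAMPLE_TRAFFIC = [
    Connection("FIREFOX.EXE", 443),   # allowed, local log only
    Connection("iexplore.exe", 80),   # allowed (case-insensitive app match)
    Connection("SAFARI.EXE", 80),     # unlisted browser: blocked
    Connection("FIREFOX.EXE", 8080),  # listed browser on an unlisted port: blocked
]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"Treat Match as Intrusion = {flag}")
        for conn in SAMPLE_TRAFFIC:
            v = evaluate(browser_policy(flag), conn)
            print("  local:", v.local_log, "| ePO:", v.epo_event)
```

With the flag off, SAFARI.EXE's blocked attempt is visible only in the client's activity log; with it on, the same block rule also emits an ePO event, which is exactly the difference the last reply describes.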