1661 Views 4 Replies Latest reply: Apr 1, 2013 4:21 PM by linoph
kenobe Apprentice 90 posts since
Mar 15, 2012

Mar 13, 2013 3:04 PM

Creating Firewall and IPS Exceptions

Hi folks.


I'm importing rules learned in Adaptive mode for HIPS 8 Firewall and IPS.  It works for the most part but I do see some problems.  For example, in Firewall I created an exception for JAVA.  For internal and external ports I left it wide open saying ports 1-65535 were allowed.  I also removed the fingerprint from JAVA in the firewall rule.  I also removed the defined hosts hoping all systems will be allowed in.


I still see events for JAVA while in Adaptive mode.  This is weeks after I made the 'wide open' rule from the last sentence. 


What am I doing wrong?  Do I have to leave the fingerprint block filled instead of blank?  Or, should I have something in Defined Hosts?


Thanks, Ken

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    1. Mar 19, 2013 3:26 PM (in response to kenobe)
    Re: Creating Firewall and IPS Exceptions

    The rules that were learned in Adaptive mode, and added to your policy, still have some specific information in them that does not work for Java.  Once a learned rule is put in the Firewall Rules policy, traffic that matches the rule would be allowed.  If a new rule is being created, then you have some specific information in that Firewall Rule that does not allow the traffic that Adaptive mode is creating new client rules for.


    Post examples if you can, but new rules are created because the existing rules don't match (hash, signer, path filename, local host, remote hosts, etc.).  Compare your existing rule to the new Adaptive mode rule and see what doesn't match.  Adjust the existing rule accordingly.

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    3. Mar 27, 2013 3:40 PM (in response to kenobe)
    Re: Creating Firewall and IPS Exceptions

    You do not have to specify data if you don't want to (which loosens the rule), but if it's still not working, you might want to open an SR for further review of your rule.  If new Adaptive mode rules are being created, then your firewall rule is not matching against the traffic generating the new client rules.

  • linoph Newcomer 6 posts since
    Sep 13, 2010
    4. Apr 1, 2013 4:21 PM (in response to kenobe)
    Re: Creating Firewall and IPS Exceptions

    Kenobe - in your example, the Direction is "In" and you don't have "Local Host" specified in your "Network Options". Adaptive mode will create a rule if the target machine you are trying to Dameware to is not listed in your "Trusted Network". I also experienced that sometimes you need to restart the client machine when you push a new Firewall rule, especially if the rule applies to a running service.
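Added example, not code from this thread or from McAfee: a small model of the rule matching Kary describes (hash, signer, path, local host, remote hosts, ports) together with the direction point linoph raises, written so you can see which field of an existing rule is the one that keeps Adaptive mode learning new client rules. The field names, the "empty means any" convention, the sample paths, hosts and hash strings are all assumptions made for illustration; the real HIPS 8 rule format may differ.

```python
# Added example, not from the thread or from McAfee. It models how a
# host-firewall allow rule is matched against an observed connection and
# reports which fields fail, so an admin can see why Adaptive mode keeps
# learning new rules. Field names, the "empty means any" convention and
# every sample value below are assumptions for illustration only.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Connection:
    """One observed connection, as Adaptive mode sees it (constructed)."""
    app_path: str
    app_hash: str            # fingerprint of the executable
    signer: Optional[str]
    direction: str           # "in" or "out"
    protocol: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int


@dataclass
class Rule:
    """A firewall allow rule. None or an empty list means 'any'."""
    name: str
    app_path: Optional[str] = None
    app_hash: Optional[str] = None
    signer: Optional[str] = None
    direction: str = "either"          # "in", "out" or "either"
    protocol: Optional[str] = None
    local_hosts: List[str] = field(default_factory=list)
    local_ports: Tuple[int, int] = (1, 65535)
    remote_hosts: List[str] = field(default_factory=list)
    remote_ports: Tuple[int, int] = (1, 65535)


def mismatches(rule: Rule, conn: Connection) -> List[str]:
    """Return the rule fields that fail to match conn, in a fixed order.

    An empty list means the rule covers the connection, so the client
    allows it silently instead of learning a new rule for it.
    """
    def in_range(ports: Tuple[int, int], p: int) -> bool:
        return ports[0] <= p <= ports[1]

    checks = [
        ("app_path", rule.app_path is not None
         and rule.app_path.lower() != conn.app_path.lower()),
        # A fingerprint learned before an update is the classic stale
        # field: same path, different hash.
        ("app_hash", rule.app_hash is not None
         and rule.app_hash != conn.app_hash),
        ("signer", rule.signer is not None and rule.signer != conn.signer),
        ("direction", rule.direction != "either"
         and rule.direction != conn.direction),
        ("protocol", rule.protocol is not None
         and rule.protocol != conn.protocol),
        ("local_hosts", bool(rule.local_hosts)
         and conn.local_host not in rule.local_hosts),
        ("local_ports", not in_range(rule.local_ports, conn.local_port)),
        ("remote_hosts", bool(rule.remote_hosts)
         and conn.remote_host not in rule.remote_hosts),
        ("remote_ports", not in_range(rule.remote_ports, conn.remote_port)),
    ]
    return [name for name, failed in checks if failed]


# Constructed sample traffic: Java connecting out over HTTPS, and a
# DameWare session started from this host to a workstation.
JAVA_CONN = Connection(
    app_path=r"C:\Program Files\Java\jre7\bin\javaw.exe",
    app_hash="sha1:1111111111111111111111111111111111111111",  # placeholder
    signer="Oracle America, Inc.", direction="out", protocol="tcp",
    local_host="192.0.2.10", local_port=52344,
    remote_host="198.51.100.20", remote_port=443,
)
DAMEWARE_CONN = Connection(
    app_path=r"C:\Program Files\DameWare\DWRCC.exe",
    app_hash="sha1:2222222222222222222222222222222222222222",  # placeholder
    signer="SolarWinds", direction="out", protocol="tcp",
    local_host="192.0.2.10", local_port=50123,
    remote_host="192.0.2.77", remote_port=6129,
)

# The "wide open" rule as first built: all ports allowed, but the learned
# hash and a defined remote host were left in place.
STALE_JAVA_RULE = Rule(
    name="Allow Java (stale)",
    app_path=JAVA_CONN.app_path,
    app_hash="sha1:0000000000000000000000000000000000000000",  # old hash
    remote_hosts=["198.51.100.21"],
)
# The same rule with the fingerprint and defined hosts cleared.
OPEN_JAVA_RULE = Rule(name="Allow Java", app_path=JAVA_CONN.app_path)
# An inbound-only rule cannot cover an outbound DameWare session.
DAMEWARE_IN_RULE = Rule(
    name="Allow DameWare", app_path=DAMEWARE_CONN.app_path, direction="in",
)
```

Run `mismatches(STALE_JAVA_RULE, JAVA_CONN)` and it reports `app_hash` and `remote_hosts`: the port range was opened but two specific fields were left behind, which is exactly the situation in which the client keeps learning fresh rules. Clearing those fields (`OPEN_JAVA_RULE`) gives an empty list, and the DameWare case fails only on `direction`. Against a real policy the same exercise is done by hand, field by field, between the existing rule and the rule Adaptive mode just created.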
