I'm importing rules learned in Adaptive mode for HIPS 8 Firewall and IPS. It works for the most part but I do see some problems. For example, in Firewall I created an exception for JAVA. For internal and external ports I left it wide open saying ports 1-65535 were allowed. I also removed the fingerprint from JAVA in the firewall rule. I also removed the defined hosts hoping all systems will be allowed in.
I still see events for JAVA while in Adaptive mode. This is weeks after I made the 'wide open' rule from the last sentence.
What am I doing wrong? Do I have to leave the fingerprint block filled instead of blank? Or, should I have something in Defined Hosts?
The rules that were learned in Adaptive mode, and added to your policy, still have some specific information in them that does not work for Java. Once a learned rule is put in the Firewall Rules policy, traffic that matches the rule would be allowed. If a new rule is being created, then you have some specific information in that Firewall Rule that does not allow the traffic that Adaptive mode is creating new client rules for.
Post examples if you can, but new rules are created because the existing rules don't match (hash, signer, path filename, local host, remote hosts, etc.). Compare your existing rule to the new Adaptive mode rule and see what doesn't match. Adjust the existing rule accordingly.
Thanks for the input, Kary. Here's an example - Dameware Remote. It comes in on port 6129 only, so I left that port as is. I took out the signature for the executable. Yet, I still get rules in Adaptive mode for Dameware. There are only 2 things I changed for the original rule:
1. I took out the Networks learned, leaving it wide open, I believe
2. I took out the hash for the executable, leaving it wide open, I believe.
Do I have to have a hash? Do I have to have assigned networks? I assume without either that any executable with that path and filename would work and any network attempting that communication would work.
You do not have to specify data if you don't want to (which loosens the rule), but if it's still not working, you might want to open an SR for further review of your rule. If new Adaptive mode rules are being created, then your firewall rule is not matching against the traffic generating the new client rules.
Kenobe - in your example, the Direction is "In" and you don't have "Local Host" specified in your "Network Options". The Adaptive mode will create a rule if the target machine you are trying to Dameware to is not listed in your "Trusted Network". I also experienced that sometimes you need to restart the client machine when you push a new Firewall rule, especially if the rule applies to a running service.