2 Replies Latest reply on Sep 5, 2013 3:02 PM by kenobe

    Log HIPS Firewall Connections and Query

    kenobe

      Scenario: I wish to monitor for traffic to a specific IP range outside our internet network.  I with to be able to query if someone did try to connect and show the IP of that remote network. 

       

      I set the subnets to monitor at the top of my HIPS 8 firewall poliicy.  I accessed a web site on that network but no events were shown in my HIPS Event Log.  I suspect because we're using a proxy the traffic isn't actually being seen by HIPS on the local machine.

       

      Any ideas how I can get this to work?

       

      Thanks

       

      Ken

        • 1. Re: Log HIPS Firewall Connections and Query
          Kary Tankink

          If you have LOG ALL ALLOWED enabled in the HIPS Activity Log menu, then you should see the traffic going out from the system, however, like you said, if a browser is proxying, then the Activity Log is going to see traffic going from the client to the proxy server (not to the destination network you're monitoring).

           

          For non-proxy traffic, you should see it going to/from the monitored networks.

           

           

          FYI, just in case you aren't aware, HIPS does not generate ePO events for firewall traffic.  If you mark a Firewall rule as MARK AS INTRUSION, this will trigger Network IPS Siganture 3702 (if you have NIPS enabled).

          • 2. Re: Log HIPS Firewall Connections and Query
            kenobe

            Ok, your answer highlighted what's happening.

             

            - When allowing and logging traffic via a firewall rule, it logs LOCALLY only in the machine HIPS activity log.  No ePO event is generated.

            - When blocking and treating as intrusion, an ePO is event IS generated.