I’m attempting to enable McAfee HIP Firewall 8.0 on a series of machines configured as network sensors and I am having some difficulty creating a firewall rule to allow the sensor NICs to see all traffic, while enabling the firewall on the rest of the NICs. The sensor NICs are located behind network taps and are able to receive data, but cannot transmit.
Wireshark is one of the applications in use, but after adding a firewall rule allowing the Wireshark executable to receive data on any port from any host, the Activity Log shows that no application is associated with that traffic, so the rule is ineffective. I’ve tested some workaround ideas with mixed results.
Is there a best practice for applying separate firewall rules to different NICs in the same machine?