We use McAfee ePO. In there we have a HIPS firewall rules policy which denies ICMP traffic globally on all HIPS systems.
Now I have one single system that I would like to allow to receive and respond to ICMP traffic from a single IP address.
The firewall policy has the option checked to not overwrite client rules when enforcing the policy.
So I log on to that particular system and unlock the HIPS interface. Then I add a rule that allows ICMP in both directions from a specified source IP address.
When I then check the firewall log, the ICMP request from the specified IP is still being blocked by the rule that was enforced on the client by the policy.
I tried moving the manually created rule above the "block all ICMP traffic" rule, but as soon as I apply it, the rule is automatically moved back down.
Now my question is this.
How exactly can I generally deny ICMP traffic on all HIPS hosts, but still allow a single host to receive ICMP traffic from a single IP address?
Maybe there is a general question here.
How can I use a policy to deny specific traffic on all clients but still allow the same traffic on a single host?
Is that even possible?
I would hate to have to remove the "block ICMP" policy rule and then configure every system I don't want to respond to ICMP individually.
There has to be a way to get around this.
Thanks a lot for your support.
Duplicate your firewall rules policy, remove the ICMP deny rule, and assign it to that system. There is no real other way around it. The other thing you could do is add a rule to your global firewall rules policy to permit the ICMP traffic, with that system's IP as the remote IP. I think this would only permit inbound ICMP to that system, though, and wouldn't permit outbound.
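The following is an added illustration, not McAfee code or anything from the original thread. It models first-match firewall rule evaluation in which rules enforced by the management policy always sit above rules added locally on the client (the ordering the question observed when its local rule kept getting moved back down; this ordering is an assumption of the model, not a statement from HIPS documentation). It shows why the local allow rule never fires under the global policy, why the answer's dedicated-policy fix works, and goes one step beyond the answer by showing that a duplicated policy with the deny simply removed answers ICMP from everyone, whereas a scoped allow rule placed above the deny inside that policy limits the exception to the single source. All addresses and rule names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    protocol: str               # "icmp", "tcp", "udp" or "any"
    direction: str              # "in", "out" or "both"
    remote: str = "0.0.0.0/0"   # remote address or network the rule applies to

    def matches(self, protocol: str, direction: str, remote_ip: str) -> bool:
        return (self.protocol in ("any", protocol)
                and self.direction in ("both", direction)
                and ip_address(remote_ip) in ip_network(self.remote))


@dataclass
class Host:
    name: str
    policy_rules: List[Rule]                                # pushed by the management server
    client_rules: List[Rule] = field(default_factory=list)  # added locally on the host

    def effective_rules(self) -> List[Rule]:
        # Modelling assumption, consistent with the behaviour described in the
        # question: enforced policy rules always sit above client rules, so a
        # local rule can never be ordered above an enforced one.
        return self.policy_rules + self.client_rules

    def decide(self, protocol: str, direction: str, remote_ip: str) -> Tuple[str, Optional[str]]:
        """First matching rule wins; nothing matching falls through to block."""
        for rule in self.effective_rules():
            if rule.matches(protocol, direction, remote_ip):
                return rule.action, rule.name
        return "block", None


# Constructed addresses (TEST-NET-1); not taken from the original post.
MONITOR_IP = "192.0.2.10"   # the single source that may ping the exception host
OTHER_IP = "192.0.2.99"     # any other host on the network

BLOCK_ICMP = Rule("Block all ICMP", "block", "icmp", "both")
ALLOW_REST = Rule("Allow remaining traffic", "allow", "any", "both")
GLOBAL_POLICY = [BLOCK_ICMP, ALLOW_REST]

# The rule the question's author added locally after unlocking the client UI.
LOCAL_ALLOW = Rule("Local: allow ICMP from monitor", "allow", "icmp", "both", MONITOR_IP)


def client_rule_under_global_policy() -> str:
    """What the question observed: the local allow rule lands below the
    enforced block rule, so the ping from the monitor is still blocked."""
    host = Host("server-a", GLOBAL_POLICY, [LOCAL_ALLOW])
    return host.decide("icmp", "in", MONITOR_IP)[0]


def dedicated_policy_without_deny() -> Tuple[str, str]:
    """The answer's fix taken literally: a copy of the global policy minus the
    ICMP deny, assigned only to this host. Returns verdicts for ICMP from the
    monitor and from any other host; note that both are now allowed."""
    exception_policy = [r for r in GLOBAL_POLICY if r is not BLOCK_ICMP]
    host = Host("server-a", exception_policy, [LOCAL_ALLOW])
    return (host.decide("icmp", "in", MONITOR_IP)[0],
            host.decide("icmp", "in", OTHER_IP)[0])


def dedicated_policy_with_scoped_exception() -> Tuple[str, str, str]:
    """Tighter variant: keep the deny in the duplicated policy but place a
    scoped allow rule for the single source above it. Returns verdicts for
    inbound from the monitor, inbound from another host, outbound to the monitor."""
    scoped_allow = Rule("Allow ICMP from monitor", "allow", "icmp", "both", MONITOR_IP)
    exception_policy = [scoped_allow, BLOCK_ICMP, ALLOW_REST]
    host = Host("server-a", exception_policy)
    return (host.decide("icmp", "in", MONITOR_IP)[0],
            host.decide("icmp", "in", OTHER_IP)[0],
            host.decide("icmp", "out", MONITOR_IP)[0])


def rest_of_fleet_still_blocks() -> str:
    """Every other host keeps the unchanged global policy and still drops ICMP."""
    return Host("server-b", GLOBAL_POLICY).decide("icmp", "in", MONITOR_IP)[0]


if __name__ == "__main__":
    print("local rule under global policy:", client_rule_under_global_policy())
    print("dedicated policy, deny removed:", dedicated_policy_without_deny())
    print("dedicated policy, scoped allow:", dedicated_policy_with_scoped_exception())
    print("other hosts:", rest_of_fleet_still_blocks())
```

The practical takeaway the model makes visible: an exception to an enforced deny has to live in the same layer as the deny (a policy assigned to that host), and if the exception is meant to cover only one source, the duplicated policy should keep the deny and carry a narrower allow rule above it rather than dropping the deny altogether.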