Host IPS Firewall does not have a "log-only" mode state; once it's enabled, network traffic will be blocked (depending on configuration and ruleset). Adaptive (Learn) mode is the only mode that can be used to help build your firewall rule policy, other than constant review of blocked network traffic from the HIPS Activity log and writing fw rules manually. Adaptive mode has its limitations though; even using Adaptive mode will require review of the Activity log to create fw rules for traffic that cannot be automatically learned.
KB73399 - FAQs for Host Intrusion Prevention 8.0
- Firewall Adaptive Mode - an aid for firewall tuning.
PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide
- FAQ — Adaptive mode
I'll suggest you deploy HIPS to only a few machines at different sites, mark them in Adaptive mode and uncheck the Retain Client Rules option for them. After deploying these settings, monitor HIPS events in ePO on a daily or weekly basis to know what kind of events are generated in your environment. Based on the analysis you can create firewall rules and apply them to the existing machines, and later you can deploy HIPS on the remaining machines.
Hope the above information will help you.
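The pilot approach above (a few machines at different sites, then review before building the ePO policy) as an added example that is not from this thread or from McAfee: it triages constructed client rules by how many hosts and sites report the same flow. The record layout is an assumption for illustration, not the real ePO client-rule schema.

```python
# Added example: triage firewall rules learned on a HIPS Adaptive mode
# pilot group before promoting them to the ePO firewall policy.
# Field layout below is ASSUMED for illustration, not McAfee's schema.
from collections import defaultdict

# Constructed sample: (hostname, site, process, protocol, direction, remote_port)
PILOT_CLIENT_RULES = [
    ("WS-LON-01", "london", "outlook.exe",    "TCP", "out", 443),
    ("WS-LON-02", "london", "outlook.exe",    "TCP", "out", 443),
    ("WS-NYC-01", "nyc",    "outlook.exe",    "TCP", "out", 443),
    ("WS-LON-01", "london", "svchost.exe",    "UDP", "out", 53),
    ("WS-LON-02", "london", "svchost.exe",    "UDP", "out", 53),
    ("WS-NYC-01", "nyc",    "svchost.exe",    "UDP", "out", 53),
    ("WS-LON-01", "london", "legacyapp.exe",  "TCP", "out", 8443),
    ("WS-NYC-01", "nyc",    "vendortool.exe", "TCP", "in",  9000),
]

def triage_rules(rules, min_hosts=2, min_sites=2):
    """Group learned rules by flow (process, protocol, direction, port).
    Flows seen on at least `min_hosts` hosts spanning `min_sites` sites
    are candidates to promote into the ePO policy; anything seen on a
    single host or site goes to the manual-review list instead."""
    hosts = defaultdict(set)
    sites = defaultdict(set)
    for host, site, proc, proto, direction, port in rules:
        key = (proc, proto, direction, port)
        hosts[key].add(host)
        sites[key].add(site)
    promote, review = [], []
    for key in hosts:
        entry = {"flow": key, "hosts": len(hosts[key]), "sites": len(sites[key])}
        if entry["hosts"] >= min_hosts and entry["sites"] >= min_sites:
            promote.append(entry)
        else:
            review.append(entry)
    # Most widely seen flows first, so the obvious policy rules are on top.
    return sorted(promote, key=lambda e: -e["hosts"]), review

if __name__ == "__main__":
    promote, review = triage_rules(PILOT_CLIENT_RULES)
    for e in promote:
        print("PROMOTE", e)
    for e in review:
        print("REVIEW ", e)
```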
mark them in Adaptive mode and uncheck Retain Client Rules options
The Retain Client Rules option will need to remain ENABLED for HIPS Adaptive mode to work and properly report client rules back to the ePO server. If it is DISABLED, then every McAfee Agent policy enforcement will erase the learned rules, and only the rules learned at the time of the Agent ASCI will be sent to ePO.
After a period of time, once you've tuned all the client rules, you can then disable the option, clear the client rules, then re-enable it for another period of time.