      I'm pretty new around here and attempting to learn all of ePO in a short amount of time. I've been looking into an option to set the firewall in a listening and reporting mode so that we can determine what needs to be blocked through the firewall and what should be left open.


      I'm aware of the Adaptive mode, but still not sure exactly how it works as it seems that it actively makes changes to a firewall policy on the fly, and that is why you don't want too many systems set up to use it as it is resource-intensive...


      Is there any other way to set up the HIPS firewall to a reporting mode for Mac and Windows? That way I can monitor the firewall and determine [on my own] what needs to be changed?

          Kary Tankink

          Host IPS Firewall does not have a "log-only" mode state; once it's enabled, network traffic will be blocked (depending on configuration and ruleset). Adaptive (Learn) mode is the only mode that can be used to help build your firewall rule policy, other than constant review of blocked network traffic from the HIPS Activity log and writing fw rules manually. Adaptive mode has its limitations though; even using Adaptive mode will require review of the Activity log to create fw rules for traffic that cannot be automatically learned.


          KB73399 - FAQs for Host Intrusion Prevention 8.0



          • Firewall Adaptive Mode - an aid for firewall tuning. 



          PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 ProductGuide



          • FAQ — Adaptive mode
            I'd suggest you deploy HIPS on only a few machines at different sites, mark them in Adaptive mode, and uncheck the Retain Client Rules option for them. After deploying these settings, monitor HIPS events in ePO on a daily or weekly basis to learn what kind of events are generated in your environment. Based on that analysis you can create firewall rules and apply them to the existing machines, and later you can deploy HIPS on the remaining machines.


            Hope the above information will help you.
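Both replies above come back to the same manual step: review the blocked-traffic events collected from the pilot machines and turn the recurring ones into firewall rules. The script below is an added example of how that review can be scripted; it is not code from this thread or from McAfee. The CSV columns and the sample events are constructed assumptions and do not reproduce the real HIPS Activity log or the ePO event export format, so the parser would need adjusting to whatever export you actually pull from ePO.

```python
"""Tally constructed HIPS-style firewall block events into candidate rule groups.

Added example. The column layout below is an assumption, not McAfee's format.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample events (assumed columns; hosts, processes and
# addresses are made up for illustration).
SAMPLE_EVENTS = """\
time,host,process,direction,protocol,remote_addr,remote_port,action
2013-05-01T08:01:00,PC1,outlook.exe,outbound,TCP,10.1.1.5,443,blocked
2013-05-01T08:02:00,PC1,outlook.exe,outbound,TCP,10.1.1.5,443,blocked
2013-05-01T08:03:00,PC2,outlook.exe,outbound,TCP,10.1.1.5,443,blocked
2013-05-01T08:04:00,PC2,svchost.exe,outbound,UDP,10.1.1.2,53,blocked
2013-05-01T08:05:00,PC3,svchost.exe,outbound,UDP,10.1.1.2,53,blocked
2013-05-01T08:06:00,PC3,unknown.exe,outbound,TCP,203.0.113.9,6667,blocked
2013-05-01T08:07:00,PC1,chrome.exe,outbound,TCP,198.51.100.7,80,allowed
"""


def parse_events(text):
    """Parse CSV text (assumed layout) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def summarise_blocked(events, min_hosts=2):
    """Group blocked events by (process, direction, protocol, remote_port).

    Returns (candidates, review): groups seen on at least min_hosts distinct
    hosts are rule candidates; groups seen on fewer hosts go to a separate
    review list, since one-off traffic from a single machine deserves a look
    before it is allowed through a shared policy.
    """
    counts = Counter()
    hosts = defaultdict(set)
    addrs = defaultdict(set)
    for e in events:
        if e["action"] != "blocked":
            continue  # allowed traffic needs no new rule
        key = (e["process"], e["direction"], e["protocol"], e["remote_port"])
        counts[key] += 1
        hosts[key].add(e["host"])
        addrs[key].add(e["remote_addr"])

    candidates, review = [], []
    for key, n in counts.most_common():  # most frequent groups first
        row = {
            "process": key[0],
            "direction": key[1],
            "protocol": key[2],
            "remote_port": key[3],
            "events": n,
            "hosts": len(hosts[key]),
            "remote_addrs": sorted(addrs[key]),
        }
        (candidates if row["hosts"] >= min_hosts else review).append(row)
    return candidates, review


def describe(row):
    """Render one group as a human-readable draft for the rule author.

    Plain text for review, not HIPS rule syntax.
    """
    return (f"{row['process']} {row['direction']} {row['protocol']}/"
            f"{row['remote_port']} -> {', '.join(row['remote_addrs'])} "
            f"({row['events']} events on {row['hosts']} host(s))")


if __name__ == "__main__":
    cands, rev = summarise_blocked(parse_events(SAMPLE_EVENTS))
    print("Candidate allow rules (seen on multiple hosts):")
    for r in cands:
        print("  " + describe(r))
    print("Needs manual review (single host):")
    for r in rev:
        print("  " + describe(r))
```

The `min_hosts` threshold is the one design choice worth tuning: on a pilot of a handful of machines, a group that shows up on two or more of them is usually legitimate business traffic, while a single-host group (here the made-up `unknown.exe` talking to port 6667) is exactly the event you want a person to look at rather than auto-allow.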

              Kary Tankink
              mark them in Adaptive mode and uncheck Retain Client Rules options

              The Retain Client Rules option will need to remain ENABLED for HIPS Adaptive mode to work and properly report client rules back to the ePO server. If it is DISABLED, then every McAfee Agent policy enforcement will erase the learned rules, and only the rules learned at the time of the Agent ASCI will be sent to ePO.


              After a period of time, once you've tuned all the client rules, you can then disable the option, clear the client rules, then re-enable it for another period of time.